{
	"id": "ddfd5262-5b6b-46f9-8d9d-caa9f0b0ab4e",
	"created_at": "2026-04-06T00:09:15.679124Z",
	"updated_at": "2026-04-10T03:21:12.218172Z",
	"deleted_at": null,
	"sha1_hash": "b7bec76e6e66d47988b8d591dd67e78f7a68ea52",
	"title": "Beware: Fake Facebook Job Ads Spreading 'Ov3r_Stealer' to Steal Crypto and Credentials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 467753,
	"plain_text": "Beware: Fake Facebook Job Ads Spreading 'Ov3r_Stealer' to Steal Crypto and Credentials\r\nBy The Hacker News\r\nPublished: 2024-02-06 · Archived: 2026-04-05 17:03:57 UTC\r\nThreat actors are leveraging bogus Facebook job advertisements as a lure to trick prospective targets into installing a new Windows-based stealer malware codenamed Ov3r_Stealer.\r\n\"This malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors,\" Trustwave SpiderLabs said in a report shared with The Hacker News.\r\nOv3r_Stealer is capable of siphoning IP address-based location, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products installed on the compromised host.\r\nWhile the exact end goal of the campaign is unknown, it's likely that the stolen information is offered for sale to other threat actors. Another possibility is that Ov3r_Stealer could be updated over time to act as a QakBot-like loader for additional payloads, including ransomware.\r\nhttps://thehackernews.com/2024/02/beware-fake-facebook-job-ads-spreading.html?m=1\r\nPage 1 of 4\r\nThe starting point of the attack is a weaponized PDF file that purports to be a file hosted on OneDrive, urging users to click on an \"Access Document\" button embedded into it.\r\nTrustwave said it identified the PDF file being shared on a fake Facebook account impersonating Amazon CEO Andy Jassy as well as via Facebook ads for digital advertising jobs.\r\nUsers who end up clicking on the button are served an internet shortcut (.URL) file that masquerades as a DocuSign document hosted on Discord's content delivery network (CDN). 
The shortcut file then acts as a conduit to deliver a control panel item (.CPL) file, which is then executed using the Windows Control Panel process binary (\"control.exe\").\r\nThe execution of the CPL file leads to the retrieval of a PowerShell loader (\"DATA1.txt\") from a GitHub repository to ultimately launch Ov3r_Stealer.\r\nIt's worth noting at this stage that a near-identical infection chain was recently disclosed by Trend Micro as having been put to use by threat actors to drop another stealer called Phemedrone Stealer by exploiting the Microsoft Windows Defender SmartScreen bypass flaw (CVE-2023-36025, CVSS score: 8.8).\r\nThe similarities extend to the GitHub repository used (nateeintanan2527) and the fact that Ov3r_Stealer shares code-level overlaps with Phemedrone.\r\n\"This malware has recently been reported, and it may be that Phemedrone was re-purposed and renamed to Ov3r_Stealer,\" Trustwave said. 
\"The main difference between the two is that Phemedrone is written in C#.\"\r\nFurther solidifying the connections between the two stealers, the threat actor has been observed sharing news reports published about the Phemedrone Stealer on their Telegram channels in an effort to build \"street cred\" for their malware-as-a-service (MaaS) business.\r\n\"My custom stealer is on the new[s], showing how evasive it is, im [sic] the developer of it, so happy now,\" the threat actor, who goes by the online alias Liu Kong, said, while also expressing frustration at the fact that threat hunters managed to \"reverse the whole exploit chain\" despite everything being \"on memory.\"\r\nThe findings come as Hudson Rock revealed that threat actors are advertising their access to law enforcement request portals of major organizations like Binance, Google, Meta, and TikTok by exploiting credentials obtained from infostealer infections.\r\nThey also follow the emergence of a category of infections called CrackedCantil that leverage cracked software as an initial access vector to drop loaders like PrivateLoader and SmokeLoader, which subsequently act as a delivery mechanism for information stealers, crypto miners, proxy botnets, and ransomware.\r\nSource: https://thehackernews.com/2024/02/beware-fake-facebook-job-ads-spreading.html?m=1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thehackernews.com/2024/02/beware-fake-facebook-job-ads-spreading.html?m=1"
	],
	"report_names": [
		"beware-fake-facebook-job-ads-spreading.html?m=1"
	],
	"threat_actors": [],
	"ts_created_at": 1775434155,
	"ts_updated_at": 1775791272,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7bec76e6e66d47988b8d591dd67e78f7a68ea52.pdf",
		"text": "https://archive.orkl.eu/b7bec76e6e66d47988b8d591dd67e78f7a68ea52.txt",
		"img": "https://archive.orkl.eu/b7bec76e6e66d47988b8d591dd67e78f7a68ea52.jpg"
	}
}