{
	"id": "d979172d-d9df-40ac-908f-bcc87af4da53",
	"created_at": "2026-04-06T00:16:36.346073Z",
	"updated_at": "2026-04-10T03:21:01.864389Z",
	"deleted_at": null,
	"sha1_hash": "f89cb523137d17900c49ba53bd6597fbb284c5c8",
	"title": "NodeStealer 2.0 – The Python Version: Stealing Facebook Business Accounts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2866166,
	"plain_text": "NodeStealer 2.0 – The Python Version: Stealing Facebook Business\r\nAccounts\r\nBy Lior Rochberger\r\nPublished: 2023-08-01 · Archived: 2026-04-05 16:18:23 UTC\r\nExecutive Summary\r\nUnit 42 researchers have recently discovered a previously unreported phishing campaign that distributed an\r\ninfostealer equipped to fully take over Facebook business accounts. Facebook business accounts were targeted\r\nwith a phishing lure offering tools such as spreadsheet templates for business. This is part of a growing trend of\r\nthreat actors targeting Facebook business accounts – for advertising fraud and other purposes –  which emerged\r\naround July 2022 with the discovery of the Ducktail infostealer.\r\nAbout eight months later, in March 2023, FakeGPT, a new variant of a fake ChatGPT Chrome extension that\r\nsteals Facebook Ad accounts, was reported. Unit 42 also reported on ChatGPT-themed scam attacks in April 2023.\r\nIn May 2023, a report from Meta of new information-stealing malware named NodeStealer surfaced, which\r\ndescribed malware that was compiled in July 2022 and malicious activity involving NodeStealer that was\r\nidentified in January 2023. NodeStealer allowed threat actors to steal browser cookies to hijack accounts on the\r\nplatform, specifically aiming toward business accounts.\r\nWhile investigating the growing trend, we came across a campaign that started around December 2022, and has\r\nnot been previously reported.\r\nThe infostealer distributed in the campaign shares multiple similarities with the NodeStealer variant compiled in\r\nJuly 2022 that Meta analyzed, which was written in JavaScript. However, the new campaign involved two variants\r\nwritten in Python, improved with additional features to benefit the threat actors. 
The threat actor equipped these\r\nvariants with cryptocurrency stealing capabilities, downloader capabilities and the ability to fully take over\r\nFacebook business accounts.\r\nNodeStealer poses great risk for both individuals and organizations. Besides the direct impact on Facebook\r\nbusiness accounts, which is mainly financial, the malware also steals credentials from browsers, which can be\r\nused for further attacks.\r\nIn this article, we will shed some light on the unreported phishing campaign targeting Facebook business accounts\r\nand will provide a deep dive analysis of the malware. In addition, we will show the execution of the malware\r\nthrough the lens of Cortex XDR (set to detect-only mode). We will provide recommendations for how Facebook\r\nbusiness account owners can protect their accounts.\r\nWhile this specific campaign is no longer active, we have indications that the threat actors behind it may continue\r\nto use and evolve NodeStealer or use similar techniques to continue targeting Facebook business accounts. 
It is\r\nalso possible that there may be ongoing effects for previously compromised organizations.\r\nhttps://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/\r\nPage 1 of 21\n\nPalo Alto Networks customers also receive protections against NodeStealer in the following ways:\r\nOrganizations can engage the Unit 42 Incident Response team for specific assistance with this threat and\r\nothers.\r\nCortex XDR and XSIAM agents help protect against the threats discussed in this article, providing a\r\nmultilayer defense that includes behavioral threat protection and exploit protection.\r\nThe Advanced WildFire cloud-delivered malware analysis service accurately identifies known samples\r\nrelated to these threats as malicious.\r\nAdvanced URL Filtering and DNS Security identify URLs and domains associated with this campaign as\r\nmalicious.\r\nNext-Generation Firewall with Advanced Threat Prevention security subscriptions can help block samples.\r\nPhishing Campaign\r\nFrom the telemetry available to us, the main infection vector for the infostealer was a phishing campaign. The\r\nphishing campaign took place around December of 2022 and was used for delivering two variants of the stealer,\r\nwhich we will refer to as Variant #1 and Variant #2. The differences between them will be described in the next\r\nsections of this article.\r\nThe main theme of the campaign was advertising materials for businesses. The threat actor used multiple\r\nFacebook pages and users to post information luring victims into following a link to a known cloud file storage\r\nprovider. After clicking on it, a .zip file was downloaded to the machine, containing the malicious infostealer\r\nexecutable.\r\nFigure 1. 
Facebook phishing post luring victims to download the infected .zip file.\r\nVariant #1 Analysis\r\nThe first variant of the infostealer in the campaign was internally named word.exe. It was compiled with Nuitka,\r\nand the threat actor used a unique product name for the files: Peguis. Nuitka translates Python to C and compiles it natively,\r\nso, unlike a PyInstaller package, the binary carries no bytecode that can simply be extracted and decompiled, which raises the\r\ncost of static analysis.\r\nFigure 2. Metadata for word.exe.\r\nVariant #1’s process tree is quite “noisy,” meaning it creates multiple processes and performs many actions that\r\nare considered indications of abnormal activity and are far from clandestine, including pop-up windows presented\r\nto the user.\r\nMain Features\r\nAs mentioned earlier, NodeStealer targets Facebook business accounts. Variant #1 has some additional features\r\nthat enable it to do much more than that. Here are the main features of Variant #1:\r\nStealing Facebook business account information\r\nDownloading additional malware\r\nDisabling Windows Defender via GUI (graphical user interface)\r\nMetaMask (cryptocurrency wallet) theft\r\nStealing Facebook Business Account Information\r\nThe first thing the malware does when executing is check whether a Facebook business account is logged in to the\r\ndefault browser on the infected machine. It does that by connecting to\r\nhttps://business.facebook.com/ads/ad_limits/ and checking the header.\r\nFigure 3. Stealing information using Facebook’s Graph API.\r\nIf there is indeed a Facebook business account logged in, the malware connects to the Graph API –\r\ngraph.facebook.com – with the user ID and the access token stolen from the header.\r\nAccording to Meta, “The Graph API is the primary way to get data into and out of the Facebook platform. 
It's an\r\nHTTP-based API that apps can use to programmatically query data, post new stories, manage ads, upload photos,\r\nand perform a wide variety of other tasks.”\r\nNodeStealer uses the Graph API to steal information about the target, including follower count, user verification\r\nstatus, account credit balance, whether the account is prepaid, and ads information.\r\nThe malware also gets the content of a Facebook JavaScript module, AdsLWIDescribeCustomersContainer, by\r\nsending a request to https://www.facebook.com/ajax/bootloader-endpoint/?modules=AdsLWIDescribeCustomersContainer.react.\r\nThis JavaScript module is a part of Facebook's advertising platform and is used for describing and managing\r\ncustom audiences in Facebook Ads. Custom audiences allow advertisers to target specific groups of people based\r\non their demographics, interests, behaviors or other criteria. The malware steals this information and sends it to its\r\ncommand and control server (C2).\r\nIn addition to stealing information about the Facebook business account, the malware also aims to steal those\r\naccounts’ credentials. In order to do so, it searches for Facebook usernames and passwords within the cookies and local\r\ndatabases of the following browsers: Chrome, Edge, Cốc Cốc, Brave and Firefox.\r\nFigure 4. Stealing passwords from browsers’ databases.\r\nFigure 5. Alerts for the execution of NodeStealer, as shown in Cortex XDR.\r\nThe malware then exfiltrates the output files through Telegram and deletes the files to remove its tracks:\r\nFigure 6. Exfiltration through Telegram.\r\nFigure 7. 
Track removal by NodeStealer.\r\nDownloading Additional Malware\r\nVariant #1 is configured to download two .zip files from the following URLs:\r\nhxxps://tinyurl[.]com/batkyc, which redirects to hxxp://adgowin66[.]site/ratkyc/4/bat.zip\r\nhxxps://tinyurl[.]com/ratkyc2, which redirects to hxxp://adgowin66[.]site/ratkyc/4/ratkyc.zip\r\nBat.zip contains the ToggleDefender batch script that disables Windows Defender, and Ratkyc.zip contains three\r\npieces of malware:\r\nBitRAT named COM Surrogate.exe\r\nA hidden virtual network computing (hVNC) RAT named Antimalware Service Executable.exe\r\nXWorm named Host Process for Windows Tasks.exe\r\nIn order to download the .zip files, the malware implements the FodHelper UAC bypass. fodhelper.exe is an\r\nauto-elevating Windows binary that executes whatever command is stored under the per-user key\r\nHKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command, so a medium-integrity process that writes that key first and then\r\nlaunches fodhelper.exe obtains a high-integrity child without a UAC prompt. Using this method, the\r\nattackers attempt to bypass User Account Control (UAC) and execute the PowerShell scripts used to download the\r\nabove-mentioned zip files.\r\nFigure 8. FodHelper UAC bypass encoded command in NodeStealer.\r\nThe base64 compressed command translates to the following:\r\nBelow is the execution flow of Variant #1, when Cortex XDR is set to detect-only mode:\r\nFigure 9. Execution flow for Variant #1, as shown in Cortex XDR, set to detect-only mode.\r\nAfter downloading and extracting the files, NodeStealer sets persistence for the three pieces of malware (BitRAT,\r\nthe hVNC RAT, and XWorm), as well as for its own binary (word.exe), via the registry Run keys. Note that all three\r\ndropped file names imitate the Task Manager display names of legitimate Windows processes (COM Surrogate is dllhost.exe,\r\nAntimalware Service Executable is MsMpEng.exe, Host Process for Windows Tasks is taskhostw.exe), which is what makes\r\nthem easy to overlook in a process list.\r\nDisabling Windows Defender via GUI\r\nBesides the ToggleDefender batch script, Variant #1 uses another technique to disable Windows Defender, this\r\ntime using the GUI. 
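Before looking at that GUI technique, the Variant #1 behaviour described so far (the FodHelper UAC bypass, Run-key persistence under the lookalike file names, and exfiltration through Telegram) can be caught in endpoint telemetry. The script below is an added detection example written for this page; it is not code from the article or from the malware. The registry path that fodhelper.exe consults is the publicly documented one; the event layout, field names, sample events and the allowlist of legitimate Telegram clients are assumptions made for the example.

```python
import re

# Added detection example for this page (not code from the article or the
# malware). Events are a constructed, Sysmon-like simplification: id 1 =
# process create, id 3 = network connect, id 13 = registry value set. The
# field names are assumptions made for this example, not a vendor schema.

# FodHelper UAC bypass: fodhelper.exe auto-elevates and runs whatever command
# is stored under the per-user ms-settings handler key, so a write to that key
# by anything other than a Windows component is hostile.
FODHELPER_KEY = re.compile(r'\\ms-settings\\Shell\\Open\\command(\\|$)', re.I)
RUN_KEY = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run\\', re.I)
EXE_NAME = re.compile(r'([^\\]+\.exe)', re.I)

# File names Variant #1 persists via Run keys (from the article), mapped to the
# genuine Windows binary whose Task Manager display name each one imitates.
# word.exe is the stealer's own binary.
LOOKALIKES = {
    'com surrogate.exe': 'dllhost.exe',
    'antimalware service executable.exe': 'MsMpEng.exe',
    'host process for windows tasks.exe': 'taskhostw.exe',
    'word.exe': None,
}
TELEGRAM_API = 'api.telegram.org'
# Heuristic allowlist (assumption): the only process expected to talk to the
# Telegram API on a workstation is the Telegram client itself.
ALLOWED_TELEGRAM_CLIENTS = {'telegram.exe'}


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def detect(events):
    # Return one alert per suspicious event, in input order.
    alerts = []
    for ev in events:
        image = ev.get('image', '')
        if ev['id'] == 13:
            target = ev['target']
            details = ev.get('details', '')
            if FODHELPER_KEY.search(target):
                alerts.append({'rule': 'fodhelper_uac_bypass', 'image': image,
                               'evidence': target})
            elif RUN_KEY.search(target):
                m = EXE_NAME.search(details)
                exe = m.group(1).lower() if m else ''
                if exe in LOOKALIKES:
                    alerts.append({'rule': 'runkey_persistence', 'image': image,
                                   'evidence': details,
                                   'imitates': LOOKALIKES[exe]})
        elif ev['id'] == 1:
            # The planted command runs as a child of the elevated fodhelper.exe.
            if basename(ev.get('parent', '')) == 'fodhelper.exe':
                alerts.append({'rule': 'fodhelper_child', 'image': image,
                               'evidence': ev.get('cmdline', '')})
        elif ev['id'] == 3:
            if (ev.get('dest', '').lower() == TELEGRAM_API
                    and basename(image) not in ALLOWED_TELEGRAM_CLIENTS):
                alerts.append({'rule': 'telegram_exfil', 'image': image,
                               'evidence': ev['dest']})
    return alerts


def count_by_rule(alerts):
    counts = {}
    for a in alerts:
        counts[a['rule']] = counts.get(a['rule'], 0) + 1
    return counts


# Constructed sample telemetry; the encoded PowerShell payload is a placeholder.
SID = 'HKU\\S-1-5-21-1-1-1-1001'
STEALER = 'C:\\Users\\victim\\Downloads\\word.exe'
SAMPLE_EVENTS = [
    {'id': 13, 'image': STEALER, 'details': '',
     'target': SID + '\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\DelegateExecute'},
    {'id': 13, 'image': STEALER,
     'target': SID + '\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)',
     'details': 'powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBB'},
    {'id': 1, 'image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'parent': 'C:\\Windows\\System32\\fodhelper.exe',
     'cmdline': 'powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBB'},
    {'id': 13, 'image': STEALER,
     'target': SID + '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\COM Surrogate',
     'details': 'C:\\Users\\victim\\AppData\\Roaming\\COM Surrogate.exe'},
    {'id': 13, 'image': 'C:\\Program Files\\Microsoft OneDrive\\OneDriveSetup.exe',
     'target': SID + '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive',
     'details': 'C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background'},
    {'id': 3, 'image': STEALER, 'dest': 'api.telegram.org'},
    {'id': 3, 'image': 'C:\\Users\\victim\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe',
     'dest': 'api.telegram.org'},
]

if __name__ == '__main__':
    for a in detect(SAMPLE_EVENTS):
        print(a['rule'], a['image'], a['evidence'])
```

The Run-key rule keys on the imitated file names rather than on word.exe alone because the three dropped payloads (BitRAT, the hVNC RAT and XWorm) are persisted the same way; the legitimate OneDrive entry in the sample shows that an ordinary Run-key write does not fire. The Telegram rule is a heuristic: a browser reaching api.telegram.org would also trigger it, so tune the allowlist to the host's software inventory.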
Disabling Defender through the GUI is a very noisy approach, since the end user would be able to see the Windows Defender\r\nGUI pop up on the machine and the malware acting to disable it.\r\nThe commands used to open the GUI and disable Windows Defender are shown in Figure 10 below.\r\nFigure 10. Commands used to disable Windows Defender.\r\nMetaMask Theft\r\nThe malware also tries to maximize financial gain by stealing MetaMask credentials from the Chrome, Cốc Cốc and\r\nBrave browsers.\r\nMetaMask is an extension for accessing Ethereum wallets through the browser. Stealing credentials for this\r\napplication allows the attackers to steal cryptocurrency from the user’s wallets.\r\nJust as it did in stealing Facebook cookies and credentials, the malware extracts the local databases used to store\r\nbrowsers’ information. It searches within them for the extension ID nkbihfbeogaeaoehlefnkodbefgpgknn, which is the\r\nID MetaMask receives when installed directly from the extension store.\r\nThen, the malware copies the data into a file and exfiltrates it using Telegram, in the same fashion it did with the\r\nFacebook credentials.\r\nFigure 11. Stealing MetaMask credentials from a Brave browser.\r\nVariant #2 Analysis\r\nThe second variant of the infostealer in the campaign was internally named MicrosofOffice.exe and was compiled\r\nwith Nuitka, same as the first variant. Unlike the first variant, it does not generate a lot of activity visible to the\r\nunsuspecting user. For this variant, the threat actor used the product name “Microsoft Coporation” (originally\r\nmisspelled by the malware authors).\r\nFigure 12. 
Metadata of Variant #2 masquerading as MicrosofOffice.exe.\r\nMain Features\r\nLike the first variant, Variant #2 targets Facebook business account information and MetaMask wallets, but it goes\r\nbeyond by:\r\nAttempting to take over the Facebook account\r\nImplementing anti-analysis features\r\nReading the victim’s emails\r\nTaking Over the Facebook Account\r\nVariant #2 attempts to purchase an online email service provided by a legitimate Vietnamese website\r\n(hotmailbox[.]me). It attempts to do so using an embedded API key that holds a credit balance for that specific\r\nservice: https://api.hotmailbox[.]me/mail/buy?apikey=\u003credacted\u003e\u0026mailcode=HOTMAIL\u0026quantity=1.\r\nFigure 13. Purchasing mailbox service from hotmailbox[.]me.\r\nFigure 14. Credit balance for the API key used by the malware.\r\nIf the purchase attempt is unsuccessful, the malware tries to purchase a mailbox service from another Vietnamese\r\nwebsite (dongvanfb[.]net), again using an API key that holds a dedicated credit balance —\r\nhttps://api.dongvanfb[.]net/user/buy?apikey=\u003credacted\u003e\u0026account_type=1\u0026quality=1.\r\nFigure 15. Purchasing mailbox service from dongvanfb[.]net.\r\nIf the purchase attempt succeeds, the malware saves the email and password for the new mailbox, which will be\r\nused in the next phase of the campaign.\r\nNext, the malware changes the contact email address of the victim’s Facebook business account by submitting a\r\nrequest to the following URL, a flow that does not require the account password to be re-entered:\r\nhttps://www.facebook[.]com/add_contactpoint/dialog/submit/.\r\nIf a confirmation code is required, the malware retrieves the code Facebook emailed to the newly purchased mailbox by\r\nsending a request to:\r\nhttps://getcode.hotmailbox[.]me.\r\nFigure 16. 
Code for requesting the Facebook authentication code from hotmailbox[.]me.\r\nThe malware then checks the updated email to see if the modification was successful:\r\nFigure 17. Checking the updated email for the Facebook account.\r\nIf successful, the attackers have now taken over the Facebook account by replacing the legitimate user’s email\r\naddress with a mailbox under their control.\r\nReading Emails\r\nIn addition, the malware has a function that parses emails, so it can read the victim’s emails. It is possible that the\r\nthreat actor added this functionality to potentially interfere with any Facebook alerts notifying the victim of the\r\nconfiguration changes, though we did not directly observe activity of this kind.\r\nFigure 18. Function that is responsible for reading emails.\r\nAnti-Analysis and Anti-VM\r\nIn several samples of Variant #2 that were analyzed, the threat actor added a simple function to check for the\r\npresence of several malware analysis tools and virtual machine processes. If one of them is running on the system,\r\nthe malware terminates itself. Checks of this kind match on process names only, so renaming analysis tools before\r\ndetonation is usually enough to defeat them.\r\nFigure 19. Anti-VM and anti-analysis function.\r\nDifferences Between the NodeStealer Variants\r\nAs mentioned above, there are similarities between the two variants of NodeStealer analyzed in this article, but\r\nthere are many differences as well. To summarize, Table 1 compares the main features of\r\nNodeStealer in the version reported by Meta with those found in the two variants:\r\nTable 1. 
Comparison of NodeStealer and the two variants.\r\nVietnamese Threat Actor\r\nInterestingly, both Ducktail and NodeStealer were previously suspected by Meta to originate from threat actors\r\nbased in Vietnam.\r\nThe suspected connection between the NodeStealer malware and a Vietnamese threat actor rests on several\r\nindications.\r\nThe first finding that may indicate this connection is that in the Python script of both variants analyzed in this\r\nblog, we came across many strings in Vietnamese. For example, see Figures 20 and 21.\r\nFigure 20. Translation of the string “TongChiTieu” (“total spending”) found in NodeStealer.\r\nFigure 21. Translation of the string “ThoiGianCheck” (“check time”) found in NodeStealer.\r\nThe second indication of the suspected connection to threat actors based in Vietnam is that the attackers targeted a\r\nbrowser named Cốc Cốc, which describes itself as “the web browser and search engine for Vietnamese people” on\r\nits About Us page.\r\nFigure 22. Wikipedia description for Cốc Cốc software.\r\nThe third indication of a suspected Vietnamese connection to NodeStealer was found in Variant #2. This variant,\r\nas described earlier in the article, attempts to purchase an online mailbox service from two different Vietnamese\r\nwebsites: Hotmailbox[.]me and Dongvanfb[.]net.\r\nConclusion\r\nIn this article, we uncovered a campaign of the NodeStealer malware that targets Facebook business accounts. As\r\npart of the campaign, two variants of NodeStealer were discovered, Variant #1 and Variant #2. 
Analyzing the two\r\nvariants revealed behavior that goes well beyond the malware’s original purpose, all of it likely intended to\r\nincrease the potential profit for the threat actor.\r\nThe threat actor, who is suspected to be of Vietnamese origin, provided the new variants with cryptocurrency\r\nstealing capabilities, downloader capabilities and the ability to fully take over Facebook business accounts. The\r\npotential damage for both individuals and organizations can be reflected not only in financial loss, but also in\r\nreputation damage for a target.\r\nWe encourage all organizations to review their protection policies and use the indicators of compromise (IoCs)\r\nprovided in this report in order to address this threat. Facebook business account owners are encouraged to use\r\nstrong passwords and enable multifactor authentication. Because NodeStealer works with stolen session cookies and can\r\nchange the account’s contact email without the password, owners of affected accounts should also review the account’s\r\ncontact points and sign out any unrecognized sessions; an MFA prompt does not stop reuse of an already-authenticated\r\nsession. Take the time to provide education for your organization\r\non phishing tactics, especially modern, targeted approaches that play off current events, business needs and other\r\nappealing topics.\r\nProtections and Mitigations\r\nSmartScore, a unique ML-driven scoring engine that translates security investigation methods and their associated\r\ndata into a hybrid scoring system, scored an incident involving NodeStealer an 86 out of 100, as shown in Figure\r\n23. This type of scoring helps analysts determine which incidents are more urgent and provides context about the\r\nreason for the assessment, assisting with prioritization.\r\nFigure 23. 
SmartScore information about an incident involving NodeStealer.\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\nthreat:\r\nWildFire, our cloud-based threat analysis service, accurately identifies the samples as malicious.\r\nAdvanced URL Filtering and DNS Security identify URLs and domains associated with this group as\r\nmalicious.\r\nNext-Generation Firewall with Advanced Threat Prevention security subscriptions can help block samples.\r\nCortex XDR detects user- and credential-based threats by analyzing user activity from multiple data\r\nsources, including endpoints, network firewalls, Active Directory, identity and access management\r\nsolutions, and cloud workloads. It builds behavioral profiles of user activity over time with machine\r\nlearning. By comparing new activity to past activity, peer activity and the expected behavior of the entity,\r\nCortex XDR detects anomalous activity indicative of credential-based attacks.\r\nFigure 24. 
End user notification for blocking both NodeStealer variants.\r\nIt also offers the following protections related to the attacks discussed in this post:\r\nPrevents the execution of known malicious malware, and prevents the execution of unknown malware\r\nusing Behavioral Threat Protection and machine learning based on the Local Analysis module.\r\nProtects against credential gathering tools and techniques using the new Credential Gathering Protection\r\navailable from Cortex XDR 3.4.\r\nCortex XDR Pro detects post-exploit activity, including credential-based attacks, with Cortex Analytics and\r\nthe ITDR module.\r\nIf you think you may have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nURLs\r\nhxxps://tinyurl[.]com/batkyc\r\nhxxp://adgowin66[.]site/ratkyc/4/bat.zip\r\nhxxps://tinyurl[.]com/ratkyc2\r\nhxxp://adgowin66[.]site/ratkyc/4/ratkyc.zip\r\nFree 1,000 professional Excel templates.rar\r\n1a4e8bcf7dc4ad7215957210c8e047f552b45a70daf3d623436940979c38f94c\r\n92657c3a108bbedc6f05b4af0a174e99a58e51e69c15c707d9c9cc63cdf1b4ea\r\nfed5ea7840461984fa40784d84ed1a0961cbf48b03d8b79c522286bf6e220922\r\nWord.exe\r\n001f9d34e694a3d6e301a4e660f2d96bc5d6aa6898f34d441886c6f9160d9e48\r\nfa5b9b72f248e1f79b3a424b61a1bcce8bf6a99452545cfe15d7211f3eb3e93b\r\n44dabadbf099bdb28fdc4d86cebe53c00085c9c2ad52df4d4774320409e7358b\r\n1998492619c1fc6a5b78d5c4c6beb05c582a1be6ad2b9ac734179c731bbcf5cc\r\ne856cc78ce1603547bb6fdb3eb9da137f671e9547c072abea63b0248ec82ecb1\r\n6d12c657ee403272cb3115fd0a6cf1ffe69cd4476c5a03bbc13c624ddd153518\r\na6509563be7a8569e05198858658b8934d7bc5ad3d41e9806e261995c99a6acf\r\na8adea800186dd52173dc6e55c46aa0b3619bef3eee25b17b7edba9353d5d08e\r\nf61403729e3f4e212411db486a537eabca2d0b84be21b789cddca4fc3aa85923\r\n3fff146c3e50a7ddc7e446ae51742c59c3d3277931f3c511d9651497e4ab14a7\r\n9a551426cbb2cd7aded923f277eec195a282913d51c41f1791683e03a85379e0\r\na8608b8537338659943802bd4c3f37465b6b7146c60088e890f1201452690510\r\nf08394c78f40c3028156c78672d1a8030c64a9f292b1fbb4bd42437381c96a54\r\n2335a5b90cbf40f0bfe6434c7e9b461ab1ed8f470a9c3d5703d430af30cf5371\r\na03f37bb04dbd0f602ad8f5e52e87650ecf8fc57763c043de436996ce222e81d\r\n22d57a535c226b514da92d0dcc902f0029414c5f2b1141bc14ac9a057c791414\r\n7bf3d295fc8d2605528331c0da32d83f2b98489884bd92a24b71425fa13290db\r\neac6574eb3b1a6bf9818136875378ee2362901092b61d221541977925076edf3\r\n7c59713b5ae4dd41c94cda9c2cb15a2e6173b886157a2ba5a68842cc7bdde698\r\nbd14e501b49bb332fd102f65558be47e762ff8885d9c7dfe6c152597603664f1\r\n34353c1734066cd11b1c002f770834d392aa225434e1bc8b4ec65ef753241e23\r\n2e56a8e4002de238bd1b792d495f59edd598cda49d649d42112f951ecb003432\r\n77459352c074012c1e0d010e2b8792d08f36ca6f7bf4882b2db2af4aa1944e5f\r\nc8d4f567e2162fce6b49c15ca0908f9e3171e6bb6acbfd2c7b129872053b025d\r\ndccc95c28bbc1f049c06e7b3a9866a920c4c4081e3176b26fc6aea2cb59daed7\r\n8582241f8e0163f6360486e9b59e54c91dd3219538e03619e9e999f90aa92f81\r\nfab5abe774e1af199da4b85df87077e2e8f66c6f00f083b9074fd2186e455bfb\r\n9dba2cef0e28a24b59eda107633528cd83257f033a5d4330cf3302943b3e07c2\r\n440541d9e9c4d1fa8a1f33ce8c434ace11786e278278df7a600978290b33e93f\r\n009827ab2624370ded2cb8240ca2fe82af36e3a94cff1f8a2eac574b4b928c4e\r\nbfb4f44e8dd9c0a708df89f0f114b523c446baaee19205d62ad99bb53a8b5935\r\n50b5ab35c1e78429fdcdd45e2a0ceacc140fbf4022f7c34bac4b5f296a17379a\r\nbd16e9d3f730df6b88fff91485d3d27e544f3bb819347b0886806b1c14cbd575\r\n9b1dcde16f34ac3d5abc15510060cd1692591054988416167dae3c4643e5796c\r\n57c234dc3a210467b990c16092fbd3af2dc0aaf8aabbdfa1b566138b2abc5e82\r\n2cabb8e10c5ad57788d99f5218a1248e0ada9a5bdbd5f976d9523b2e4a47aacf\r\na62acb65022abbd849e0a741a17485156333fbfe26f32c50654b3818335c1d0d\r\n989f62528b32d47e50f1bd61cc7dc2e9cb25f54514374902d8a9ce41fcfcd779\r\na45ff2f03d88abfb949b8c8f40fa08fa7e72d22e756716f8dc18e2f34376b722\r\n7072dbc19da9713c997cdbcacbc68ca709e900d44bb3572bc34fb3c91ecbea9f\r\nce6314bfe207e4106df4249452b654ffa892a1bd45bc7ff9d6871b1dbe8e3e3b\r\nd3e1060a003f6a8073dea4f6c976f552372cd4ab9251953c0932be22c6f6605f\r\n41a09e66c24953c7cb19f4a09b0779c8e9bcb39f0e544d0bdc9760c9b3d56e03\r\n9282f4b1fa8ecf1273ddf3291abcc8fc073b2e99a00f70985077197112a46c4c\r\na41b170f554a752a23769b28f3fa93703fa160b74897a8f35078d1e8923b91b0\r\n4316a560734e68303860899d0f2b07a9ef4618647da2e8ad38bab70a4e532f88\r\nfe434fff6becc2d829bbfed6ba9bf88154028d0327e7c6aa870ad050235fc334\r\nb87ead56ff364a052619c373b8c06d2150561196f87e584590f67a341ba78abc\r\n92eba1a137918f99fbe15651568b8b76ad5f59788b1bce9076bfb33bbc3484de\r\n1ada42adb9ee65aa02d5eb9d24d3455df61c85f69e84f310b9630d62ca83a518\r\n6777bbf5fd14eb1a7e81de33c477ac5ba4f446699df447995e8d362a8438a0a3\r\nd12196087135b9383a4e9820d27625c059511c4776593a4d2eb83409a96af3a5\r\nea96973f3d71cccad26bce7f106f5800fcb007cf33d82fa00f5d564994397153\r\nf31e2c430d4a8b17b45591bf68e5c4c7f7c28e4ccbd4cabcd10c33ba14b388c3\r\nf80700c220246238507cf5eedcb2e1397c32b3646bb90ad990e7fb69199752b5\r\n415d70be7a2e3ae8fd2babc929c3110fce7ce66d23ec32c473c6aab73c5c00f8\r\n4932514acfad25c7b2a1631706aef8d91a415315e5207e1bc9a24791298e6319\r\n9ecba5aa60b9c202b1c69aade1edabb1c04072471a3618a5d714aa8833d570f4\r\n38cbccea7c9f3032a8348e54bb94871b26279a7cca64f5b79c3fa54c240960d2\r\n4f91fdf024b54ad650c13f7ffe1a7f3eb6cad66eb457e8a7fe494cf9bdb6f42a\r\nMicrosofOffice.exe\r\n3ab41e160854a686baf56e5032b933778663c37e03d148d3bf669a6c3228f6da\r\n565bc8725a1ae03e534f66ad8995854d24ba3893fe37c8e3e13c58874129849b\r\nc8fee685d506575138c8b02f118323ca586f62a6e80edf1d726fd555a1c386ba\r\n91b975e87d8d6469683168a48ca0bc11a333e3f5692f224d33f2008573173cc6\r\n5049de4c58ea923723389e4d732f1c134dc38582971f4872593e1153db945078\r\nb2d44e572933ff26977e25a254c0ce705939fac9f422871fd22a875323487bcf\r\ne90f31c41a64ce85abfa284126e63b693088934fd83ef8fea13724810f394efa\r\n3064aa87c463adda7752b84cd18e2e859723a9953e090f7757edf7ce4b96e536\r\n3366f47822b72445aa06d2e2c455dd4816e5df2f83e7bd03f21e77b1cb2b8948\r\na9aae05b05f42bd3d1f9d7894a68db976977573741ddcdf6f388b7d685765564\r\nbf3b35d225b2ec555ad06eb1dd0af464bb48596bebb0b2543eaf9e060f0fb1b9\r\n6660776dfecf917cfbd51a0fa853052005f3d4a136c1edce0a3d6b7002c3f48e\r\ncc03f53a7a85d9b1b28a6422556b295cb9b00e93b5afc96559140f32f96305e9\r\nd4f8813b0aba21d6021719d022fcc6feab5cdd6e2a999dfe178347a394abfb84\r\n346d51b00a14087bcd63f063e4a3f572f49b1c41a5c60fa03095aac42837a7ce\r\nc150086d14539040556c3c91c93c31395d23ee7bc348bd3dc1d0afa0ff9365bb\r\nb07091d52014cf11c58f07f676eb150db006d9f9274ce6888d5aa8d7a6e4f793\r\nf66434337a25804da491d45a7108eab49ad0de1b2b26f41650ae9567ec45a02a\r\n1a06498f31a70b7d3fe043269cc87dcd70528a9303af3fa66933ceaa372006b3\r\n43dd5f8d2a5bea2751bf8d02920038e93df6ba3b8f5c0b1193fa70cac1e9b9a2\r\n8896c07441ce8799660c1d94d64231a41735bac10a2e984838bc21a2682c9c99\r\n9d3ccd754f7e0b891fcad461df92746f52abcf727082750e3aefade7531f162e\r\n0901d9b4ad36a264904bb41b555b32c87790e7861969fa7495da7892aef8f67c\r\n65db46d1f48c9c15fe97147ee918fae626225c5603293b72da8e484a9c91123f\r\n9fe91d63d63f7667c1879f7ea3e31b9d6dacc2d3216df2b47392bb1dff741f89\r\ncd06ab37c8e4d6e4264f2ac0949ab7694eb5cc11925853a50c33b13b012eca6f\r\n466158cf86c8f14d125d661f75fe0c4c2410e2896eaabd90b1d28137b7df81b3\r\nfe1608dbfa620231ee9649a4687ac03c2acfbcec9b7ab49da06e182209c31eb5\r\n242e8e1ff2608f5c9fa80b89b31f605bb9432b15dace2eba961605b245d577d5\r\nc272d218f34bc65e6753e7ece1fe6e56799782678a66a5084e71bbb8690fe724\r\n2a685317d74f78e8d627791ccf6ffec9e2a8690e4bffacbbffab934b12669ae9\r\ne5026d9327dd19c8749ef1d93ebfbd7c1d3c3e1055bb2c1efc7ed261d7dd16de\r\nbb500217f8940a3491cb69a26d10b5753e3ef1fab59909d88a12dba44344df1e\r\n2fdac894299a2889c36959e34bacd3898029974af1b2f60552534454c54bd976\r\nbb8a127d9f8eb5c598617682a4ab29ee023ae8f40428c6076b0b493116eca8bb\r\n7aa48f6531c6d6dd7b60a4c6d10cacc69bdee98034b25379a04a8e308dece36f\r\n1ebba84f9352bd171f241bc5d0e06af3145a050fd3e063c503d78085aeba2c34\r\ncfb50c7fe40334c1f52759a08289e36be0ada9056e3dcb22898efd8187b6464d\r\n9a6eae518100361b3e3fd4f34877623af5544e2b95cdf29a7e9e2d91e4baa271\r\nd9524819eeb3ef9268d526703af8a7921a5d98429341834eb84f04b9edb34b64\r\nf51880293a2bd24da4182965ad5c9b4936eab23a20ed0b4264b75d6c3a3eeac5\r\nd117bdaeee8d1f3cca5c685930f19754b82ffbd6de8f2a6dc1895fee1a00e220\r\nbf71b31e2612441e28df35f7e4ae56616ded9c6802758b010007b49e05876011\r\n61237de2472bbf39086a18d462fd5fd9649292d17fe630f1dd550159e26d711e\r\n31038f33d8d757c19050d41e62036a85026bbe99d37fd806fdde7f261fd2651b\r\nf4b6a051789ba7b245db69a3b56dee1404b3f9eff9c7e7c80c54328bedcc44e9\r\ncdcaf4ecae94421503364d28ef72eb65a83f300980cd1a8ba02bea1c29e193ec\r\nb78a980b66327c4e45f95f2e0fc2dbaffebcac00107cd16ac2d2c2a42618e645\r\nf2548fd9d622dae1b21e18323a2d8dca2f7670789dfbb5f6d32320f4fd289039\r\n65669e873a3732f1617c9c80667a1c3efda5f72538b5abd475e80a25efc0e5e2\r\n3984a025b7fb7c5ada86da0b4fa32bef88eb2a01fb337a7f73619cb716c859ab\r\n0d313ad0b46218acfc25fae744b53eb539169e56f9976eec47f37d99ebce510c\r\n834215c7226d28be513562991cacd7f56f4914b8ae1e27ff3ae85ca82e208605\r\nfddb2fc6c63d33500f3ef0d8c3fe212abe21044820a2524379904131e7f11765\r\n86424c0a908fc3d651d86bc7c3d87ce38ef626516f48a160e2cfcf2630a1e9b8\r\n9f85de94a15c5c93a88375d9aacb9f9e111cedec611ee4f2b58a53727db92a88\r\n825379e514d1a0383120735c4c19530a3d4130d5e77ff51b7bb2eb3b6ca1d704\r\n9274f0391add4a1ac7c90942628a9fd80a9fca3d11aabb74b4e385eee4f66354\r\n45a6c41111677c6374899475aa253f713a08158ce9b5dbd7566e15eda1e61a0a\r\nc37ee014b97eddbd9060e6bc3a27ec5de2c37a03c45f3a50fd9420a847145a20\r\n1ed522e66e9ddcc97ded3e008c014500e3c3e22a1db995199baa52a7dc93845b\r\n843028f3054707843ebc650a01b1ded0414d6933525cb056cf5a66a49afe3022\r\nfd47754e9476d5d5969cd1c2db1a4d3203ab50e4b92e31bc7cc02945b8d2857e\r\n774bb5ed2bcb6ebd9cbd6b53e4dc1a352df58dfda17ef11da9c8ffa4d4851681\r\n283570b242e8de90f3ad4b9f332c03eefc3c8464981d1ad072cc061f9e29ce97\r\n1cf31091a0e6d9dade4675497593d04815d7ba22b0b018d06358211f3429ab49\r\nBat.zip\r\n1f093f818d2d3bd146c34d10bdb9de0a33931d3586f0bb942f881052a20114f9\r\nRatkyc.zip\r\n14000dc5c64ad50e534739afa86ce37c30b04a8aba48feb0f645b0a74b545744\r\nSource: https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/"
	],
	"report_names": [
		"nodestealer-2-targets-facebook-business"
	],
	"threat_actors": [],
	"ts_created_at": 1775434596,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f89cb523137d17900c49ba53bd6597fbb284c5c8.pdf",
		"text": "https://archive.orkl.eu/f89cb523137d17900c49ba53bd6597fbb284c5c8.txt",
		"img": "https://archive.orkl.eu/f89cb523137d17900c49ba53bd6597fbb284c5c8.jpg"
	}
}