Facebook malware

A “swarm of fake and hijacked personal accounts” is being used in a new phishing campaign that spreads malware attachments through Facebook Messenger, with the ultimate goal of seizing control of the targets’ Business accounts.

This campaign, which once more has its roots in a Vietnam-based organization, “uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods,” according to research by Guardio Labs researcher Oleg Zaytsev.

MrTonyScam attacks send messages that tempt potential victims into opening the RAR or ZIP archive attachments, which launch a dropper that fetches the next stage from a GitHub or GitLab repository.

That payload is another archive containing a CMD file, which in turn carries an obfuscated Python-based stealer that exfiltrates all cookies and login credentials from various web browsers to a Telegram or Discord API endpoint under the threat actor’s control.

By deleting all cookies after stealing them, the adversary effectively logs victims out of their own accounts. The scammers can then hijack the victims’ sessions, using the stolen cookies to change the victims’ passwords and take over their accounts.
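As an added, defender-side example that is not from the article or Guardio’s report, the following Python correlates the three stages described above (a CMD dropper run by cmd.exe, the Python interpreter it spawns, and a connection from that subtree to a Telegram or Discord API host) in constructed process telemetry; the record layout, paths and pids are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample endpoint telemetry (not from the article or Guardio's report):
# one record per process with pid, parent pid, image, command line and remote hosts.
SAMPLE_EVENTS = [
    # Stage 1: the .cmd dropper unpacked from the Messenger attachment
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\photo_album\view.cmd"', "remote": []},
    # Stage 2: a bundled Python interpreter runs the stealer and ships cookies out
    {"pid": 202, "ppid": 200, "image": r"C:\Users\u\Downloads\photo_album\python.exe",
     "cmdline": "python.exe -c <obfuscated>", "remote": ["api.telegram.org"]},
    # Benign: a developer's batch file runs Python, which only talks to pypi.org
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\dev\build.cmd"', "remote": []},
    {"pid": 301, "ppid": 300, "image": r"C:\Python311\python.exe",
     "cmdline": "python.exe -m pip install requests", "remote": ["pypi.org"]},
    # Benign: a Telegram bot started from an IDE, with no .cmd dropper in its chain
    {"pid": 400, "ppid": 100, "image": r"C:\Python311\python.exe",
     "cmdline": "python.exe bot.py", "remote": ["api.telegram.org"]},
]

EXFIL_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}

def descendant_hosts(pid, children, by_pid):  # hosts reached by pid's whole subtree
    hosts, stack = set(), [pid]
    while stack:
        cur = stack.pop()
        hosts.update(by_pid[cur]["remote"])
        stack.extend(children[cur])
    return hosts

def find_stealer_chains(events):
    """Return (cmd_pid, python_pid, exfil_hosts) for each chain in which cmd.exe ran a
    .cmd script, spawned Python, and that subtree reached a Telegram/Discord API host."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    hits = []
    for e in events:
        if not (e["image"].lower().endswith("cmd.exe") and re.search(r"\.cmd\b", e["cmdline"], re.I)):
            continue  # stage 1 missing: not a .cmd script run by cmd.exe
        for child in children[e["pid"]]:
            if not re.search(r"python(w)?\.exe$", by_pid[child]["image"], re.I):
                continue  # stage 2 missing: the dropper did not spawn a Python interpreter
            exfil = sorted(descendant_hosts(child, children, by_pid) & EXFIL_HOSTS)
            if exfil:  # stage 3: cookie/credential exfil seen beneath the Python child
                hits.append((e["pid"], child, exfil))
    return hits
```

Only the dropper chain is flagged; the batch file that reaches pypi.org and the bot that reaches Telegram without a .cmd parent are not.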

The Python stealer’s source code contains Vietnamese-language references and also targets Cốc Cốc, a widely used Chromium-based browser, indicating the threat actor’s ties to Vietnam.

Guardio Labs found that the campaign has had a high success rate, with roughly 1 in 250 victims estimated to have been infected over the last 30 days alone, even though infection requires the user to download the file, unzip it, and run the attachment.

The majority of compromises have been reported from the United States, Australia, Canada, France, Germany, Indonesia, Japan, Nepal, Spain, the Philippines, and Vietnam, among other countries.

“Facebook Accounts with reputation, seller rating, and high number of followers can be easily monetized on dark markets,” stated Zaytsev. “Those are used to spread advertisements and more scams to a larger audience.”

The disclosure comes a few days after WithSecure and Zscaler ThreatLabz detailed new Ducktail and Duckport attacks that use malverposting techniques to target Facebook and Meta Business accounts.

In terms of capabilities, infrastructure, and victimology, “the Vietnamese-centric element of these threats and high degree of overlaps suggest active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) focused around social media platforms such as Facebook,” according to WithSecure.