Fake Facebook ads for Windows desktop themes are actually sending out malware — here's what to know

A person's fingers type at a keyboard, with a digital security screen with a lock on it overlaid.

(Image credit: Shutterstock / Thapana_Studio)

A new Facebook malvertising campaign has been discovered tricking victims looking for Windows themes and other software into downloading information-stealing malware.

As per the report from cybersecurity researchers Trustwave, threat actors have been abusing Facebook’s ad network to create malicious advertisements for things like Windows themes, top games, AI software, and more. The campaign, which also leverages LinkedIn and YouTube, has been active since at least September 2023, and is still active, at press time.

The victims don’t seem to belong to any specific cohort. Instead, the threat actors are seemingly casting a wide net and trying to infect as many people as possible. The infostealer used in this campaign is called SYS01 stealer, and it was first spotted by cybersecurity pros Morphisec in mid-2022.

Stealing Facebook Business accounts

As far as infostealers go, SYS01 stealer isn’t that much different. It grabs sensitive information such as login data, cookies, and similar information, from the target endpoints. It also hunts for Facebook ad and business account information, which it then uses to create additional malicious ads and further propagate the malware.

However, since its first detection in 2022, the infostealer has evolved to better evade detection and improve targeting. That being said, the latest variant can detect if it’s being reverse-engineered in virtual environments. The “construction of C2 domains, ad tagging, and hosting on Telegram are all novel and modified tactics,” the researchers added, highlighting the malware’s evolution.

Facebook, LinkedIn, and YouTube are gigantic social networks, used by billions of people every day. As such, they will always be a target of cybercriminals looking to deploy malware and ultimately generate profit. Trustwave believes malvertising threats are so pervasive that they “may never go away”, suggesting that consumers should be extra wary when looking for software, especially commercial products.

More from TechRadar Pro

This well-known infostealer is back with upgraded malware
Here's a list of the best firewalls today
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.