
Vietnamese threat actor behind "malverposting" campaign to infect 500,000 devices



Social media is a great way to connect with friends and family all over the world. But it's important to be aware that there are people out there who use social media for less than savory purposes. A recent study by Guardio Labs found that a Vietnamese threat actor has been using promoted social media posts to infect over 500,000 devices worldwide with variants of information stealer malware over the past three months.

This type of attack, known as "malverposting," relies on unsuspecting users clicking on links that appear to lead to free adult-rated photo albums. But instead of photos, these ZIP archive files contain executable files that, when clicked, activate the infection chain and ultimately deploy the stealer malware. This malware then siphons session cookies, account data, and other information from the victim's device.

The attack chain is highly effective as it creates a "vicious circle" wherein the information plundered using the stealer is used to create an ever-expanding army of hijacked Facebook bot accounts that are then used to push more sponsored posts, effectively scaling the scheme further. To slip under the radar of Facebook, the threat actor has been found to pass off the newly generated business profile pages as photographer accounts. A majority of the infections have been reported in Australia, Canada, India, the U.K., and the U.S.

So what can you do to protect yourself from this type of attack? The best defense is always a good offense, so it's important to be aware of the signs of malverposting and other social media scams. Be suspicious of any posts that offer free downloads, especially if they come from accounts that you don't know or trust. If you're not sure whether a post is legitimate, err on the side of caution and don't click on any links. And finally, make sure you have a good anti-malware solution installed on your devices to protect yourself in case you do accidentally click on a malicious link.
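A defender-side check for the delivery step described above, as an added example that is not from Guardio Labs or the original post: it lists entries in a downloaded ZIP that are Windows executables by extension or by the `MZ` header, where a photo album should hold only images. The extension lists, function names and sample archive are constructed assumptions.

```python
import io
import zipfile

# Assumed lists: extensions Windows runs on double-click, and image extensions.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".lnk", ".js", ".vbs"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}

def _ext(name):
    # Windows drops trailing dots and spaces, so "a.exe. " still runs as .exe.
    base = name.rsplit("/", 1)[-1].lower().rstrip(". ")
    return "." + base.rsplit(".", 1)[1] if "." in base else ""

def suspicious_entries(zip_bytes):
    """Return {entry_name: [reasons]} for entries that are not plain images."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _ext(info.filename)
            reasons = ["executable extension " + ext] if ext in EXECUTABLE_EXTS else []
            if info.flag_bits & 0x1:
                # Password-protected entry: content cannot be checked here.
                reasons.append("encrypted entry, content not inspected")
            else:
                with zf.open(info) as fh:
                    head = fh.read(2)
                if head == b"MZ":  # DOS/PE executable magic bytes
                    reasons.append("PE header (MZ)")
                    if ext in IMAGE_EXTS:
                        reasons.append("image extension hides executable")
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample():
    """Constructed sample: one real-looking JPEG and two disguised stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("album/photo1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("album/photo2.jpg.exe", b"MZ" + b"\x00" * 16)
        zf.writestr("album/photo3.png", b"MZ" + b"\x00" * 16)
    return buf.getvalue()

if __name__ == "__main__":
    for name, reasons in suspicious_entries(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```

The check reads only the first two bytes of each entry and never extracts or runs anything, so it can be applied to an archive before a user opens it.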
