Vietnamese Hackers Linked to 'Malverposting' Campaign

Written by

A recent ‘malverposting’ campaign linked to a Vietnamese threat actor has been ongoing for months and is estimated to have infected over 500,000 devices worldwide in the past three months alone.

The claims come from security experts at Guardio Labs, and were published in a blog post on Wednesday. 

In it, the team described malverposting as “the use of promoted social media posts and tweets to propagate malicious software and other security threats,” and in this case, the abuse of Facebook’s Ads service to deliver malware.

“The initial enabler for those numbers is the abuse of Facebook’s Ads service as the first stage delivery mechanism responsible for this mass propagation,” wrote Nati Tal, head of cybersecurity at Guardio Labs.

Read more on ads-based malicious campaigns: SYS01 Stealer Targets Critical Infrastructure With Google Ads

The Guardio team observed that the Vietnamese campaign relied on malverposting while it evolved various evasion techniques. It particularly focused on the USA, Canada, England and Australia.

“This threat actor is creating new business profiles, as well as hijacking real, reputable profiles with even millions of followers,” Tal explained.

They also repeatedly posted malicious clickbait on Facebook feeds promising adult-rated photo album downloads for free.

“Once victims click on those posts/links, a malicious ZIP file is downloaded to their computers,” reads the advisory. “Inside are photo files (that are actually masqueraded executable files) that, when clicked, will initiate the infection process.”

The executable then opens a browser window popup with a decoy website showing related content.

“While in the background, the stealer will silently deploy, execute and gain persistence to periodically exfiltrate your sessions cookies, accounts, crypto-wallets and more.”

Tal clarified that the team observed several variations of the latest payload, yet all shared a benign executable file to start the infection flow.

“The malicious payload is quite sophisticated and varies all the time, introducing new evasive techniques,” the security expert wrote.

“As we’ve seen, it takes time for security vendors to fingerprint it and create relevant verdicts to block — especially when it’s done out of context.”

The Guardio Labs advisory comes weeks after security experts at Group-IB unveiled a phishing scheme aimed at Facebook users and relying on over 3000 fake profiles.

Editorial image credit: BigTunaOnline /

What’s hot on Infosecurity Magazine?