Threat actors are using fake Facebook job ads to fool victims into installing Ov3r_Stealer, a new Windows-based stealer virus.

Trustwave SpiderLabs told The Hacker News that “this malware is designed to steal credentials and crypto wallets and send them to a Telegram channel that the threat actor monitors.”

Ov3r_Stealer is designed to extract IP address-based location, hardware details, passwords, cookies, credit card info, auto-fills, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products from the infected host.

The campaign’s motive remains unclear; however, stolen data is often sold to other threat actors. Ov3r_Stealer may also be modified to deploy malware and other payloads, such as QakBot.

The attack initiates with a malicious PDF file seemingly hosted on OneDrive, enticing users to click on an “Access Document” button.

Trustwave discovered the PDF file posted on a fake Amazon CEO Andy Jassy Facebook account and Facebook advertisements promoting digital advertising opportunities.

Upon clicking the button, users are directed to a .URL file pretending to be a DocuSign document hosted on Discord’s CDN. A control panel item (.CPL) file is delivered through the shortcut file and executed by the Windows Control Panel process binary (“control.exe”).

Executing the CPL file triggers a PowerShell loader (“DATA1.txt”) retrieval from GitHub to execute Ov3r_Stealer.

Facebook Job Ads

Trend Micro recently uncovered that threat actors leveraged the Microsoft Windows Defender SmartScreen bypass vulnerability to disseminate Phemedrone Stealer through a nearly identical infection chain.

The GitHub repository (nateeintanan2527) and code-level similarities between Ov3r_Stealer and Phemedrone are noteworthy.

“This malware has recently been reported, and it may be that Phemedrone was re-purposed and renamed to Ov3r_Stealer,” warned Trustwave. “The main difference between the two is that Phemedrone is written in C#.”

Hudson Rock discovered that threat actors are advertising their access to Binance, Google, Meta, and TikTok law enforcement request portals, utilizing infostealer credentials.

Furthermore, they track CrackedCantil infections, where cracked software is employed to deploy loaders like PrivateLoader and SmokeLoader, leading to the delivery of information stealers, crypto miners, proxy botnets, and ransomware.



Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center