Facebook Job Ads Spreading ‘Ov3r_Stealer’ to Steal Your Data

New data-stealing malware ‘Ov3r_Stealer’ was detected in Facebook ads. Hackers are trying to trick victims with Facebook job scams to steal their private and important data.

Trustwave SpiderLabs mentioned in their report that Ov3r_Stealer malware can steal victims’ login credentials as well as crypto wallets. This malware shares the stolen information with hackers through a Telegram channel. They further stated that it’s possible that Phemedrone might have been modified into Ov3r_Stealer since the only difference between the two threats is that Phemedrone is programmed on C#.

Facebook Job Ads Spreading 'Ov3r_Stealer' to Steal Your Data

About Ov3r_Stealer

Ov3r_Stealer targets data like passwords, crypto wallet, victims’ IP addresses, hard drive specifications, installed antimalware tools, and MS Office docs. etc. Although, as of now attackers’ end-goal is unclear behind this Facebook scam, however, security experts suspect that hackers might be aiming to sell this information online.

It is also quite possible that cybercriminals might use this stolen information to launch even severe attacks. This threat may be used as a payload for other harmful threats like Ransomware or Trojan. There is one more possibility which is even worse, hackers may try to blackmail victims.

Possible Impact of The Facebook Jobs Ads Scam:

  • Privacy risk, identity theft.
  • Severe Malware Attack.
  • Potential blackmail.
  • Financial fraud.

How Facebook Job Ads Scam Works:

Hackers use Facebook advertisement platforms to promote fake jobs pretending to be well-known companies. Unaware of the actual content, Facebook promotes these ads to the targeted audience. However, these ads are attached with PDF files weaponized with malicious codes. Once you click on the link to find out more about the opportunity, job specifications, and requirements, a short URL opens on the browser presenting DocuSign document. This document is hosted on Discord’s CDN.

This shortcut URL is created to deliver a (.CPL)  file, which runs on the Control Panel process binary (“control.exe”). Once executed, this control panel item file will download PowerShell loader named (“DATA1.txt”) from a GitHub repository. This PowerShell will finally launch and install Ov3r_Stealer in the targeted Windows PC exposing all your important information.

Connection Between Ov3r_Stealer And Phemedrone 

Trend Micro recently reported that hackers used an identical infection chain to drop another data-stealing malware, called Phemedrone Stealer. Hackers exploited the Microsoft Windows Defender SmartScreen bypass vulnerability (CVE-2023-36025, CVSS score: 8.8) to deliver this threat. The similarity between Ov3r_Stealer and  Phemedrone is uncanny, both malware uses the same installation, infection, and attack process.

A threat actor, known for using the alias Liu Kong, was seen bragging online about the stolen data taking credit for the malware. Additionally, this hacker also expressed frustration over the fact that security experts detected and reversed the hack.


Users are advised to practice caution while using social media. If something seems too good to be true, it probably is. Your social media accounts contain most of your important information including full name, address, pictures, people you know, places you like to visit, your pets, etc. Such details can be used against you in harmful ways including stealing your identity, stealing money, blackmail, and many more.

Therefore, it is very important to be careful about what you share online. Users must follow important security measures to keep themselves protected. creating a proper backup of important files and always updating it is essential. It’s also necessary not to turn off the system firewall and other security measures. Most importantly install a reputed antimalware tool that could provide your system with real-time threat protection.




About the author


Leave a Comment