{"id":53538,"date":"2023-09-05T00:00:00","date_gmt":"2023-09-05T00:00:00","guid":{"rendered":"urn:uuid:2295f63d-e2ac-348d-f02c-83aa087e3b6c"},"modified":"2023-09-05T00:00:00","modified_gmt":"2023-09-05T00:00:00","slug":"analyzing-a-facebook-profile-stealer-written-in-node-js","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/analyzing-a-facebook-profile-stealer-written-in-node-js\/","title":{"rendered":"Analyzing a Facebook Profile Stealer Written in Node.js"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/fb-stealer-cov:Large?qlt=80\"><\/p>\n<div><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/fb-stealer-cov.png\" class=\"ff-og-image-inserted\"><\/div>\n<p>After the stealing process is completed, the client sends another status message to the server stating that the stealing process has been completed. In the case of a server pushing a message during the stealing process, the client responds with a \u201cwait for the completion\u201d message.<\/p>\n<p>The reason for the implementation of handling such messages is the activation of the stealing process. The threat actor maintains an IP address list of infected clients that are just waiting for activation (by receiving a message). After the threat actor pushes a message to the clients, the stealing process restarts.<\/p>\n<h2><span class=\"body-subhead-title\"><\/span><\/h2>\n<p>The stealer focuses on the following web browsers:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Microsoft Edge<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Google Chrome<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Opera \/ OperaGX<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Brave<\/span><\/li>\n<\/ul>\n<p>For each browser, the stealer searches for available profiles in the <a href=\"https:\/\/chromium.googlesource.com\/chromium\/src\/+\/master\/docs\/user_data_dir.md\"><i>User Data<\/i><\/a> folder. It then collects the user home path, the profile path, the <i>User Data<\/i> path, and version information from the \\<i>User Data\\Last Version<\/i> file. Next, it extracts the encrypted key (used to decrypt Chrome cookies and passwords) from \\<i>User Data\\Local State<\/i> &nbsp;and decrypts it. Finally, it will kill the browser process.<\/p>\n<p>For each available profile, the stealer gets all saved cookies database from <i>&lt;profile&gt;\\Network\\Cookies<\/i>. It then checks if a Facebook cookie named <a href=\"https:\/\/cookiedatabase.org\/cookie\/facebook\/xs\/\"><i>xs<\/i><\/a><i> <\/i>is present. This cookie is a session ID that indicates whether a user is logged in to Facebook for that profile. If this cookie is not found, it skips the profile.<\/p>\n<p>It extracts all cookies belonging to Facebook, Google, and Outlook (live.com) and decrypts all of them with a key previously obtained from <i>\\User Data\\Local State<\/i>. It also retrieves the database of all saved login credentials from <i>&lt;profile path&gt;\\Login Data<\/i>.<\/p>\n<p>Furthermore, the stealer decrypts all Facebook, Google, and Outlook logins (usernames, emails and passwords) also using a key obtained from <i>\\User Data\\Local State<\/i>.<\/p>\n<p>It then checks if the MetaMask extension exists in <i>&lt;profile path&gt;\\Local Extension Settings\\<\/i>, after which it packs the whole MetaMask extension directory into a zip archive and exfiltrates it to the Telegram bot.<\/p>\n<p>It gets Facebook\u2019s <a href=\"https:\/\/cookiedatabase.org\/cookie\/facebook\/c_user\/\">c_user<\/a> cookie and additional browser information such as operating system, version, and architecture. The stealer will also attempt to steal <a href=\"https:\/\/developers.facebook.com\/docs\/facebook-login\/guides\/access-tokens\/\">Facebook\u2019s access token<\/a>. If this is unsuccessful, it will exfiltrate Facebook cookies, browser names, executable paths, saved logins, IP addresses, and country codes. The targeted profile is then skipped, with the stealer proceeding to another profile.<\/p>\n<p>It then exfiltrates the following in order via GET requests to C&amp;C server:<\/p>\n<ol>\n<li>Facebook identity numbers, full usernames, email addresses, birthdays, access tokens, Facebook cookies, browser names, executable paths, saved logins, IP addresses, and country codes<\/li>\n<li>Gmail credentials and cookies<\/li>\n<li>Outlook credentials and cookies<\/li>\n<li>Additional Facebook information, such as email addresses and location information<\/li>\n<li>Business account information, such as usernames and identifiers. &nbsp;For each business account, it will steal the name, ad account limit, creation time, business ID, permitted roles, verification status, and number of business users associated with the business.<\/li>\n<li>Page information, including usernames and <a href=\"https:\/\/developers.facebook.com\/docs\/pages\/access-tokens\/\">page access token<\/a>s<\/li>\n<li>Ad account information, which includes usernames. For each ad accounts, the stealer extracts ad account IDs, <a href=\"https:\/\/developers.facebook.com\/docs\/marketing-api\/reference\/ad-account\/agencies\/\">ad account agencies<\/a>, spending limits, extended credits (invoice and how often it is billed), currency ratio to USD, time zones, next billing dates, the creation time, <a href=\"https:\/\/www.facebook.com\/business\/help\/776240779095515\">billing threshold<\/a>s, balances, payment cards, payment card expiration dates, payment card verification status, ad account insights, and account status<\/li>\n<\/ol>\n<p>Most likely for backup purposes, previously extracted information is also saved into a text file and sent to the Telegram bot.<\/p>\n<h2><span class=\"body-subhead-title\">Exfiltration to the C&amp;C server<\/span><\/h2>\n<p>The exfiltration of stolen data to the C&amp;C server is done via GET request to a randomly generated path (<i>&lt;server&gt;\/image\/&lt;random 26-character ID&gt;.png<\/i>). The exfiltrated content is passed inside the <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/Authorization\">authorization header<\/a>.<\/p>\n<p> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/i\/analyzing-a-facebook-profile-stealer-written-in-node-js.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We analyze an information stealer written in Node.js, packaged into an executable, exfiltrated stolen data via both Telegram bot API and a C&#038;C server, and employed GraphQL as a channel for C&#038;C communication. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":53539,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9513,9577,9509],"class_list":["post-53538","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-phishing","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Analyzing a Facebook Profile Stealer Written in Node.js 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/analyzing-a-facebook-profile-stealer-written-in-node-js\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Analyzing a Facebook Profile Stealer Written in Node.js 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/analyzing-a-facebook-profile-stealer-written-in-node-js\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-09-05T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/fb-stealer-cov:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-a-facebook-profile-stealer-written-in-node-js\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-a-facebook-profile-stealer-written-in-node-js\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Analyzing a Facebook Profile Stealer Written in Node.js\",\"datePublished\":\"2023-09-05T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-a-facebook-profile-stealer-written-in-node-js\\\/\"},\"wordCount\":645,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-a-facebook-profile-stealer-written-in-node-js\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/09\\\/analyzing-a-facebook-profile-stealer-written-in-node-js.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Phishing\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-a-facebook-profile-stealer-written-in-node-js\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-a-facebook-profile-stealer-written-in-node-js\\\/\",\"name\":\"Analyzing a Facebook Profile Stealer Written in Node.js 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-a-facebook-profile-stealer-written-in-node-js\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-a-facebook-profile-stealer-written-in-node-js\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/09\\\/analyzing-a-facebook-profile-stealer-written-in-node-js.png\",\"datePublished\":\"2023-09-05T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-a-facebook-profile-stealer-written-in-node-js\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-a-facebook-profile-stealer-written-in-node-js\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-a-facebook-profile-stealer-written-in-node-js\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/09\\\/analyzing-a-facebook-profile-stealer-written-in-node-js.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/09\\\/analyzing-a-facebook-profile-stealer-written-in-node-js.png\",\"width\":976,\"height\":533},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-a-facebook-profile-stealer-written-in-node-js\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Analyzing a Facebook Profile Stealer Written in Node.js\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Analyzing a Facebook Profile Stealer Written in Node.js 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/analyzing-a-facebook-profile-stealer-written-in-node-js\/","og_locale":"en_US","og_type":"article","og_title":"Analyzing a Facebook Profile Stealer Written in Node.js 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/analyzing-a-facebook-profile-stealer-written-in-node-js\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-09-05T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/fb-stealer-cov:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-a-facebook-profile-stealer-written-in-node-js\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-a-facebook-profile-stealer-written-in-node-js\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Analyzing a Facebook Profile Stealer Written in Node.js","datePublished":"2023-09-05T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-a-facebook-profile-stealer-written-in-node-js\/"},"wordCount":645,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-a-facebook-profile-stealer-written-in-node-js\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/09\/analyzing-a-facebook-profile-stealer-written-in-node-js.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : Phishing","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-a-facebook-profile-stealer-written-in-node-js\/","url":"https:\/\/www.threatshub.org\/blog\/analyzing-a-facebook-profile-stealer-written-in-node-js\/","name":"Analyzing a Facebook Profile Stealer Written in Node.js 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-a-facebook-profile-stealer-written-in-node-js\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-a-facebook-profile-stealer-written-in-node-js\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/09\/analyzing-a-facebook-profile-stealer-written-in-node-js.png","datePublished":"2023-09-05T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-a-facebook-profile-stealer-written-in-node-js\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/analyzing-a-facebook-profile-stealer-written-in-node-js\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-a-facebook-profile-stealer-written-in-node-js\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/09\/analyzing-a-facebook-profile-stealer-written-in-node-js.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/09\/analyzing-a-facebook-profile-stealer-written-in-node-js.png","width":976,"height":533},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-a-facebook-profile-stealer-written-in-node-js\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Analyzing a Facebook Profile Stealer Written in Node.js"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/53538","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=53538"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/53538\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/53539"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=53538"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=53538"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=53538"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}