cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Don’t send nudes: Facebook malvertising campaign uses ‘lewd images’ to trick victims

Hijacked Facebook accounts are being used to lure victims into downloading info-stealing malware.

user icon David Hollingworth
Wed, 01 Nov 2023
Don’t send nudes: Facebook malvertising campaign uses ‘lewd images’ to trick victims
expand image

Have you ever been surfing Facebook and had a random ad show up that promises whole photo albums of nude women to download for free?

Well, for one thing, put that phone down and go for a walk. For another, don’t click on anything too good to be true because, in this case, you are not getting free nudes but rather free malware that could steal your credentials and use your account to commit even more fraud.

Researchers at Bitdefender have been monitoring the ongoing campaign and have broken down how the whole thing operates.


Facebook’s owner, Meta, has been tracking the spread of Nodestealer malware since January 2023, tracing it to a Vietnamese threat actor. At the time, the custom-built malware targeted business users by hijacking their cookie sessions.

The newest version of the campaign, however, features an updated version of the Nodestealer malware that can do a lot more than hijack cookies. Version 2.1 can access Gmail and Outlook, steal the balance of a crypto wallet, and even download additional malware.

In this latest campaign, Nodestealer is being deployed to victims via compromised business accounts with a positive ad balance. Those balances are then being spent to create advertisements aimed at a very particular demographic – men aged 45-plus who don’t mind a bit of free porn.

The ads offer access to photo albums with names like Album Girl News Update or Hot Album Update Today and feature an image of said hot girls, some of which appear to be AI-generated. Some even exhort prospective victims to “watch now before it’s deleted”.

Of course, there are no nudes, lewds, pr0n or anything even similar. Instead, the album ads point to GitLab or Bitbucket repositories where a Windows executable will run and deploy the Nodestealer malware onto the victim’s device.

Once infected, the threat actor can take over an account, change its login credentials, and commit more fraud, this time under the victim’s name.

“Whether stealing money or scamming new victims via hijacked accounts, this type of malicious attack allows cyber criminals to stay under the radar by sneaking past Meta’s security defences,” Bitdefender said in a statement.

So let us say this again: don’t trust free porn on Facebook. It will cost you a lot more than you think.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.