NodeStealer 2.0 - The Python Version: Stealing Facebook Business Accounts

Palo Alto Networks Unit 42 researchers have unveiled a new phishing campaign named NodeStealer 2.0, aimed at Facebook business accounts. The campaign entices victims with free business tools, like spreadsheet templates, to completely take over the accounts. This strategy indicates a concerning trend among threat actors, who have been increasingly targeting Facebook business accounts which emerged around July 2022.

In May 2023, Meta released a report on NodeStealer, a new information-stealing malware initially compiled in July 2022. The report highlighted malicious activities involving NodeStealer that were identified in January 2023. In December 2022, a campaign featuring a new version of Nodestealer emerged. This new campaign involved two Python-written variants with enhanced capabilities, including cryptocurrency theft, downloading abilities, and a complete takeover of Facebook business accounts.

NodeStealer 2.0 Phishing Campaign 

The main infection vector was a phishing campaign focusing on advertising materials for businesses, allowing threat actors to steal browser cookies to hijack accounts on the platform, specifically aiming toward business accounts. The threat actor used multiple Facebook pages and users to post information, luring victims to download links from known cloud file storage providers. After clicking on it, a ZIP file was downloaded to the machine containing the malicious info stealer executable. 

“In early 2023, Meta reported it has reached 80.30 million Facebook users in the Philippines, equivalent to 69.0 percent of the total population at the start of the year. This extensive presence potentially exposes the country to considerable risks from NodeStealer, which greatly threatens individuals and organisations. Besides the direct impact on Facebook business accounts, which is mainly financial, the malware also steals credentials from browsers, which can be used for further attacks. We encourage all organisations to review their protection policies and use the indicators of compromise (IoCs) provided in this report to address this threat.” said Vicky Ray, Director at Unit 42 Cyber Consulting & Threat Intelligence, Asia Pacific & Japan at Palo Alto Networks.

Facebook business account owners are encouraged to use strong, complex, hard-to-guess passwords and enable multifactor authentication. Take the time to educate your organisation on phishing tactics, especially modern, targeted approaches that address current events, business needs, and other appealing topics. 

To know more about the other dangerous threats posed by the new version of NodeStealer, visit the blog here. 



About Palo Alto Networks

Palo Alto Networks is the world’s cybersecurity leader. We innovate to outpace cyber threats so that organizations can confidently embrace technology. We provide next-gen cybersecurity to thousands of customers globally across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we’re committed to helping ensure each day is safer than the one before. It’s what makes us the cybersecurity partner of choice.


At Palo Alto Networks, we’re committed to bringing together the very best people in service of our mission, so we’re also proud to be the cybersecurity workplace of choice, recognized among Newsweek’s Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021), and HRC's Best Places for LGBTQ Equality (2022). For more information, visit


Palo Alto Networks, Cortex, Unit 42, and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on the services and features currently generally available.