Compromised Facebook business accounts are being used to run bogus ads that employ “revealing photos of young women” as lures to trick victims into downloading an updated version of a malware called NodeStealer.

“Clicking on ads immediately downloads an archive containing a malicious .exe ‘Photo Album’ file which also drops a second executable written in .NET – this payload is in charge of stealing browser cookies and passwords,” Bitdefender said in a report published this week.

NodeStealer was first disclosed by Meta in May 2023 as a JavaScript malware designed to facilitate the takeover of Facebook accounts. Since then, the threat actors behind the operation have leveraged a Python-based variant in their attacks.