Connect with us

Hi, what are you looking for?


Malware & Threats

260,000 Facebook Users Infected With Trojan Disguised as Flash Update

Hundreds of thousands of users have had their Web browsers hijacked by a piece of malware distributed through Facebook, a researcher reported.

Hundreds of thousands of users have had their Web browsers hijacked by a piece of malware distributed through Facebook, a researcher reported.

Once it infects a computer, the Trojan installs an extension in the victim’s Web browser. The threat tags the victim’s Facebook friends in a post advertising an adult video. When users click on the link, they are presented with a preview of the video, after which they are instructed to install what appears to be a Flash Player plugin. This component is the malware downloader.

Security researcher Mohammad Reza Faghani, who dubbed this distribution method “Magnet,” says the technique can be highly effective because the friends of the tagged users are also likely to see the malicious posts. In order to keep a low profile, the malware only tags up to 20 of the victim’s friends, the expert said.

The first variants of the Trojan, which infected at least 110,000 users, were designed to like posts on a certain Facebook page. The newer variants, detailed by Faghani in an advisory published on his personal website, don’t like any posts and instead subscribe victims to the profile of one Hüseyin Karaman. According to the researcher, the profile already has roughly 260,000 subscribers and the number continues to grow.

The new variant also comes with a feature that checks if victims are logged in to their Twitter accounts. If they are, the malware forces them to follow a couple of Twitter accounts (@SnrtEmrah and @Organiktr). The accounts in question have been reported to Twitter, but they are still active at the time of writing.

The Web browser extension installed on the victims’ machines is designed to receive updates (scripts containing instructions), and prevent users from accessing certain security-related websites that could be utilized to clean up the infection.

Faghani has analyzed some of the affected Facebook profiles and determined that many of the victims are located in India, the northern part of Africa, and the western part of Latin America. Infections have also been spotted in most European countries.

Advertisement. Scroll to continue reading.

Based on the MD5 hash provided by the researcher for the rogue Flash Player update, 36 of the 57 antivirus engines on VirusTotal detect the threat based on its signature.

Bitdefender also published an analysis of this campaign last week, but the number of infections was much smaller at the time. The security firm reported that Turkish cybercriminals appear to be behind the campaign, an assumption backed up by data from Faghani.

“We use a number of automated systems to identify potentially harmful links and stop them from spreading. In this case, we¹re aware of these malware varieties, which are typically hosted as browser extensions and distributed using links on social media sites,” a Facebook spokesperson told SecurityWeek. “We are blocking links to these scams, offering cleanup options, and pursuing additional measures to ensure that people continue to have a safe experience on Facebook.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...