Socelars Trojan Targets Windows Users with Stealthy Session Hijacking
Security researchers are monitoring Socelars, a Windows-focused information-stealing Trojan designed to harvest browser-based session data without damaging files. The malware prioritizes authenticated access: rather than passwords, it steals a victim's logged-in state so that attackers can reuse it against online services, particularly Facebook Ads Manager, where stolen sessions are exploited for financial fraud through ad account takeovers.
First observed in campaigns using a fake PDF reader/editor (PDFreader) as a social engineering lure, Socelars deploys a deceptive installer that creates a pdfreader2019 folder and then silently extracts data in the background. The Trojan targets browser cookies from Chrome and Firefox by reading the browsers' SQLite cookie databases, enabling attackers to hijack accounts without passwords. Stolen data includes session cookies, access tokens, account IDs, and advertising-related details such as spending limits and payment information from platforms like Facebook and Amazon.
Recent sandbox analysis reveals Socelars' multi-stage attack flow: initial system reconnaissance, privilege escalation via a User Account Control (UAC) bypass using COM auto-elevation (ICMLuaUtil through cmlua.dll), and the creation of a mutex named patatoes. The malware then contacts iplogger[.]org before intentionally crashing to avoid detection. Because this leaves few traces, victims are unlikely to notice the compromise.
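As an added defender-side example (not code from the article or from the researchers it cites), the following Python triage routine matches constructed endpoint events against the indicators the write-up names: the pdfreader2019 staging folder, non-browser reads of the Chrome/Firefox cookie databases, a cmlua.dll load, and a DNS lookup of iplogger.org, and alerts only when several of them chain on one host. The event schema (type, host, image, path, module, query) and the sample events are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Indicators taken from the write-up: the pdfreader2019 staging folder,
# non-browser reads of the Chrome/Firefox SQLite cookie stores, a cmlua.dll
# (ICMLuaUtil COM server) load, and a DNS lookup of iplogger.org.
COOKIE_DB = re.compile(r"\\(Google\\Chrome\\.*\\Cookies|Firefox\\Profiles\\.*\\cookies\.sqlite)$", re.I)
BROWSERS = {"chrome.exe", "firefox.exe"}

def indicators(ev):
    """Return the indicator names matched by one event dict (assumed schema)."""
    hits = set()
    kind, exe = ev["type"], ev.get("image", "").lower().rsplit("\\", 1)[-1]
    path = ev.get("path", "")
    if kind == "file_create" and "\\pdfreader2019" in path.lower():
        hits.add("staging_folder")
    if kind == "file_read" and COOKIE_DB.search(path) and exe not in BROWSERS:
        hits.add("cookie_db_access")
    # cmlua.dll is normally loaded inside a COM surrogate, so on its own this only
    # says the ICMLuaUtil server was instantiated; treat it as a weak signal.
    if kind == "image_load" and ev["module"].lower().endswith("\\cmlua.dll"):
        hits.add("cmlua_load")
    if kind == "dns" and ev["query"].lower().rstrip(".").endswith("iplogger.org"):
        hits.add("iplogger_beacon")
    return hits

def triage(events):
    """Per host, alert only when two or more distinct indicators chain together."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= indicators(ev)
    return {h: sorted(v) for h, v in per_host.items() if len(v) >= 2}

# Constructed sample telemetry (not real logs): one infected host, one clean host.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file_create", "image": "C:\\Users\\a\\Downloads\\PDFreader.exe",
     "path": "C:\\Users\\a\\AppData\\Local\\Temp\\pdfreader2019\\x.tmp"},
    {"host": "ws01", "type": "file_read", "image": "C:\\Users\\a\\Downloads\\PDFreader.exe",
     "path": "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"},
    {"host": "ws01", "type": "image_load", "image": "C:\\Windows\\System32\\dllhost.exe",
     "module": "C:\\Windows\\System32\\cmlua.dll"},
    {"host": "ws01", "type": "dns", "image": "C:\\Users\\a\\Downloads\\PDFreader.exe",
     "query": "iplogger.org"},
    {"host": "ws02", "type": "file_read", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "path": "C:\\Users\\b\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The browser's own cookie reads on ws02 produce no hit, so only the host where the installer's activity chains together is reported.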
For businesses, the primary threat lies in the abuse of stolen ad-session access. Attackers can launch fraudulent ad campaigns, drain budgets, or resell compromised accounts, and the stolen billing and payment details amplify the financial damage. The malware's focus on advertising infrastructure, including email addresses, access tokens, and linked credit card or PayPal information, highlights its monetization-driven design.
Source: https://gbhackers.com/socelars-malware-targets-windows-systems/
PayPal cybersecurity rating report: https://www.rankiteo.com/company/paypal
Facebook for Business cybersecurity rating report: https://www.rankiteo.com/company/facebookforbusiness
{
"id": "PAYFAC1770731905",
"linkid": "paypal, facebookforbusiness",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "industry": "Advertising, E-commerce, Digital Marketing",
      "type": "Businesses using Facebook Ads Manager, Amazon, and other advertising platforms"
    }
  ],
  "attack_vector": "Malicious installer (fake PDF reader/editor)",
  "data_breach": {
    "data_exfiltration": "Yes (contact with iplogger[.]org)",
    "personally_identifiable_information": "Yes (email addresses, payment information)",
    "sensitivity_of_data": "High (PII, financial data, authentication tokens)",
    "type_of_data_compromised": [
      "Session cookies",
      "Access tokens",
      "Account IDs",
      "Advertising-related details (spending limits, payment information)",
      "Email addresses"
    ]
  },
  "description": "Security researchers are monitoring Socelars, a Windows-focused information-stealing Trojan designed to harvest browser-based session data without damaging files. The malware prioritizes authenticated access, allowing attackers to reuse a victim’s logged-in state to infiltrate online services, particularly Facebook Ads Manager, where stolen sessions can be exploited for financial fraud via ad account takeovers.",
  "impact": {
    "data_compromised": "Session cookies, access tokens, account IDs, advertising-related details (spending limits, payment information)",
    "financial_loss": "Fraudulent ad campaigns, drained budgets, stolen billing and payment details",
    "identity_theft_risk": "High (stolen session data, PII, payment information)",
    "operational_impact": "Ad account takeovers, unauthorized ad campaigns",
    "payment_information_risk": "High (credit card, PayPal information)",
    "revenue_loss": "Potential revenue loss from fraudulent ad spending",
    "systems_affected": "Windows systems with Chrome or Firefox browsers"
  },
  "initial_access_broker": {
    "entry_point": "Fake PDF reader/editor installer (PDFreader)",
    "high_value_targets": "Facebook Ads Manager, Amazon, advertising platforms"
  },
  "investigation_status": "Ongoing monitoring",
  "motivation": "Financial fraud, monetization through stolen ad-session access",
  "post_incident_analysis": {
    "root_causes": "Social engineering (fake installer), UAC bypass, stealthy data exfiltration"
  },
  "references": [
    {"source": "Security researchers (sandbox analysis)"}
  ],
  "title": "Socelars Trojan Targets Windows Users with Stealthy Session Hijacking",
  "type": "Trojan",
  "vulnerability_exploited": "UAC bypass via COM auto-elevation (ICMLuaUtil through cmlua.dll)"
}