White Paper

Facebook Advertising Spreads Novel Malware Variant

23 Pages

Trustwave SpiderLabs uncovered Ov3r_Stealer, a novel malware spread through Facebook job ads and fake accounts, which lure victims to malicious Discord URLs delivering weaponized files. Using techniques like CPL files, HTML and SVG smuggling, and LNK masquerading, the malware establishes persistence via scheduled tasks and DLL sideloading. Ov3r_Stealer exfiltrates geolocation, credentials, cookies, crypto wallets, browser extensions, and documents every 90 minutes to a monitored Telegram channel. Linked to aliases like Liu Kong and John Macollan, the campaign overlaps with Phemedrone stealer code, showing ongoing development and adaptability. Trustwave urges awareness training, patching, audits, and proactive threat hunting.
