Socelars Malware Attacking Windows systems to Collect sensitive data

Security researchers are tracking Socelars, a sneaky information-stealing Trojan aimed at Windows users.

Unlike ransomware that locks files, Socelars quietly grabs browser data to hijack online accounts. It focuses on authenticated session info, letting attackers reuse a victim’s “logged-in” state without needing passwords.

Public reports tie Socelars to scams hitting Facebook Ads Manager. Stolen sessions allow crooks to take over ad accounts, launch fake campaigns, drain budgets, or resell access for cash.

According to Anyrun’s malware trends page (any.run/malware-trends/socelars), it also steals session cookies from Facebook and Amazon, which is enough to take over those accounts instantly.

Attackers spread Socelars via fake PDF reader lures, like “PDFreader” installers. Victims think they’re downloading a work tool, but the file creates a “pdfreader2019” folder and starts stealing data in the background. Few signs alert users, making it hard to spot.

Once running, Socelars targets browsers like Chrome and Firefox. It reads cookie storage files, such as the Cookies SQLite database, to pull session cookies, access tokens, and identifiers.

It even connects to Facebook URLs to extract ad-related details like account IDs, spending limits, emails, page info, and linked payment methods such as credit cards or PayPal.

Socelars stealer detected by ANY.RUN sandbox

Recent Anyrun sandbox analysis shows Socelars’ full attack chain. It begins with system reconnaissance, checking the environment.

Then it tries privilege escalation via User Account Control (UAC) bypass, using COM auto-elevation through cmlua.dll and ICMLuaUtil.

The malware creates a mutex called “patatoes” to avoid running twice. It contacts iplogger[.]org for tracking, then crashes on purpose to hide its tracks, looking like a normal app failure.

For businesses, the dangers are real. Compromised ad accounts fuel fraud, while stolen billing info leads to direct theft. Attackers monetize fast by abusing sessions through platform APIs.


How to Fight Back

Defenders can block this threat with smart steps:

  • Spot fake lures: Avoid untrusted “PDF reader” downloads. Stick to official sources like Adobe or Foxit.
  • Lock down browsers: Use endpoint tools to monitor cookie database access. Enable strict cookie policies.
  • Harden privilege controls: Disable unnecessary UAC auto-elevations and scan for mutexes like “patatoes.”
  • Run sandboxes: Test suspicious files in tools like Anyrun before opening.
  • Patch and monitor: Keep Windows and browsers updated. Watch for iplogger[.]org traffic.

Researchers link Socelars to ongoing campaigns, urging quick action. As ad platforms grow, thieves like this evolve. Stay vigilant; simple habits block big losses.


The post Socelars Malware Attacking Windows systems to Collect sensitive data appeared first on Cyber Security News.
