Designed to appeal to the widest range of potential victims, the malware ads are also being updated continuously to evade tracking

The campaign possesses the following characteristics:

  • Compared with previous malvertising campaigns, SYS01 is now delivered through an ElectronJS cross-platform browser application. To maximize reach, the threat actors have begun impersonating a wide range of well-known software tools, increasing the likelihood of reaching a broader user base.
  • The malvertising campaign leverages nearly a hundred malicious domains, utilized not only for distributing the malware but also for live command and control (C2) operations, allowing threat actors to manage the attack in real time.
  • Trusted products and brands are featured in the malvertisements to attract more victims. These include video editing software such as CapCut, Virtual Private Network (VPN) tools, and video streaming services such as Netflix, among many other types of software.
  • The malicious ads typically point to, or redirect through, a MediaFire link that allows direct download of malicious ZIP or self-extracting archives. These archives drop and execute encrypted malicious code behind a decoy application that partially mimics what the victim was expecting.
  • Each compromised account can be repurposed to promote additional malicious ads, amplifying the reach of the campaign without the hackers needing to create new Facebook accounts themselves. This is a cost-effective and time-efficient way to consistently drive traffic to malicious downloads.
  • The scope of SYS01 is global, with potential victims in the millions, spanning regions such as the EU, North America, Australia, and Asia — particularly males aged 45 and above. There is limited transparency on how these malicious ads are affecting users outside the EU, especially in the US.
  • SYS01’s masterminds are continuously evolving their strategies, adapting malicious payloads almost in real time to avoid detection. By the time antivirus tools have detected and blocked one version of the malware dropper, the operators are already enhancing their obfuscation methods and launching new ads with updated versions.
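The lure chain described in the list above (a brand-name ad that resolves to a file-hosting link serving an archive or self-extracting file) can be triaged from ad-click or proxy telemetry without any knowledge of the payload itself. The following Python is an added example, not code from the original report or from any named vendor; the record format, the brand-to-official-domain mapping, the archive extension list, and the sample records are constructed assumptions for illustration.

```python
"""Triage heuristic for ad-driven software downloads, modelled on the SYS01
lure chain: a malvertisement for a well-known product whose landing page is
a file-hosting service offering a ZIP or self-extracting (.exe) archive.
Record format, domain lists and sample data are constructed for this example."""
from dataclasses import dataclass
from urllib.parse import urlparse

# File-hosting service named in the report as the delivery point (MediaFire).
FILE_HOSTING_DOMAINS = {"mediafire.com"}

# Impersonated brands named in the report, mapped to the domains they are
# assumed (for this example) to legitimately distribute from.
BRAND_OFFICIAL_DOMAINS = {
    "capcut": {"capcut.com"},
    "netflix": {"netflix.com"},
}

# Archive and self-extracting archive types described in the report.
ARCHIVE_EXTENSIONS = (".zip", ".exe")


@dataclass
class AdDownload:
    ad_text: str      # headline / product the ad advertises
    landing_url: str  # URL the ad click resolved to
    filename: str     # file the landing page offered ("" if none)


def registered_domain(host: str) -> str:
    """Collapse 'www.sub.example.com' to 'example.com' (naive two-label rule)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(record: AdDownload) -> list[str]:
    """Return the list of lure indicators present in one ad/download record."""
    reasons: list[str] = []
    host = urlparse(record.landing_url).hostname or ""
    domain = registered_domain(host)

    if domain in FILE_HOSTING_DOMAINS:
        reasons.append(f"landing page is a file-hosting service ({domain})")

    if record.filename.lower().endswith(ARCHIVE_EXTENSIONS):
        reasons.append(f"download is an archive/self-extracting file ({record.filename})")

    text = record.ad_text.lower()
    for brand, official in BRAND_OFFICIAL_DOMAINS.items():
        if brand in text and domain not in official:
            reasons.append(f"ad names {brand!r} but delivers from {domain}")
    return reasons


def flagged(records: list[AdDownload], min_reasons: int = 2) -> list[tuple[str, list[str]]]:
    """Records with at least `min_reasons` indicators, for analyst review."""
    out = []
    for rec in records:
        reasons = triage(rec)
        if len(reasons) >= min_reasons:
            out.append((rec.ad_text, reasons))
    return out


# Constructed sample telemetry: one SYS01-style lure, one legitimate ad,
# one generic "VPN" lure with no brand keyword.
SAMPLE_RECORDS = [
    AdDownload("CapCut Pro free download",
               "https://www.mediafire.com/file/abc123/CapCut_Pro.zip",
               "CapCut_Pro.zip"),
    AdDownload("Netflix Premium plans",
               "https://www.netflix.com/signup",
               ""),
    AdDownload("Fast VPN for Windows",
               "https://www.mediafire.com/file/xyz789/FastVPN_setup.exe",
               "FastVPN_setup.exe"),
]

if __name__ == "__main__":
    for ad_text, reasons in flagged(SAMPLE_RECORDS):
        print(f"[FLAGGED] {ad_text}")
        for r in reasons:
            print(f"    - {r}")
```

The brand keyword check deliberately fires only when the delivery domain is not the brand's own, so a legitimate Netflix ad is not flagged; the threshold of two indicators keeps a lone archive download from a file-hosting site from generating noise on its own while still catching the report's pattern of brand lure plus file-hosting plus archive.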