VERY IMPORTANT

The latest variant of NodeStealer has evolved from JavaScript to Python, expanding its data theft capabilities. Trend Micro's MXDR team uncovered this advanced version in a campaign targeting a Malaysian educational institution, linked to a Vietnamese threat group. The malware now targets Facebook Ads Manager accounts, stealing critical financial and business information alongside credit card details and browser data. The infection begins with a spear-phishing email containing a malicious link, which downloads and installs the malware disguised as a legitimate application. Sophisticated techniques like DLL sideloading and encoded PowerShell commands are used to bypass security and execute the final payload, exfiltrating data via Telegram.