A dangerous information-stealing malware called Socelars is actively targeting Windows systems to collect sensitive authentication data, with particular focus on Facebook Ads Manager accounts and session cookies.
Unlike traditional malware that causes immediate system damage, Socelars operates silently in the background, turning infected machines into gateways for account takeover and financial fraud.
Socelars is sophisticated spyware designed to harvest authenticated session data rather than disrupt computer systems.
The malware specifically targets browser-stored session cookies from platforms like Facebook and Amazon, allowing attackers to bypass password protections and, in some cases, even multi-factor authentication.
This makes it particularly threatening to businesses relying on advertising platforms and e-commerce accounts, where stolen sessions can be monetized quickly before detection.

How Socelars Attacks Windows Systems
According to ANY.RUN analysis, the malware typically masquerades as legitimate PDF reader software and is distributed via fake websites designed to appear trustworthy.
Once installed, Socelars quietly collects computer information, steals active browser sessions, and prepares stolen data for exfiltration to attacker-controlled servers.
Socelars executes its attack in three distinct stages. First, it performs system reconnaissance by collecting computer names and Machine GUIDs from the registry, and by checking installed languages and system certificates.
The malware then bypasses User Account Control via COM auto-elevation, gaining elevated privileges without triggering security warnings.
In the second stage, Socelars harvests authentication data from web browsers. It accesses browser storage and extracts active session cookies that remain valid even after passwords are changed.
The malware primarily targets Google Chrome and Mozilla Firefox by accessing cookies stored in SQLite databases.

This stolen session data provides attackers with ready-to-use access to business accounts without requiring traditional credential theft. Finally, Socelars exfiltrates collected data to remote servers controlled by cybercriminals.
Attackers can then launch fraudulent advertising campaigns, drain marketing budgets, or resell compromised business accounts on underground markets.
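The three stages above (registry-based fingerprinting, reads of the browsers' SQLite cookie stores by a process that is not the browser, then an outbound connection from that same process) are exactly the kind of sequence a defender can correlate in endpoint telemetry. The following is an added detection sketch, not ANY.RUN's analysis tooling or any code from the malware; it runs over a few constructed, Sysmon-style records. The field names (`pid`, `image`, `event`, `target`) are assumptions made for this example, not a real log schema; the registry path for the Machine GUID and the Chrome/Firefox cookie-store paths are the standard locations.

```python
"""Correlate the three Socelars stages per process over endpoint telemetry.

Added example, not code from the article, ANY.RUN or the malware.
Record fields (pid, image, event, target) are assumptions for this sketch.
"""
import re
from collections import defaultdict
from typing import Optional

# Browsers legitimately read their own cookie stores; anything else doing so is suspect.
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Stage 1 (reconnaissance): the Machine GUID lives under this registry value.
MACHINE_GUID_KEY = r"HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid"

# Stage 2 (cookie theft): Chrome's cookie SQLite DB (old "Cookies" and newer
# "Network\Cookies" layouts) and Firefox's cookies.sqlite under the profile dir.
COOKIE_STORE_RE = re.compile(
    r"(\\Google\\Chrome\\User Data\\[^\\]+\\(Network\\)?Cookies$"
    r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$)",
    re.IGNORECASE,
)


def stage_of(event: dict) -> Optional[str]:
    """Map one telemetry record to the Socelars stage it resembles, if any."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if event["event"] == "registry_read" and event["target"].lower() == MACHINE_GUID_KEY.lower():
        return "recon"
    if (event["event"] == "file_read"
            and COOKIE_STORE_RE.search(event["target"])
            and image not in BROWSER_IMAGES):
        return "cookie_theft"
    if event["event"] == "network_connect":
        return "network"
    return None


def correlate(events: list) -> dict:
    """Return {pid: {stages seen}} for processes that read a cookie store.

    Events are expected in chronological order. An outbound connection is
    counted as 'exfiltration' only when the same process has already read a
    cookie store, so ordinary network traffic on its own never fires.
    """
    stages = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage is None:
            continue
        pid = ev["pid"]
        if stage == "network":
            if "cookie_theft" in stages[pid]:
                stages[pid].add("exfiltration")
        else:
            stages[pid].add(stage)
    return {pid: seen for pid, seen in stages.items() if "cookie_theft" in seen}


# Constructed sample telemetry: a fake "PDF reader" installer walking through all
# three stages, a real Chrome process touching its own cookies, and svchost
# reading the Machine GUID (recon-like but harmless on its own).
FAKE_READER = r"C:\Users\ann\AppData\Local\Temp\PDFReaderSetup.exe"
CHROME_COOKIES = r"C:\Users\ann\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
FIREFOX_COOKIES = r"C:\Users\ann\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9.default-release\cookies.sqlite"

SAMPLE_EVENTS = [
    {"pid": 4120, "image": FAKE_READER, "event": "registry_read", "target": MACHINE_GUID_KEY},
    {"pid": 4120, "image": FAKE_READER, "event": "file_read", "target": CHROME_COOKIES},
    {"pid": 4120, "image": FAKE_READER, "event": "file_read", "target": FIREFOX_COOKIES},
    {"pid": 4120, "image": FAKE_READER, "event": "network_connect", "target": "203.0.113.10:443"},
    {"pid": 7788, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "event": "file_read", "target": CHROME_COOKIES},
    {"pid": 7788, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "event": "network_connect", "target": "198.51.100.7:443"},
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "event": "registry_read", "target": MACHINE_GUID_KEY},
]

if __name__ == "__main__":
    for pid, seen in correlate(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(sorted(seen))}")
```

Only the fake installer (pid 4120) is reported, with all three stages; the browser is allow-listed for its own cookie store, and the svchost registry read never reaches a finding because it is not paired with a cookie-store access. In production the allow-list should be by signed image path rather than file name, since an installer can call itself chrome.exe.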
Industries at Highest Risk
Organizations heavily reliant on digital advertising and e-commerce face the greatest exposure.
Marketing and advertising-driven companies that use Facebook Ads Manager are primary targets, as compromised accounts provide direct access to their advertising budgets.
Digital agencies managing multiple client ad accounts are particularly vulnerable, since a single infected workstation can compromise numerous customer accounts simultaneously.

Small and medium enterprises also face elevated risk due to lighter security controls and less comprehensive employee training programs.
Organizations can defend against Socelars by using multiple security layers, including ANY.RUN malware analysis to safely analyze suspicious files and detect malicious behavior early.
Deploy hardware-based authentication tokens such as YubiKey or other FIDO security keys, which resist the phishing-proxy methods used to capture session cookies.
Implement conditional access policies allowing logins only from trusted, enrolled devices. Configure browsers to regularly delete persistent cookies and minimize cookie validity periods.
Train employees to identify phishing attempts and avoid downloading software from untrusted sources. Keep all web browsers up to date and use threat intelligence feeds to identify and block known Socelars infrastructure.
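The recommendation to have browsers delete persistent cookies can be enforced and audited through the browsers' enterprise policies. Below is an added audit helper, not part of the article or of ANY.RUN's guidance, that checks two documented policy sets: Firefox's `SanitizeOnShutdown` (from `policies.json` in the Firefox `distribution` folder) and Chrome's `ClearBrowsingDataOnExitList` and `DefaultCookiesSetting` (registry values under `HKLM\SOFTWARE\Policies\Google\Chrome`). The policy data is passed in as plain Python values so the checks run offline; the sample documents are constructed, and reading the live file and registry on a host is left to the caller.

```python
"""Audit Firefox and Chrome enterprise policies that limit cookie persistence.

Added example, not from the article or ANY.RUN. Policy names are the
documented Mozilla/Google enterprise policies; sample inputs are constructed.
"""
import json


def audit_firefox(policies_json: str) -> list:
    """Return gaps found in a Firefox policies.json document (empty = OK)."""
    try:
        policies = json.loads(policies_json).get("policies", {})
    except (ValueError, AttributeError):
        return ["Firefox: policies.json is missing or not valid JSON"]
    sanitize = policies.get("SanitizeOnShutdown")
    # The policy accepts either a bare true (clear everything on shutdown)
    # or an object selecting categories, of which "Cookies" is the one we need.
    clears_cookies = sanitize is True or (
        isinstance(sanitize, dict) and sanitize.get("Cookies") is True
    )
    return [] if clears_cookies else ["Firefox: SanitizeOnShutdown does not clear cookies"]


def audit_chrome(policy_values: dict) -> list:
    """Return gaps in Chrome policy values, given as {name: value} as read from
    HKLM\\SOFTWARE\\Policies\\Google\\Chrome. ClearBrowsingDataOnExitList is a
    list policy (registry subkey with values "1", "2", ...); pass it as a list."""
    gaps = []
    on_exit = policy_values.get("ClearBrowsingDataOnExitList", [])
    if "cookies_and_other_site_data" not in on_exit:
        gaps.append("Chrome: cookies are not cleared on exit (ClearBrowsingDataOnExitList)")
    # DefaultCookiesSetting: 1 = allow, 2 = block, 4 = keep for the session only.
    if policy_values.get("DefaultCookiesSetting") != 4:
        gaps.append("Chrome: persistent cookies allowed (DefaultCookiesSetting != 4)")
    return gaps


# Constructed samples: a hardened pair and an unconfigured pair.
HARDENED_FIREFOX = json.dumps(
    {"policies": {"SanitizeOnShutdown": {"Cookies": True, "Sessions": True}}}
)
HARDENED_CHROME = {
    "ClearBrowsingDataOnExitList": ["cookies_and_other_site_data"],
    "DefaultCookiesSetting": 4,
}
DEFAULT_FIREFOX = json.dumps({"policies": {}})
DEFAULT_CHROME = {}


def run_audit(firefox_policies_json: str, chrome_policy_values: dict) -> list:
    """Combine both audits into one list of findings."""
    return audit_firefox(firefox_policies_json) + audit_chrome(chrome_policy_values)


if __name__ == "__main__":
    for label, ff, ch in (("hardened", HARDENED_FIREFOX, HARDENED_CHROME),
                          ("default", DEFAULT_FIREFOX, DEFAULT_CHROME)):
        findings = run_audit(ff, ch)
        print(f"{label}: {'no gaps' if not findings else '; '.join(findings)}")
```

Clearing cookies at exit and keeping them session-only shortens how long a stolen cookie stays valid and removes the stores from disk between sessions, but an infostealer that runs while the browser is open can still read the live database, which is why the article's stronger controls (hardware-backed authentication and device-bound conditional access) matter more than cookie hygiene alone.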