Security researchers are tracking Socelars, an information-stealing Trojan aimed at Windows users that focuses on quietly harvesting browser-based access rather than damaging files.
The malware is designed to collect authenticated session data and other system identifiers that can let attackers reuse a victim’s existing “logged-in” state to reach online services.
Public reporting has linked Socelars to theft connected to Facebook Ads Manager, where stolen sessions can be turned into direct financial abuse through ad account takeover.
According to ANY.RUN, researchers have also described Socelars stealing session cookies from Facebook and Amazon, which can be enough to hijack accounts without needing the password itself.
In earlier campaigns, Socelars was distributed through a fake PDF reader/editor lure (often described as “PDFreader”), a common social-engineering trick that makes malware look like a normal workplace tool.
Once executed, the fake installer can create a “pdfreader2019” folder and then proceed with data theft in the background, leaving few obvious signs for the user.
To steal access, the Trojan has been reported to pull cookie data from browsers like Chrome and Firefox by reading browser cookie storage (such as the Cookies SQLite database).

That information can then be used to connect to Facebook URLs and extract items tied to advertising operations, including account IDs and access tokens that support further access through platform APIs.
Recent sandbox reporting describes Socelars starting with system checks and reconnaissance, then attempting privilege escalation through a User Account Control (UAC) bypass that abuses COM auto-elevation (the ICMLuaUtil interface exposed by cmlua.dll).

In the same observed activity, the malware created a mutex named “patatoes” and contacted the iplogger[.]org service, after which samples were seen terminating intentionally (appearing as a crash).
For businesses, the practical risk is that stolen ad-session access can be abused to launch fraudulent campaigns, drain budgets, or resell compromised accounts, while stolen billing and payment details can deepen the financial impact.

Reports on the data sought by Socelars include advertising email addresses, session cookies, access tokens, page/account details, spending limits, and even credit-card or PayPal-linked information, which attackers can monetize quickly.
Defenders can reduce exposure by blocking suspicious “PDF reader” download sources, avoiding untrusted installers, and tightening browser and endpoint controls that detect unusual access to cookie databases.
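The following triage script is an added example, not code from the original report or from any vendor named in it. It takes the observable behaviours the article describes (the fake PDFreader installer creating a "pdfreader2019" folder, a non-browser process opening Chrome or Firefox cookie databases, the "patatoes" mutex, and contact with iplogger[.]org) and runs simple matching over a few constructed telemetry lines. The log format, field order and process names are assumptions made for the example; a real deployment would map the same checks onto the schema of whatever endpoint sensor is in use.

```python
"""Added example: scan constructed endpoint telemetry for the Socelars
behaviours described in public reporting. Log format, field names and
process names are assumptions for this example, not a product schema."""

import re
from collections import Counter

# Constructed sample telemetry (not real logs). One event per line:
# timestamp event_type process target
SAMPLE_EVENTS = """\
2024-01-01T10:00:01 FileCreate pdfreader.exe C:\\Users\\alice\\AppData\\Local\\pdfreader2019\\
2024-01-01T10:00:05 FileOpen pdfreader.exe C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies
2024-01-01T10:00:06 FileOpen chrome.exe C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies
2024-01-01T10:00:07 FileOpen pdfreader.exe C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc.default\\cookies.sqlite
2024-01-01T10:00:09 MutexCreate pdfreader.exe patatoes
2024-01-01T10:00:12 NetConnect pdfreader.exe iplogger.org:443
2024-01-01T10:01:00 NetConnect firefox.exe www.example.com:443
"""

# Browsers legitimately read their own cookie stores; anything else doing so is suspicious.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Indicators taken from the reporting quoted in the article.
COOKIE_DB_RE = re.compile(r"(\\Cookies$|\\cookies\.sqlite$)", re.IGNORECASE)
DROP_DIR_RE = re.compile(r"\\pdfreader2019\\", re.IGNORECASE)
KNOWN_MUTEXES = {"patatoes"}
KNOWN_DOMAINS = {"iplogger.org"}


def parse_event(line):
    """Split one assumed-format telemetry line into its four fields."""
    ts, etype, proc, target = line.split(" ", 3)
    return {"ts": ts, "type": etype, "process": proc, "target": target}


def detect(event):
    """Return the list of indicator labels matched by a single event."""
    findings = []
    proc = event["process"].lower()
    target = event["target"]
    if event["type"] == "FileCreate" and DROP_DIR_RE.search(target):
        findings.append("socelars_drop_dir")
    if (event["type"] == "FileOpen" and COOKIE_DB_RE.search(target)
            and proc not in BROWSER_PROCESSES):
        findings.append("nonbrowser_cookie_db_access")
    if event["type"] == "MutexCreate" and target.lower() in KNOWN_MUTEXES:
        findings.append("socelars_mutex")
    if event["type"] == "NetConnect":
        host = target.rsplit(":", 1)[0].lower()
        if host in KNOWN_DOMAINS:
            findings.append("iplogger_contact")
    return findings


def triage(log_text):
    """Aggregate indicator counts per process across a telemetry dump."""
    per_process = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for label in detect(ev):
            per_process.setdefault(ev["process"], Counter())[label] += 1
    return per_process


def score(per_process, threshold=2):
    """Flag processes showing at least `threshold` distinct indicators.
    One cookie read alone is weak evidence; several behaviours together are strong."""
    return {p: sorted(c) for p, c in per_process.items() if len(c) >= threshold}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for proc, counter in hits.items():
        print(proc, dict(counter))
    print("flagged:", score(hits))
```

The point of the `score` step is that the individual indicators are noisy on their own (backup agents and sync clients also touch browser profile folders), so the script only escalates a process that combines several of the behaviours the article lists, which is how an analyst would read the sandbox chain rather than any one event.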