07 February 2024

Unveiling Ov3r_Stealer: The Deceptive Cyber Threat Hidden Within Fake Job Ads

The digital world is a dynamic ecosystem, constantly evolving with new technologies and innovations. However, this evolution also brings forth new challenges, particularly in the realm of cybersecurity. In recent times, a concerning trend has emerged, where threat actors leverage deceptive tactics, such as fake job advertisements on social media platforms like Facebook, to distribute malware and steal sensitive information. One such malware variant that has garnered attention is Ov3r_Stealer. In this comprehensive blog post, we delve deep into the workings of Ov3r_Stealer, dissecting its attack chain, exploring its connections with similar malware strains, and discussing the implications for cybersecurity.


The Rise of Ov3r_Stealer:

Ov3r_Stealer represents a sophisticated breed of malware designed to infiltrate Windows systems and exfiltrate sensitive data, including credentials and cryptocurrency wallets. The modus operandi of this malware involves exploiting unsuspecting individuals through fake job advertisements disseminated on social media platforms. By masquerading as legitimate employment opportunities, threat actors lure victims into clicking on malicious links or downloading infected files, thus initiating the infiltration process.


Understanding the Attack Chain:

The attack orchestrated by Ov3r_Stealer follows a meticulous sequence of steps, each designed to evade detection and maximize the success rate. It typically commences with the distribution of a weaponized PDF file, strategically embedded within fake Facebook accounts impersonating reputable individuals or organizations. Upon interaction with the PDF file, users are prompted to click on a seemingly innocuous link, which leads to the download of an internet shortcut (.URL) file. This file, disguised as a legitimate document hosted on Discord's content delivery network (CDN), acts as the gateway for further infiltration. Subsequently, a control panel item (.CPL) file is executed, facilitating the deployment of a PowerShell loader responsible for launching Ov3r_Stealer onto the victim's system.


Connections with Phemedrone Stealer:

An intriguing aspect of Ov3r_Stealer lies in its striking similarities with another malware variant known as Phemedrone Stealer. Both malware strains share commonalities in terms of the utilization of the same GitHub repository and potential code-level overlaps. This observation raises questions regarding the potential evolution or repurposing of existing malware by threat actors to suit their malicious objectives. The parallels between Ov3r_Stealer and Phemedrone Stealer underscore the dynamic nature of cyber threats and the adaptability of cybercriminals in their pursuit of illicit gains.


The Tactics of Threat Actors:

Behind the scenes of Ov3r_Stealer lies a sophisticated network of threat actors orchestrating malicious campaigns with precision and cunning. These actors employ various tactics to propagate their malware, including the strategic dissemination of fake job advertisements on social media platforms. By leveraging the credibility of reputable individuals or organizations, such as Amazon CEO Andy Jassy, threat actors enhance the legitimacy of their schemes, thereby increasing the likelihood of victim engagement. Furthermore, the active promotion of Ov3r_Stealer on underground forums and Telegram channels serves to bolster the reputation of the threat actor within the cybercriminal community, establishing them as a formidable player in the realm of malware distribution.


Implications for Cybersecurity:

The emergence of Ov3r_Stealer and its ilk underscores the critical importance of robust cybersecurity measures and proactive threat intelligence. Organizations and individuals must remain vigilant against social engineering tactics and implement comprehensive security protocols to mitigate the risk of falling victim to such malicious campaigns. Moreover, collaboration and information sharing within the cybersecurity community are paramount in identifying and mitigating emerging threats effectively. By fostering a culture of cybersecurity awareness and resilience, we can collectively safeguard against the ever-evolving landscape of cyber threats and protect our digital assets from exploitation.

Examples and Evidences:

Example 1: Fake Job Advertisements on Social Media Platforms

  • Example: In December 2023, cybersecurity researchers identified multiple instances of fake job advertisements circulating on Facebook, impersonating well-known companies like Amazon and Google.
  • Evidence: Trustwave SpiderLabs reported encountering fake job ads for digital advertising positions on Facebook, purportedly posted by an account impersonating Amazon CEO Andy Jassy. These ads served as the initial lure to entice unsuspecting users into clicking on malicious links or downloading infected files.

Example 2: Weaponized PDF Files and Malicious Links

  • Example: Users received unsolicited messages containing weaponized PDF files, urging them to click on embedded links to access job-related documents or applications.
  • Evidence: Security analysts analyzed the contents of the weaponized PDF files distributed through fake Facebook accounts and identified embedded links leading to internet shortcut (.URL) files hosted on Discord's content delivery network (CDN). These URLs were disguised as legitimate documents, deceiving users into initiating the download process.

Example 3: Execution of Malicious Control Panel Items

  • Example: Upon clicking on the malicious URL, users inadvertently executed control panel items (.CPL files) disguised as legitimate documents, thereby initiating the deployment of the Ov3r_Stealer malware onto their systems.
  • Evidence: Analysis of the attack chain revealed that the execution of the control panel items facilitated the retrieval and execution of a PowerShell loader responsible for launching Ov3r_Stealer. This intricate sequence of events demonstrated the deliberate attempt by threat actors to obfuscate their malicious activities and evade detection.

Example 4: Connections with Phemedrone Stealer

  • Example: Researchers observed significant similarities between Ov3r_Stealer and another malware variant known as Phemedrone Stealer, suggesting a potential relationship or evolution of existing threats.
  • Evidence: Both Ov3r_Stealer and Phemedrone Stealer shared commonalities in terms of the GitHub repositories used, as well as potential code-level overlaps. This evidence indicated that Ov3r_Stealer may have been repurposed or evolved from Phemedrone Stealer, highlighting the dynamic nature of cyber threats and the adaptability of threat actors.

Example 5: Active Promotion on Underground Forums

  • Example: Threat actors actively promoted Ov3r_Stealer on underground forums and Telegram channels, boasting about its effectiveness and discussing its capabilities with other cybercriminals.
  • Evidence: Monitoring of underground forums and Telegram channels revealed discussions among threat actors regarding the distribution and promotion of Ov3r_Stealer. Some threat actors expressed satisfaction with the malware's performance, while others discussed strategies for enhancing its evasion techniques and potential future updates.



In the face of the escalating threat landscape, the unveiling of Ov3r_Stealer and its propagation through deceptive job advertisements serves as a stark reminder of the ever-present dangers lurking in the digital realm. As digiALERT, it is imperative that we remain vigilant and proactive in our efforts to combat such insidious cyber threats.

The emergence of Ov3r_Stealer underscores the need for heightened cybersecurity awareness and robust defense mechanisms. By dissecting the attack chain and understanding the tactics employed by threat actors, we can better equip ourselves to detect and mitigate the risks posed by this malware variant.

As evidenced by the use of fake job ads, weaponized PDF files, and clandestine promotion channels, cybercriminals continue to evolve their tactics to exploit vulnerabilities and infiltrate digital ecosystems. It is incumbent upon us to stay abreast of these developments and adapt our security protocols accordingly.

Moreover, the parallels between Ov3r_Stealer and similar malware strains highlight the interconnected nature of cyber threats. By fostering collaboration within the cybersecurity community and sharing threat intelligence, we can enhance our collective resilience against emerging threats.

As we navigate the complex landscape of cyber warfare, digiALERT remains committed to safeguarding our clients' digital assets and protecting them from harm. Through proactive threat monitoring, robust defense mechanisms, and continuous education, we stand poised to confront the challenges posed by Ov3r_Stealer and other malicious entities.

Together, let us remain vigilant, agile, and united in our efforts to defend against the deceptive cyber threats hidden within fake job ads and beyond. With a steadfast commitment to cybersecurity excellence, we can mitigate risks, safeguard our digital infrastructure, and uphold the integrity of the digital ecosystem.

Read 155 times


digiALERT is a rapidly growing new-age premium cyber security services firm. We are also the trusted cyber security partner for more than 500+ enterprises across the globe. We are headquartered in India, with offices in Santa Clara, Sacremento , Colombo , Kathmandu, etc. We firmly believe as a company, you focus on your core area, while we focus on our core area which is to take care of your cyber security needs.