
Since late August 2025, cybercriminals have been running a malicious campaign that spreads the StealC v2 infostealer through Facebook messages, according to Kaspersky’s Global Research and Analysis Team (GReAT).
More than 400 incidents have been confirmed across multiple African countries — including Kenya, Angola, Ethiopia, Niger, Uganda, and Zambia.
Victims are tricked into clicking on a link disguised as a notification claiming their Facebook account has been blocked.
Once clicked, the link redirects users to a fake support page urging them to appeal the alleged account suspension. The so-called “Appeal” button then delivers a malicious script that installs StealC v2 on the victim’s device.
The malware, sold under a Malware-as-a-Service model, can steal passwords, cookies, and cryptocurrency wallet data, and can even take screenshots.
“Cybercriminals often exploit users’ fear of losing account access and a perceived sense of urgency. This pressure can lead individuals to act without caution, increasing the risk of infection by malware such as StealC v2,” said Marc Rivero, lead security researcher at Kaspersky’s GReAT.
StealC was first seen on dark web forums in 2023 and quickly gained traction among cybercriminals for its ease of use and powerful capabilities.
The 2025 variant, StealC v2, introduces enhanced features that pose a greater risk to both individuals and businesses.
Kaspersky urges users to remain cautious when interacting with links and to carefully verify unsolicited messages, even if they appear to come from trusted platforms. The company also advises against sharing two-factor authentication codes and recommends using advanced protection tools like Kaspersky Next for corporate environments or Kaspersky Premium for individuals.