Skip to content

Novel S1deload malware is taking over Facebook and YouTube accounts

  • by
  • 2 min read

A novel malware dubbed S1deload is targeting Facebook and YouTube users by hacking their accounts and using the victim’s PC’s resources to mine cryptocurrency. The malware uses DLL side-loading bypass security software on the target PC and was discovered by Bitdefender researchers. 

The main goal is to take over the victim’s Facebook, and YouTube accounts to rent access and raise view counts and likes for any posts or videos shared on these platforms. The campaign has been active since at least July 2022 and targeted nearly 600 users until December 2022. A majority of the targets are located in Canada, Bangladesh, France, Mexico, Peru, Romania and Turkey.

According to Bitdefender, upon infection, the malware steals user credentials and emulates human behaviour to “artificially boost videos and other content engagement”. Additionally, it also assesses the hacked accounts’ value by identifying any corporate social media admins, distributing malicious links spreading the malware further to the account’s followers and mining the affected PC for the BEAM cryptocurrency. 

Infections start by luring unsuspecting users with adult content on Facebook posts that contain links to ZIP archives. Upon extraction, these archives trigger an infection sequence that eventually deploys the malware. Using this method the operators can create a feedback loop meaning the more PCs they infect, the more they can spam on Facebook generating even more links to spread the infection further. 

The malware can also download additional modules on the compromised system and launches a headless Chrome window that uses an extension to artificially inflate YouTube videos’ view counts. It then captures saved credentials and cookies from the default web browser, checks the Facebook account, if any and finally loads up the BEAM cryptojacker to mine crypto without the user’s knowledge. 

While the threat actors behind the campaign are unknown at the moment, Bitdefender’s analysis reveals that the malware infrastructure is similar to a website called The site offers services to buy YouTube views, likes and subscribers as well as boost Facebook posts for likes, comments, followers and video views.

In the News: iPhone 15 leaks show a larger Dynamic Island and bigger screens

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: