ClickCease Python Snake Info Stealer Spreading Via Facebook Messages

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Python Snake Info Stealer Spreading Via Facebook Messages

Wajahat Raja

March 21, 2024 - TuxCare expert team

As per recent reports, threat actors are increasingly leveraging Facebook messages to distribute the Python Snake Info Stealer malware. Researchers have noticed that threat actors are using three variants of the information stealer. It’s worth mentioning here that two of these installers are regular Python scripts, whereas the third is an executable that is assembled using the PyInstaller. 

In this article, we’ll dive into all the details of the Python Snake Info Stealer attacks, learning how the attack is initiated and what safety measures can be adopted. 

Let’s begin!


Origins of the Python Snake Info Stealer

Details about the
information stealing malware first appeared on the social media platform X, formerly known as Twitter, in August 2023. The details provide valuable information on how the Python Snake info stealer operates and are essential to preventing data breaches and cyber attacks via social media platforms

Python Snake Malware Distribution 

As per recent reports, the
Python Snake info stealer attacks are carried out in multiple stages. To initiate the attacks, threat actors send target users “.RAR” or “.ZIP” files using Facebook messages. The infection sequence begins once the user downloads and opens these files. 

It’s worth mentioning here that the files mentioned above contain two downloaders: a batch script and a cmd script. The cmd script is used for downloading the Python Snake info stealer from a threat actor controlled GitLab repository onto the user’s system. Researchers at Cybereason, who first warned of the attacks, have stated that: 

“The archived file contains a BAT script which is the first downloader initiating the infection chain. The BAT script attempts to download a ZIP file via the cURL command, placing the downloaded file under the directory C:\Users\Public as The BAT script proceeds to spawn another PowerShell command Expand-Archive to extract the CMD script vn.cmd from the ZIP file and proceeds with its infection.”

Malicious Python Scripts and The Information Stealing Malware 

Reports have mentioned that the
“vn.cmd” script is the primary script responsible for downloading the Python Snake info stealer. The script launches the Google Chrome browser, opens up the homepage of, and then proceeds to download the remaining three files from GitLab as follows: 

  1. WindowsSecure.bat – used for maintaining persistence on the targeted device by launching and executing
  2. – contains Python packages and aids in launching, allowing threat actors to avoid the need to have such packages installed on the user’s device.
  3. – the Python script responsible for stealing credentials from different browsers.

The script essentially aims to target seven web browsers, which include: 

  • Brave
  • Coc Coc Browser
  • Chromium
  • Google Chrome Browser
  • Microsoft Edge
  • Mozilla Firefox
  • Opera Web Browser

It uses the “main []” function to dump relevant information from the browser onto the disk. In addition to collecting cookies and credentials, information stealing malware also dumps cookie information that’s specific to Facebook, titled “cookiefb.txt.” This allows the threat actors to hack the victim’s Facebook account and expand their attack surface.


Python Snake Attack Severity 

As far as the severity of the attacks is concerned, it’s worth mentioning here that all three variants do not need
Python packages to be installed on the victims’ devices for them to execute their malicious intent. 

However, where variant one targets seven web browsers, variants two and three are known to target the following: 

  • Coc Coc Browser
  • Google Chrome Browser
  • Microsoft Edge
  • Facebook Cookies

As of now, researchers have attributed the campaign to those threat actors of Vietnamese origin. Their basis for such claims lies within comments in the scripts, naming conversations, and the presence of the Coc Coc Browser.

These attacks serve as a stark reminder pertaining to the dangers of the ever-evolving cyber threat landscape and dictate that proactive measures for preventing data breaches must be adopted to safeguard organizational and personal networks. 


Python Snake info stealer malware is being distributed through Facebook messages containing files that, if downloaded, execute malicious Python scripts. The malware targets different web browsers and aims to steal credentials. Its severity serves as a stark reminder of why implementing robust cybersecurity measures is paramount in the digital age! 

The sources for this piece include articles in The Hacker News and TechRadar Pro.


Python Snake Info Stealer Spreading Via Facebook Messages
Article Name
Python Snake Info Stealer Spreading Via Facebook Messages
Facebook messages are being used to spread the Python Snake info stealer. Learn more about the attacks and protect your systems.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter