New Facebook Scam Targets AI Tool Seekers with Malware-Infested Photo Editors
August 2, 2024
A new Facebook malvertising campaign is targeting users seeking AI image editing tools, tricking them into downloading a fake AI photo editor that installs malware.
The deceptive page mimics legitimate sites, leading victims to download the ITarian endpoint management software, which ultimately installs the Lumma stealer malware.
Lumma stealer is designed to target sensitive information, including user credentials, system details, and browser data.
The campaign has resulted in approximately 16,000 downloads on Windows and 1,200 on macOS, with the macOS version redirecting users to the Apple website.
Once attackers steal credentials, they hijack the accounts, rename them to relate to AI photo editors, and publish malicious posts that they promote through paid ads.
Attackers exploit paid Facebook promotions to attract user engagement, which facilitates malware delivery.
Trend Micro uncovered this campaign, which employs tactics such as phishing, social engineering, and the misuse of legitimate software.
Phishing messages are sent to Facebook page owners, often appearing to come from empty profiles with randomly generated usernames, directing them to fake account protection pages.
Organizations are urged to educate employees on recognizing phishing attacks and verifying the legitimacy of links requesting personal information.
To enhance security, users are advised to enable multi-factor authentication on their social media accounts.
Organizations should implement detection and response mechanisms to mitigate threats and educate employees about social media risks and suspicious messages.
Summary based on 2 sources
Sources

BleepingComputer • Aug 2, 2024
Fake AI editor ads on Facebook push password-stealing malware
Dark Reading • Aug 1, 2024
Attackers Hijack Facebook Pages, Promote Malicious AI Photo Editor