
Cybercriminals Exploit Adult Sites to Spread Clickjack Trojan via Facebook Likes

Discover how cybercriminals are using adult sites and a clickjack Trojan to trick users into liking Facebook posts, increasing the visibility of malicious content.


TL;DR

  • Cybercriminals are using adult sites to trick users into downloading a Trojan that silently likes Facebook posts, boosting their visibility.
  • The Trojan, hidden in SVG image files, exploits the trust users have in image files to deliver malicious JavaScript.
  • To protect against such threats, users are advised to use real-time malware protection and consider VPNs for secure browsing.

Introduction

As age verification for accessing adult websites becomes more widespread globally, malicious adult sites have launched a timely malware campaign to promote their links. This article explores how these sites trick users into liking Facebook posts using a clickjack Trojan, the mechanics of the attack, and how users can protect themselves.

The Rise of Malicious Adult Sites

With the increasing use of age verification to access adult content, shady websites have turned to malware-fueled campaigns to drive traffic. During routine monitoring on Facebook, security researchers noticed unusual activity in posts linking to adult sites. Many of these sites were hosted on blogspot[.]com and interlinked with similar sites.

Example of a Malicious Site

Example of blogspot page

These sites often promise explicit pictures of celebrities, which are likely generated by AI. While this is not uncommon, what stood out was the high number of likes on some Facebook posts promoting these sites. Typically, users do not publicly "Like" such content because of visibility concerns.

201 likes and loves

A high number of likes increases the visibility of these posts, effectively providing free advertising for the malicious sites. This led researchers to investigate how these posts were garnering so many likes.

The Clickjack Trojan Mechanism

Downloading the Trojan

When users click through links on these adult sites, some are prompted to download an SVG image file. SVG files are generally trusted as image files, but SVG is an XML-based format that can also carry HTML and JavaScript code, which makes it a vector for malware.

The code in the SVG file

The downloaded SVG file is heavily obfuscated, but it clearly contains malicious code. It downloads and executes another malicious JavaScript file from a domain blocked by Malwarebytes.

Malwarebytes blocks flan.hammerstein[.]de

Obfuscation Techniques

The malware uses a hybrid form of JSFuck obfuscation, which encodes JavaScript using only six characters: [ ] ( ) ! +. This method, combined with String.fromCharCode elements, makes it difficult to unravel the malicious intent.
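A defender can triage downloaded SVG files for the traits described in the two sections above (script inside an "image", JSFuck-style symbol runs, String.fromCharCode). The following is an added example, not code from the original research; the function names, indicator labels, run-length threshold and sample files are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic (assumed threshold): 24+ consecutive JSFuck symbols, whitespace ignored.
JSFUCK_RUN = re.compile(r"[\[\]()!+]{24,}")
SCRIPT_URLS = ("javascript:", "data:text/html")

def local(name):
    """Strip the XML namespace and lowercase: '{ns}foreignObject' -> 'foreignobject'."""
    return name.rsplit("}", 1)[-1].lower()

def triage_svg(data: bytes) -> set:
    """Return the active-content indicators found in the raw bytes of an SVG file."""
    if b"<!ENTITY" in data.upper():
        return {"entity-declaration"}  # refuse to parse: entity-expansion risk
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return {"malformed-xml"}
    found = set()
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            found.add("script-element")
            body = "".join(el.itertext())
            if JSFUCK_RUN.search(re.sub(r"\s+", "", body)):
                found.add("jsfuck-like-run")
            if "fromCharCode" in body:
                found.add("fromcharcode")
        elif tag in ("foreignobject", "iframe", "embed", "object"):
            found.add("embedded-html")
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.startswith("on"):
                found.add("event-handler")
            if name in ("href", "src") and value.strip().lower().startswith(SCRIPT_URLS):
                found.add("script-url")
    return found

# Constructed samples: the script body is inert and only builds the strings "fl" and "hi".
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
SUSPECT = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
<script><![CDATA[
var a = (![]+[])[+[]]+(![]+[])[!+[]+!+[]];
var b = String.fromCharCode(104, 105);
]]></script></svg>"""

if __name__ == "__main__":
    print(sorted(triage_svg(BENIGN)), sorted(triage_svg(SUSPECT)))
```

The indicators are triage signals rather than verdicts, since legitimate interactive SVGs also contain script elements. The entity check assumes an ASCII-compatible file encoding.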

Execution of the Trojan

When the SVG file is opened, it launches an empty Edge tab titled “Process Monitor.” This happens because SVG files on Windows are opened by Edge, regardless of the user’s default browser.

Process Monitor tab

The Trojan, detected as Trojan.JS.Likejack, silently clicks the ‘Like’ button on Facebook posts without the user’s knowledge or consent. This only works if the user is logged into Facebook, which many users are, since they stay signed in for easy access.

Extent of the Campaign

Upon discovering the mechanism, researchers found a vast number of blogspot[.]com pages involved in this campaign.

Part of a list of blogspot pages involved in this campaign

Conclusion

As governments impose age verification on adult sites, users are driven towards sites that disregard regulations, even deploying Trojans to attract visitors. To protect against such threats, users should consider using real-time malware protection and VPNs for secure browsing.

For comprehensive protection, consider using Malwarebytes to block domains associated with this campaign.



For more details, visit the full article: source



This post is licensed under CC BY 4.0 by the author.