Since late August 2025, cybersecurity experts at Kaspersky’s Global Research and Analysis Team (GReAT) have uncovered a troubling new wave of credential theft sweeping across parts of Africa.
Dubbed StealC v2, this insidious infostealer is being deployed through Facebook phishing messages, triggering alarm and action from individual and enterprise users across the continent.
Attackers send Facebook messages masquerading as official notifications, warning users that their account has been “blocked due to suspicious activity.”
On clicking the embedded link, victims are taken to realistic-looking but fake Facebook support pages, where an “Appeal” button triggers a malicious script that silently installs StealC v2.
Once active, the malware harvests passwords, cookies, screenshots, and even cryptocurrency wallet data.
This campaign is not isolated: more than 400 incidents have already been documented, with confirmed cases across Kenya, Angola, Ethiopia, Niger, Uganda, Zambia, and beyond.
While its predecessor surfaced in dark web forums in 2023, StealC v2, which emerged in March 2025, represents a marked leap in capability and sophistication. The new version adds:
Encrypted, JSON-based C2 communications using RC4 for stealthy, obfuscated data exchange.
Advanced payload delivery options, enabling silent installation of MSI packages and execution of PowerShell scripts in addition to traditional EXE files.
A refined control panel, offering threat actors the ability to tailor loader behaviour based on geolocation, hardware IDs, installed software, and more.
Expanded data harvesting, including multi-monitor screenshots and unified file grabbing across wallets, messaging apps, email clients, VPNs, browsers, and even server-side credential brute-forcing.
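The silent MSI installs and PowerShell execution listed above are visible on the endpoint as process-creation events, which is where a defender can catch them. The following is an added example, not Kaspersky's code and not a StealC-specific signature: a small triage routine over constructed sample events (the field names, paths, user name and MSI file name are invented for the demo) that flags a quiet msiexec install whose package sits in a user-writable folder, and a PowerShell launch that combines two or more dropper-style options such as a hidden window and an encoded command.

```python
import re

# Constructed sample process-creation events for this example. The field names
# (image, cmdline, parent, user) are an illustrative, vendor-neutral shape, not any
# product's real schema; the paths, user name and MSI file name are made up.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\amina\AppData\Local\Temp\appeal_form.msi /qn",
     "parent": r"C:\Windows\System32\cmd.exe", "user": "amina"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Windows\ccmcache\a1\office-update.msi /qn",
     "parent": r"C:\Windows\CCM\CcmExec.exe", "user": "SYSTEM"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand BASE64_PLACEHOLDER",
     "parent": r"C:\Windows\System32\cmd.exe", "user": "amina"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1",
     "parent": r"C:\Windows\explorer.exe", "user": "amina"},
]

# msiexec quiet/silent switches: /q, /qn, /qb, /quiet (case-insensitive, whole token)
QUIET_SWITCH = re.compile(r"(?i)(?<!\S)/q(?:n|b|r|f|uiet)?(?!\S)")
# Package located somewhere an ordinary user, or a script running in their session, can write
USER_WRITABLE = re.compile(
    r"(?i)\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)|Temp|Public)\\")
# PowerShell launch options that, in combination, are typical of script droppers
PS_SIGNALS = {
    "hidden window": re.compile(r"(?i)(?<!\S)-(?:w|win|windowstyle)\s+hidden"),
    "encoded command": re.compile(r"(?i)(?<!\S)-(?:e|ec|enc|encodedcommand)\s+\S+"),
    "no profile": re.compile(r"(?i)(?<!\S)-(?:nop|noprofile)(?!\S)"),
    "execution policy bypass": re.compile(r"(?i)(?<!\S)-(?:ep|executionpolicy)\s+bypass"),
}


def triage(events):
    """Return one finding per event; an empty 'reasons' list means the event was not flagged."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        cmd = ev["cmdline"]
        reasons = []
        if image.endswith("\\msiexec.exe"):
            # A silent install is normal for managed deployments from system paths;
            # the combination with a user-writable package path is what stands out.
            if QUIET_SWITCH.search(cmd) and USER_WRITABLE.search(cmd):
                reasons.append("silent MSI install from a user-writable path")
        elif image.endswith("\\powershell.exe") or image.endswith("\\pwsh.exe"):
            hits = [name for name, rx in PS_SIGNALS.items() if rx.search(cmd)]
            if len(hits) >= 2:  # assumption: two or more signals together merit an alert
                reasons.append("PowerShell launched with " + ", ".join(hits))
        findings.append({"user": ev["user"], "parent": ev["parent"],
                         "cmdline": cmd, "reasons": reasons})
    return findings


def alerts(events):
    """Only the flagged events, in input order."""
    return [f for f in triage(events) if f["reasons"]]


if __name__ == "__main__":
    for f in alerts(SAMPLE_EVENTS):
        print(f"ALERT user={f['user']} parent={f['parent']}")
        print(f"  {f['cmdline']}")
        print(f"  -> {'; '.join(f['reasons'])}")
```

Run against the sample set, the SCCM-style install from a system path and the plain script run by Explorer pass, while the Temp-folder quiet install and the hidden, encoded PowerShell launch are reported. The thresholds are deliberately conservative; in a real environment the rules would be tuned against the organisation's own software-deployment baseline.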
This latest campaign underscores a broader trend: infostealers are proliferating rapidly in Africa and beyond.
A Kaspersky report estimates that 21 million systems may have been infected with infostealers in 2024, and that nearly 1 in every 14 of those infections resulted in a bank card leak. StealC itself has grown significantly in prevalence among malware families.
The threat is especially acute in Africa.
Kaspersky’s data from GITEX Africa revealed a 14% uptick in spyware attacks on businesses and a 26% spike in password-stealer detections, with Kenya, South Africa, Uganda, and others among the most targeted nations.
Marc Rivero, lead researcher at Kaspersky GReAT, warns that attackers deliberately exploit fear and urgency to push users into making hasty, costly mistakes. He urges users to stop and verify before clicking any link.
Kaspersky’s recommendations:
Inspect links carefully: check for typos, wrong domains, or anything that looks slightly off. Cybercriminals often rely on well-disguised fakes.
Beware of urgency or threats. Phishing campaigns thrive on psychological pressure.
Verify unsolicited messages, even if they appear to come from legitimate entities. Crucially, never share 2FA codes.
Adopt broad cybersecurity hygiene: keep software updated, enable two-factor authentication, follow secure password practices, and back up data sensibly.
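The phishing chain described earlier (a fake "account blocked" notice leading to a look-alike support page) and the first recommendation above, to inspect links for wrong domains, both come down to the same question: does this URL really belong to the brand it claims? The following is an added example, not Kaspersky's or Facebook's code, that checks a link for the usual disguises: a non-HTTPS scheme, a brand name tucked into a subdomain of someone else's domain, a username-before-@ trick, punycode labels, and one- or two-character typosquats. The allow-list of Facebook-owned domains and the naive "last two labels" rule for the registrable domain are assumptions made for the demo; the non-Facebook hosts in the sample links are invented.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list for this example: registrable domains treated as Facebook-owned.
# A real deployment would maintain its own list and use a public-suffix library.
LEGIT_DOMAINS = {"facebook.com", "fb.com", "messenger.com"}
BRAND_WORDS = ("facebook", "messenger")


def _levenshtein(a, b):
    """Edit distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable(host):
    # Naive "last two labels" rule, an assumption for the demo (it mishandles suffixes such as co.ke).
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(url):
    """Return the reasons a link looks suspicious; an empty list means nothing was flagged."""
    reasons = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        reasons.append(f"scheme is '{parts.scheme or 'missing'}', not https")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        reasons.append("no host in URL")
        return reasons
    if parts.username is not None:
        # https://facebook.com@evil.example/ is served by evil.example, not facebook.com
        reasons.append("userinfo before '@' hides the real host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode label (possible look-alike characters)")
    reg = _registrable(host)
    if reg in LEGIT_DOMAINS:
        return reasons  # brand-owned domain: only the generic findings above apply
    if any(w in host for w in BRAND_WORDS):
        # e.g. facebook.com.account-appeal.xyz: the brand is a subdomain of a stranger's domain
        reasons.append(f"brand name in host, but the registrable domain is '{reg}'")
    # Typosquat check on each hyphen-separated piece of the second-level label
    for piece in reg.split(".")[0].split("-"):
        for w in BRAND_WORDS:
            d = _levenshtein(piece, w)
            if 0 < d <= 2:
                reasons.append(f"'{piece}' is {d} edit(s) away from '{w}' (typosquat?)")
    return reasons


if __name__ == "__main__":
    # Constructed sample links; the non-Facebook hosts are invented for this demo
    for u in ("https://www.facebook.com/help/",
              "http://facebook.com.account-appeal.xyz/appeal",
              "https://faceb00k-support.com/appeal",
              "https://facebook.com@evil.example/appeal"):
        print(u, "->", check_link(u) or "no findings")
```

The check is a triage aid rather than a verdict: a link that passes can still be malicious (for instance a compromised legitimate site), and the real defence remains the one the recommendations give, which is to go to the service directly instead of through the link in the message.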