Trojan:Win32/Socelars is a deceptive trojan family frequently distributed via aggressive social engineering campaigns on major social networks (like Facebook and Twitter) to harvest credentials and distribute secondary payloads.
Understanding Socelars
To the end-user, Socelars is often the result of clicking a sensationalized news article or a 'shocking video' link posted by a compromised friend's account. For security analysts, Socelars represents a highly effective, low-technical-barrier threat. It relies entirely on manipulating human curiosity rather than exploiting software vulnerabilities, bypassing many perimeter defenses by tricking the user into willingly executing the malware.
Execution and Evasion Strategies
The infection chain begins on social media. The user clicks a malicious link and is redirected to a fake landing page (e.g., a fake YouTube player). To 'view the video,' the user is prompted to download a 'codec' or 'Flash update'. When the user executes this file (the Socelars dropper), it immediately drops a credential stealer or adware payload into the %AppData% directory. It establishes persistence via Registry Run keys. Crucially, Socelars often steals the user's active social media session tokens (cookies) to immediately post the same malicious links from the victim's account, propagating the worm-like campaign.
Indicators of Compromise & Impact
The primary impact is credential theft, compromised social media accounts, and the installation of secondary adware/botnet payloads. Incident responders should monitor for anomalous HTTP traffic to newly registered domains associated with the fake video pages. EDR tools will flag the execution of the fake 'codec' installer from the user's Downloads folder.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1204.001 | User Execution: Malicious Link | Execution |
T1204.002 | User Execution: Malicious File | Execution |
T1555 | Credentials from Password Stores | Credential Access |
T1534 | Internal Spearphishing | Lateral Movement |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_SOCELARS {
meta:
description = "Detects Socelars (infostealer)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "socelars" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Socelars Activity
id: da4de5ba31c3db3506a64ffc660c6682
status: experimental
description: Detects generic indicators of the socelars malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*socelars*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/socelars.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.