Socelars

Category: infostealer · Aliases: None known · Sample count (EMBER 2018): 159 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Trojan:Win32/Socelars is a deceptive trojan family frequently distributed via aggressive social engineering campaigns on major social networks (like Facebook and Twitter) to harvest credentials and distribute secondary payloads.

Understanding Socelars
To the end-user, Socelars is often the result of clicking a sensationalized news article or a 'shocking video' link posted by a compromised friend's account. For security analysts, Socelars represents a highly effective, low-technical-barrier threat. It relies entirely on manipulating human curiosity rather than exploiting software vulnerabilities, bypassing many perimeter defenses by tricking the user into willingly executing the malware.

Execution and Evasion Strategies
The infection chain begins on social media. The user clicks a malicious link and is redirected to a fake landing page (e.g., a fake YouTube player). To 'view the video,' the user is prompted to download a 'codec' or 'Flash update'. When the user executes this file (the Socelars dropper), it immediately drops a credential stealer or adware payload into the %AppData% directory. It establishes persistence via Registry Run keys. Crucially, Socelars often steals the user's active social media session tokens (cookies) to immediately post the same malicious links from the victim's account, propagating the worm-like campaign.

Indicators of Compromise & Impact
The primary impact is credential theft, compromised social media accounts, and the installation of secondary adware/botnet payloads. Incident responders should monitor for anomalous HTTP traffic to newly registered domains associated with the fake video pages. EDR tools will flag the execution of the fake 'codec' installer from the user's Downloads folder.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1204.001User Execution: Malicious LinkExecution
T1204.002User Execution: Malicious FileExecution
T1555Credentials from Password StoresCredential Access
T1534Internal SpearphishingLateral Movement
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderPersistence

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_SOCELARS {
    meta:
        description = "Detects Socelars (infostealer)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "socelars" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Socelars Activity
id: da4de5ba31c3db3506a64ffc660c6682
status: experimental
description: Detects generic indicators of the socelars malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*socelars*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Isolate the endpoint to prevent the downloading of secondary payloads and the active exfiltration of browser cookies.
  2. Force a global password reset for the user's corporate accounts and advise them to immediately reset all personal social media passwords.
  3. Instruct the user to log into their social media accounts from a clean device and revoke any unauthorized third-party application authorizations.
  4. Perform a full EDR sweep to locate the initial Socelars dropper and any secondary adware or stealers it managed to install.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not assume the endpoint is secure just because the initial fake 'codec' file was deleted; secondary payloads are likely already active.
  2. Avoid ignoring the social engineering aspect; use the incident as an opportunity to reinforce corporate security awareness training.

References & External Analysis

Related Families (Category: infostealer)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/socelars.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.