4 May 2023

Cyber spies target military personnel in South Asia, Meta warns


Cyber spies target military personnel in South Asia, Meta warns

Facebook parent Meta said it disrupted three separate cyber-espionage campaigns linked to the Bahamut APT, the Patchwork APT and an unnamed Pakistan-based threat actor, as well as six adversarial groups from various global regions engaged in what it calls “inauthentic behavior” on Facebook and other social networks.

The Pakistan-linked cyber-espionage operation used 120 accounts on Facebook and Instagram (now removed) that targeted people in India and Pakistan, including military personnel in India and among the Pakistan Air Force. The campaign relied on a network of malicious websites serving Android or Windows malware, as well as social engineering and fake personas to lure victims.

“This group has been known in the security industry as a prolific user of GravityRAT, a low-sophistication malware family capable of gathering sensitive user data,” Meta said in its quarterly adversarial threat report.

The company has also taken down about 110 accounts on Facebook and Instagram linked to the India-based Bahamut APT. The campaign targeted people in Pakistan and India, including military personnel, government employees, and activists.

Bahamut used fake personas and bogus or spoofed websites to trick people into sharing sensitive information or installing malware on their devices. This group primarily used Android malware.

Meta also removed about 50 accounts on Facebook and Instagram linked to another India-based threat actor, Patchwork APT. The group targeted people in Pakistan, India, Bangladesh, Sri Lanka, the Tibet region, and China, including military personnel, activists, and minority groups.

As in the cases above, Patchwork relied on social engineering to trick targets into clicking on malicious links and downloading malicious Android apps.

In addition, the company disrupted six adversarial networks from the US, Venezuela, Iran, China, Georgia, Burkina Faso, and Togo that engaged in “coordinated inauthentic behavior” using fraudulent news media brands, hacktivist groups, and NGOs to build credibility.

In a separate report Meta’s security team warned that hackers are increasingly spoofing ChatGPT websites and apps to trick users into downloading malware.

Meta said that since March 2023 it has discovered 10 malware families taking advantage of ChatGPT’s popularity, including malware families like NodeStealer and DuckTail.

NodeStealer is a relatively new Windows malware that steals cookies and saved usernames and passwords from browsers in order to compromise Facebook, Gmail, and Outlook accounts. It is custom-written in JavaScript and bundles the Node.js runtime. Meta says the malware appears to be of Vietnamese origin and to be distributed by threat actors from Vietnam.

In its recent campaigns, DuckTail has been observed abusing a number of platforms to host its malware, including the file-sharing services Dropbox, Google Drive, Mega, MediaFire, Discord, Atlassian’s Trello, Microsoft OneDrive, and iCloud. Its ultimate goal is to compromise businesses with access to ad accounts across the internet, Meta said.
