From Facebook Ad to Near Breach: The Power of Threat Hunting in Modern MDR
A Trustwave client was attacked after an employee clicked a malicious advertisement and downloaded the SYSO1 malware. Although the MDR service detected suspicious behavior, the security team took no action. The ACTH service then identified the threat and persuaded the client to act, successfully stopping the attack. This case highlights the importance of a defense-in-depth strategy and the complementary value of MDR and ACTH services. 2025-5-9 12:58:0 Author: www.trustwave.com


While security professionals know well that a defense-in-depth strategy is crucial to proper cybersecurity, sometimes a detailed story of how a threat was discovered and eradicated can bring the value home, especially to the uninitiated. This is one such story.

In this case, the story relates to the value of employing a cybersecurity threat hunting service alongside a managed detection and response offering.

A Trustwave Managed Detection and Response service client suffered a breach when an attacker lured a user to download malware from a Facebook advertisement, a tactic known as malvertising. The malware at the root of the threat, SYSO1, was first identified in October 2022.

The malware has since morphed into various forms and is still used by threat actors in a number of Facebook ad campaigns. The campaigns attempt to lure users by advertising games, tools to upgrade the look of the Windows taskbar, MacOS desktop themes, and more.

As explained in a detailed report on the SYSO1 threat by Trustwave SpiderLabs, Facebook is an effective avenue because it has some 2.9 billion monthly active users and 200 million business accounts.

Many users access Facebook from their work computers, enabling the malware to steal legitimate corporate credentials. Those credentials may then be sold on the Dark Web and used by ransomware groups for financial gain or by nation-state actors to “cause disruption, harm or exfiltrate sensitive data,” the report says.

Managed Detection and Response, the First Line of Defense

So, an employee of the Trustwave client fell victim to the threat, and the malware was installed on their system. Eventually, the threat actor used the victim’s credentials to try to access a high-value asset within the company.

The Trustwave MDR service worked as intended and successfully flagged the attempt as suspicious. Trustwave contacted the client’s security team using the usual response authorization protocol.

Here’s where the story gets interesting. Perhaps because the malware was unknown at the time, the security team decided not to take any action. That’s not exactly unusual, given the number of threats any given company faces each day, but in this case, the results could’ve been devastating.

Advanced Threat Hunters on the Job

However, the client in question also used the Trustwave Advanced Continual Threat Hunting (ACTH) service. With ACTH, specialized security experts proactively look for indicators of suspicious behavior, the goal being to discover malicious activity and anomalous behavior and to neutralize threats before they cause damage.

The Trustwave ACTH team identified the malware in question as SYSO1. The team knew well the origins of the threat, how it was spread (via Facebook), and the potential damage it could do.

The ACTH team again contacted the client and, armed with this information, convinced them the threat was credible. In short order, the client’s security team took steps to neutralize the threat.

Defense in Depth

In the end, no damage was done, but the story highlights the importance of the defense-in-depth strategy. Had the company in question not been an ACTH client, there’s no telling how this story may have ended. Possibly splattered across all the major news sites.

Of course, it also highlights the value of the Trustwave MDR service, which did its job in identifying the threat, and the ACTH offering. These are indeed two complementary services with distinct value propositions.

MDR helps keep you safe on a day-to-day basis by culling through the thousands of alerts your various security tools generate, including endpoint detection and response (EDR) and a managed Security Information and Event Management (SIEM) service.

ACTH proactively searches your environment for threats, including the telltale indicators of behavior that threat actors leave behind as they attempt to infiltrate your network.

Both are valuable and, as this story shows, necessary for a comprehensive cybersecurity strategy.

Interested in a detailed analysis of SYSO1 and the Facebook threat? Check out our research:


Source: https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/from-facebook-ad-to-near-breach-the-power-of-threat-hunting-in-modern-mdr/