A new malware campaign discovered in August 2025 uses adult websites to spread a clickjack Trojan that secretly makes users "Like" Facebook posts without their knowledge[^1]. The scheme works by having users download what appears to be an SVG image file while browsing adult content sites, but the file contains malicious JavaScript code that executes a "LikeJack Trojan"[^1].

The campaign specifically targets users seeking adult content, taking advantage of increased restrictions around age verification on legitimate adult websites. When users click through links on these malicious sites, some visitors receive a downloaded SVG file that opens an empty Edge browser tab titled "Process Monitor"[^1].

The SVG file uses an obfuscation technique called "hybrid JSFuck" to hide its true purpose - downloading additional malicious code from crhammerstein[.]de that automatically clicks Facebook Like buttons on adult content posts. This artificially inflates the Like counts, helping the posts appear more prominently in Facebook feeds[^1].

Malwarebytes researchers found "a huge amount" of blogspot[.]com pages participating in this campaign. The criminals appear to be exploiting recent government age verification requirements that are pushing users away from legitimate adult sites toward shadier alternatives[^1].

[^1]: Malwarebytes - Adult sites trick users into Liking Facebook posts using a clickjack Trojan