Hackers Use Facebook Ads to Spread JSCEAL Malware via Fake Cryptocurrency Trading Apps


Jul 30, 2025 | Ravie Lakshmanan | Cryptocurrency / Browser Security


Cybersecurity researchers are calling attention to an ongoing campaign that distributes fake cryptocurrency trading apps to deploy a compiled V8 JavaScript (JSC) malware called JSCEAL, which can steal credentials and cryptocurrency wallet data.

The activity leverages thousands of malicious advertisements posted on Facebook in an attempt to redirect unsuspecting victims to counterfeit sites that instruct them to install the bogus apps, according to Check Point. These ads are shared either via stolen accounts or newly created ones.

"The actors separate the installer's functionality into different components and most notably move some functionality to the JavaScript files inside the infected websites," the company said in an analysis. "A modular, multi-layered infection flow enables the attackers to adapt new tactics and payloads at every stage of the operation."


It's worth noting that some aspects of the activity were previously documented by Microsoft in April 2025 and WithSecure as recently as this month, with the latter tracking it as WEEVILPROXY. According to the Finnish security vendor, the campaign has been active since March 2024.

The attack chains have been found to adopt novel anti-analysis mechanisms that rely on script-based fingerprinting, before delivering the final JSC payload.

"The threat actors implemented a unique mechanism that requires both the malicious site and the installer to run in parallel for successful execution, which significantly complicates analysis and detection efforts," the Israeli cybersecurity company noted.

Clicking on the link in the Facebook ads triggers a redirection chain that ultimately leads the victim to a fake landing page mimicking a legitimate service like TradingView, or to a harmless decoy website if the target's IP address is outside the desired range or the referrer is not Facebook.

The website also includes a JavaScript file that attempts to communicate with a localhost server on port 30303, in addition to hosting two other JavaScript scripts that are responsible for tracking the installation process and initiating POST requests that are handled by the components within the MSI installer.

For its part, the installer file downloaded from the site unpacks a number of DLL libraries and, at the same time, starts HTTP listeners on localhost:30303 to process incoming POST requests from the phony site. This interdependency also means that the infection chain cannot proceed if any one of these components fails.
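As an added defender-side example (not code from the Check Point analysis), the following Python correlates the two halves of the handshake described above: a remote page issuing requests to localhost:30303 and a local process listening on that port. The request-log format, the netstat-style lines, the hostnames and the PIDs are all constructed assumptions.

```python
from urllib.parse import urlsplit

SUSPECT_PORT = 30303  # loopback port named in the analysis above
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Constructed browser/proxy request records: "timestamp page_origin method url"
SAMPLE_LOG = [
    "2025-07-30T10:01:02Z https://trading-app.invalid POST http://localhost:30303/install",
    "2025-07-30T10:01:03Z https://trading-app.invalid GET https://trading-app.invalid/track.js",
    "2025-07-30T10:01:05Z https://news.invalid GET https://news.invalid/api/feed",
    "2025-07-30T10:01:06Z http://localhost:8080 POST http://127.0.0.1:30303/dev",  # local page, ignored
]
# Constructed 'netstat -ano' style output (hypothetical PIDs)
SAMPLE_NETSTAT = """\
  TCP    127.0.0.1:30303        0.0.0.0:0              LISTENING       4128
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
"""

def is_loopback(host):
    return host in LOOPBACK_HOSTS or host.startswith("127.")

def find_loopback_posts(log_lines, port=SUSPECT_PORT):
    """Requests that a non-local page sent to loopback:<port>, as (origin, method, url)."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed record
        _ts, origin, method, url = parts[:4]
        dst, src = urlsplit(url), urlsplit(origin)
        if (dst.hostname and is_loopback(dst.hostname) and dst.port == port
                and not is_loopback(src.hostname or "")):
            hits.append((origin, method, url))
    return hits

def listening_pids(netstat_text, port=SUSPECT_PORT):
    """PIDs holding a TCP LISTENING socket on <port>, parsed from netstat -ano lines."""
    pids = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if int(parts[1].rsplit(":", 1)[1]) == port:
                pids.add(int(parts[4]))
    return pids

def correlate(log_lines, netstat_text, port=SUSPECT_PORT):
    """Alert only when a remote page beacons to loopback:<port> AND a local process listens there."""
    posts, pids = find_loopback_posts(log_lines, port), listening_pids(netstat_text, port)
    if not (posts and pids):
        return []
    return [{"page": o, "method": m, "url": u, "listener_pids": sorted(pids)} for o, m, u in posts]
```

Requiring both signals before alerting mirrors the campaign's own dependency and keeps local development pages that talk to their own loopback services out of the results.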

"To ensure the victim does not suspect abnormal activity, the installer opens a webview using msedge_proxy.exe to direct the victim to the legitimate website of the application," Check Point said.

The DLL modules are designed to parse the POST requests from the website and gather system information and commence the fingerprinting process, after which the captured information is exfiltrated to the attacker in the form of a JSON file by means of a PowerShell backdoor.

If the victim host is deemed valuable, the infection chain moves to the final stage, leading to the execution of the JSCEAL malware by leveraging Node.js.


The malware, besides establishing connections with a remote server to receive further instructions, sets up a local proxy with the goal of intercepting the victim's web traffic and injecting malicious scripts into banking, cryptocurrency, and other sensitive websites to steal credentials in real time.

Other functions of JSCEAL include gathering system information, browser cookies, auto-fill passwords, Telegram account data, screenshots, keystrokes, as well as conducting adversary-in-the-middle (AitM) attacks and manipulating cryptocurrency wallets. It can also act as a remote access trojan.

"This sophisticated piece of malware is designed to gain absolute control of the victim machine, while being resilient against conventional security tools," Check Point said. "The combination of compiled code and heavy obfuscation, while displaying a wide variety of functionality, made analysis efforts challenging and time-consuming."

"Using JSC files allows attackers to simply and effectively conceal their code, helping it evade security mechanisms, and making it difficult to analyze."
