Fyself News
Hackers use Facebook ads to spread JSCEAL malware via fake cryptocurrency trading apps

July 30, 2025Ravi LakshmananCryptocurrency/Browser Security


Cybersecurity researchers are calling attention to an ongoing campaign that distributes fake cryptocurrency trading apps to deploy a compiled V8 JavaScript (JSC) malware called JSCEAL, which can capture data from credentials and wallets.

According to Check Point, the activity leverages thousands of malicious ads posted on Facebook to redirect unsuspecting victims to fake sites that instruct them to install the fake apps. These ads are shared through stolen or newly created accounts.

“Actors separate the installer functionality into different components and, most notably, move some functionality into JavaScript files within the infected website,” the company said in its analysis. “The modular, multi-layered infection flow allows attackers to adapt new tactics and payloads at every stage of the operation.”


It is worth noting that some aspects of the activity were previously documented by Microsoft in April 2025 and by WithSecure as recently as this month, with the latter tracking it as Weevilproxy. According to the Finnish security vendor, the campaign has been active since March 2024.

The attack chain has been found to employ novel anti-analysis mechanisms that rely on script-based fingerprinting before delivering the final JSC payload.

“Threat actors have implemented a unique mechanism that requires both malicious sites and installers to run in parallel for successful execution.”

Clicking on a Facebook ad link triggers a redirect chain that leads the victim to a fake landing page mimicking a legitimate service like TradingView, or to a decoy website if the target’s IP address is not within the desired range or the referrer is not Facebook.

The website includes a JavaScript file that attempts to communicate with a localhost server on port 30303. It also hosts two other JavaScript scripts that are responsible for tracking the installation process and initiating POST requests, which are handled by components within the MSI installer.

For its part, the installer file downloaded from the site unpacks a number of DLL libraries and simultaneously starts an HTTP listener on localhost:30303 to process incoming POST requests from the fake site. This interdependency means that if any of these components fails, the infection chain cannot progress further.

“To ensure that the victim does not suspect abnormal activity, the installer opens a WebView using msedge_proxy.exe and directs the victim to the legitimate website of the application,” Check Point said.

The DLL modules are designed to parse the POST requests from the website, gather system information, and start the fingerprinting process. The captured information is then exfiltrated to the attacker as a JSON file by means of a PowerShell backdoor.

If the victim’s host is considered valuable, the infection chain moves to the final stage, which leads to the execution of the JSCEAL malware by leveraging Node.js.
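A defender-side sketch of how the artifacts described above (a loopback HTTP listener on port 30303, msedge_proxy.exe opened during installation, and Node.js running a .jsc file) could be correlated in endpoint telemetry. This is an added example, not code from Check Point or the original article; the event fields, file paths, the msiexec.exe parent check and the 15-minute window are assumptions, and the sample events are constructed.

```python
import ntpath

WINDOW = 900  # seconds; correlation window (assumed value)
LOOPBACK = {"127.0.0.1", "::1"}
LISTEN = "loopback_listener_30303"

# Constructed sample telemetry; field names are illustrative, not a real schema.
EVENTS = [
    {"host": "ws-01", "t": 100, "type": "listen", "port": 30303, "addr": "127.0.0.1",
     "image": r"C:\Users\a\AppData\Local\Temp\setup_helper.exe"},
    {"host": "ws-01", "t": 130, "type": "proc", "cmd": "msedge_proxy.exe --app=https://example.invalid",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"host": "ws-01", "t": 400, "type": "proc", "cmd": "node.exe app.jsc",
     "image": r"C:\Users\a\AppData\Local\app\node.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    # Ethereum clients also use 30303, but bind it on all interfaces for P2P.
    {"host": "ws-02", "t": 50, "type": "listen", "port": 30303, "addr": "0.0.0.0",
     "image": r"C:\eth\geth.exe"},
    # A loopback listener with nothing corroborating it is not flagged.
    {"host": "ws-03", "t": 10, "type": "listen", "port": 30303, "addr": "127.0.0.1",
     "image": r"C:\dev\tool.exe"},
]

def indicator(ev):
    """Map one event to an indicator name, or None if it matches nothing."""
    name = ntpath.basename(ev["image"]).lower()
    if ev["type"] == "listen" and ev["port"] == 30303 and ev["addr"] in LOOPBACK:
        return LISTEN
    if ev["type"] == "proc" and name == "msedge_proxy.exe" \
            and ntpath.basename(ev["parent"]).lower() == "msiexec.exe":
        return "msedge_proxy_from_installer"
    if ev["type"] == "proc" and name == "node.exe" and ".jsc" in ev["cmd"].lower():
        return "node_runs_jsc"
    return None

def flag_hosts(events, window=WINDOW):
    """Flag hosts where the listener is followed by a corroborating indicator."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["t"]):
        tag = indicator(ev)
        if tag:
            by_host.setdefault(ev["host"], []).append((ev["t"], tag))
    flagged = {}
    for host, hits in by_host.items():
        starts = [t for t, tag in hits if tag == LISTEN]
        extra = {tag for t, tag in hits
                 if tag != LISTEN and any(0 <= t - s <= window for s in starts)}
        if starts and extra:
            flagged[host] = [LISTEN] + sorted(extra)
    return flagged
```

Requiring a second indicator keeps a single loopback listener, or an Ethereum node on the same port number, from raising an alert on its own.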


In addition to establishing a connection with a remote server to receive further instructions, the malware also sets up a local proxy with the aim of intercepting the victim’s web traffic and injecting malicious scripts into banking, cryptocurrency, and other sensitive websites to steal credentials in real time.

Other features of JSCEAL include collecting system information, browser cookies, auto-fill passwords, Telegram account data, screenshots, and keystrokes, as well as conducting adversary-in-the-middle (AitM) attacks and manipulating cryptocurrency wallets. It can also act as a remote access trojan.

“This sophisticated malware is designed to be resilient to traditional security tools, while still gaining absolute control over the victim machine,” Check Point said. “The combination of compiled code and heavy obfuscation took analytical effort and time while displaying a variety of features.”

“JSC files allow attackers to easily and effectively hide their code, bypass security mechanisms, and make analysis difficult.”

