JSCEAL Malware Spread via Facebook Ads and Fake Crypto Trading Apps

A new and sophisticated cyber campaign is exploiting Facebook ads to distribute fake cryptocurrency trading apps that secretly deploy JSCEAL, a powerful JavaScript-based malware designed to steal user credentials and digital wallet data.

A Multi-Layered Attack Strategy

Researchers at Check Point have uncovered that this campaign uses thousands of malicious Facebook ads, either from hijacked accounts or newly created ones, to lure users into downloading counterfeit trading apps.

These deceptive apps lead to websites where the malware is delivered through a modular and multi-layered infection flow. Some of the functionality is hidden inside JavaScript files embedded in the compromised websites, giving attackers the ability to update their payloads and tactics as needed throughout the attack chain.

Advanced Evasion Tactics

This threat campaign, active since March 2024, has been previously tracked by both Microsoft and WithSecure (who refer to it as WEEVILPROXY). The attackers employ script-based fingerprinting and require both the fake website and the installer to run simultaneously, making detection and analysis more difficult.

Clicking the malicious Facebook ads initiates a redirection sequence that ultimately leads to a spoofed landing page, mimicking trusted services like TradingView. If the user’s IP or referrer doesn’t meet the attack criteria, they are diverted to a benign decoy site instead.

Technical Details of the Malware Deployment

The malicious website hosts several JavaScript files that:

  • Communicate with a localhost server on port 30303
  • Track the installation process
  • Trigger POST requests processed by the installer’s DLL components

The MSI installer downloads a set of DLL libraries and sets up HTTP listeners to receive instructions. If any part of this interdependent system fails, the attack does not proceed—adding another layer of stealth.

To avoid suspicion, the installer opens a legitimate-looking interface using msedge_proxy.exe, showing what appears to be the real trading platform.

Once installed, the malware collects system data and begins the fingerprinting process, sending information back to the attackers via a PowerShell-based backdoor. If the infected device appears valuable, the final stage is activated: JSCEAL is executed using Node.js.

JSCEAL: Full Control Over the Victim’s System

JSCEAL is more than spyware—it gives attackers complete control of the infected machine. Its capabilities include:

  • Acting as a local proxy to intercept and manipulate web traffic
  • Injecting malicious scripts into banking and crypto sites to steal data in real-time
  • Harvesting browser cookies, autofill credentials, Telegram session data, and keystrokes
  • Taking screenshots and conducting Adversary-in-the-Middle (AitM) attacks
  • Manipulating cryptocurrency wallets
  • Functioning as a remote access trojan (RAT)

According to Check Point, this malware is engineered for resilience and stealth, using compiled JavaScript code (JSC) and heavy obfuscation to evade traditional security defenses and complicate forensic analysis.


What This Means for Organizations and Individuals

  • Social media platforms are now being weaponized as vectors for malware distribution.
  • Modular infections and JavaScript payloads present new challenges for endpoint detection and response.
  • Vigilance is critical: always verify software sources, especially when prompted by ads or unsolicited messages.

Conclusion:
The use of advanced evasion techniques and fake crypto tools highlights a growing trend where cybercriminals combine social engineering with technical sophistication. Businesses and users alike must stay informed, cautious, and invest in robust cybersecurity defenses.

Source: https://thehackernews.com/2025/07/hackers-use-facebook-ads-to-spread.html