Crypto Trap: Facebook Ads Fuel Malware Through Bogus Crypto Apps

The420.in Staff

Cybersecurity researchers have warned of an active campaign distributing fake cryptocurrency trading applications laced with a powerful malware strain named JSCEAL. The campaign relies on thousands of malicious ads placed on Facebook, redirecting users to fraudulent sites disguised as platforms like TradingView.

Check Point Research, which analysed the campaign, said the operation uses stolen or freshly created accounts to share these ads. Victims are guided to counterfeit websites where they are urged to download applications that trigger a complex, multi-stage infection process. The goal: steal credentials, system information, and digital assets from unsuspecting users.


Malware Chain Hides in JavaScript and Runs via Localhost Communication

JSCEAL, a compiled V8 JavaScript malware, is deployed through a layered strategy that separates installer components and hides parts of the logic in JavaScript hosted on fake websites. The infection begins when a victim clicks on a Facebook ad, leading to a redirection loop that ends on a fake landing page. The page includes scripts that communicate with a localhost server at port 30303 and interact with the installer’s components via POST requests.

The installer, disguised as a legitimate app using Microsoft Edge’s proxy, unpacks multiple DLL libraries and opens a webview showing the actual application website to avoid raising suspicion. It also sets up HTTP listeners to communicate with the malicious website and collect system fingerprints. If the communication fails at any point, the attack stops; because neither the installer nor the web-hosted scripts carry the full logic on their own, a sample analysed in isolation never completes the chain, which makes detection and analysis more difficult.
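The localhost hand-off described above (browser-side scripts on the landing page POSTing to a server the installer opens on port 30303) is a pattern a defender can look for in endpoint telemetry. The following is an added example, not code from the article or from Check Point: it parses a constructed, simplified EDR-style export (the line format, process names and timestamps are all assumptions made up for the example) and flags a browser POSTing to loopback on port 30303 while a non-browser process holds a listener on that same port. Requiring both halves keeps a developer's local web server from firing the rule on its own.

```python
import re
from dataclasses import dataclass

# Port named in the Check Point write-up: the fake landing page's scripts
# POST to a server the installer component opens on localhost:30303.
SUSPECT_PORT = 30303
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Assumed list of browser image names; extend for your estate.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


@dataclass(frozen=True)
class NetEvent:
    kind: str      # "LISTEN" (process bound a local port) or "HTTP" (request it made)
    process: str   # image name, lower-cased
    method: str    # HTTP method for HTTP events, "" for LISTEN
    host: str      # destination host for HTTP events, "" for LISTEN
    port: int      # bound port for LISTEN, destination port for HTTP


# Constructed, simplified export format (not any real product's schema):
#   <ts> LISTEN proc=<image> port=<n>
#   <ts> HTTP proc=<image> method=<M> host=<h> port=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>LISTEN|HTTP) proc=(?P<proc>\S+)"
    r"(?: method=(?P<method>[A-Z]+) host=(?P<host>\S+))? port=(?P<port>\d+)$"
)

# Constructed sample telemetry. "installer_update.exe" is an invented name
# standing in for the unpacked installer component; it is not an IoC.
SAMPLE_LOG = [
    "2025-07-30T10:01:02Z LISTEN proc=msedge.exe port=50123",
    "2025-07-30T10:01:05Z LISTEN proc=installer_update.exe port=30303",
    "2025-07-30T10:01:07Z HTTP proc=chrome.exe method=GET host=trading.example port=443",
    "2025-07-30T10:01:09Z HTTP proc=chrome.exe method=POST host=127.0.0.1 port=30303",
    "2025-07-30T10:01:11Z HTTP proc=chrome.exe method=POST host=127.0.0.1 port=30303",
    # A non-browser process talking to the port is not the pattern we want.
    "2025-07-30T10:02:00Z HTTP proc=devtool.exe method=POST host=127.0.0.1 port=30303",
    "this line is malformed and must be skipped",
]


def parse_line(line: str):
    """Parse one export line into a NetEvent, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return NetEvent(
        kind=m["kind"],
        process=m["proc"].lower(),
        method=m["method"] or "",
        host=m["host"] or "",
        port=int(m["port"]),
    )


def parse_log(lines):
    """Parse every well-formed line; malformed lines are dropped rather than raising."""
    return [e for e in (parse_line(line) for line in lines) if e is not None]


def find_localhost_handoff(events):
    """Return sorted (browser, listener) pairs where a browser POSTed to loopback
    on SUSPECT_PORT and a non-browser process had a listener bound to that port."""
    listeners = sorted(
        e.process for e in events
        if e.kind == "LISTEN" and e.port == SUSPECT_PORT and e.process not in BROWSERS
    )
    if not listeners:
        return []
    posting_browsers = sorted({
        e.process for e in events
        if e.kind == "HTTP" and e.method == "POST" and e.host in LOOPBACK
        and e.port == SUSPECT_PORT and e.process in BROWSERS
    })
    return [(b, l) for b in posting_browsers for l in listeners]


if __name__ == "__main__":
    for browser, listener in find_localhost_handoff(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {browser} POSTed to loopback:{SUSPECT_PORT}; "
              f"non-browser listener on that port: {listener}")
```

In a real deployment the two event kinds would come from separate sources (network-connection and bind events), so a short correlation window around the POST is more useful than scanning a whole export; the pairing logic stays the same.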


Captured data, including cookies, auto-fill passwords, system info, keystrokes, and Telegram account data, is sent back via a PowerShell backdoor in JSON format. If the machine is deemed valuable, the malware proceeds to launch the final payload using Node.js. JSCEAL then establishes a remote server connection, sets up a local proxy, and injects malicious scripts into sensitive sites to hijack credentials and manipulate crypto wallets.

Security experts note that the malware is engineered to evade traditional defences through obfuscation and modular design. Its use of compiled JavaScript makes reverse-engineering extremely challenging.
