Facebook Ads used to distribute fake crypto apps with JSCEAL malware

Security researchers have uncovered an active campaign using deceptive Facebook ads to distribute fake cryptocurrency trading applications. These bogus apps are designed to deploy a sophisticated malware known as JSCEAL, which steals sensitive data such as login credentials and cryptocurrency wallet information.
According to a report by Check Point, the attackers are leveraging thousands of malicious ads on Facebook to lure unsuspecting users to counterfeit websites. These websites then trick users into installing the malicious applications. The ads are being spread through both compromised and newly created Facebook accounts.
Check Point researchers highlighted the attackers’ strategy of dividing the installer’s functions into multiple components, with key functionalities moved to JavaScript files hosted on the infected websites. This modular, multi-layered approach allows the attackers to easily adapt their tactics and payloads at each stage of the operation.
It’s worth noting that Microsoft previously documented aspects of this campaign in April 2025, and WithSecure also reported on it earlier this month, tracking it as WEEVILPROXY. WithSecure has been tracking this campaign since March 2024.
Security researchers have observed that the attack chains employ innovative anti-analysis techniques, relying on script-based fingerprinting before delivering the final JSCEAL payload.
Check Point emphasized that the attackers have implemented a unique mechanism that requires both the malicious website and the installer to run concurrently for successful execution. This significantly complicates analysis and detection efforts.
When a user clicks on a link in one of the malicious Facebook ads, they are redirected through a chain of websites, eventually landing on a fake page that imitates a legitimate service like TradingView or a decoy website. This redirection only occurs if the target’s IP address falls within a specific range and the referrer is Facebook.
The fake website also hosts a JavaScript file that attempts to communicate with a localhost server on port 30303. Additionally, the website contains two other JavaScript scripts responsible for tracking the installation process and initiating POST requests, which are then processed by components within the MSI installer.
The installer file, which is downloaded from the fake website, unpacks several DLL libraries while simultaneously starting HTTP listeners on localhost port 30303. These listeners process incoming POST requests from the fake website. This interdependency means that the entire infection chain will fail if any of these components are not functioning correctly.
Check Point researchers explained that to prevent users from suspecting malicious activity, the installer opens a webview using “msedge_proxy.exe” to redirect the victim to the legitimate website of the application.
The DLL modules are designed to analyze the POST requests from the website, gather system information, and initiate the fingerprinting process. The captured information is then sent to the attacker as a JSON file via a PowerShell backdoor.
If the victim’s system is deemed valuable, the infection progresses to the final stage, which involves executing the JSCEAL malware using Node.js.
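The localhost coupling described above (a browser-side script posting to 127.0.0.1:30303, a listener started by the installer, an msedge_proxy.exe webview, and Node.js running a JSC file) gives defenders several host-level signals. The following is an added example, not code from the Check Point report: it scans constructed endpoint telemetry for those signals and ignores legitimate users of the port. The event schema, the choice of msiexec.exe as the installer host process, and the sample events are assumptions.

```python
# Added example (not from the Check Point report). Event format, field names and
# sample events are constructed; msiexec.exe as the MSI host is an assumption.
SUSPECT_PORT = 30303
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
INSTALLER_HOSTS = {"msiexec.exe"}


def score_events(events):
    """Return [(rule_name, event), ...] for events matching the chain's signals."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        proc = ev.get("process", "").lower()
        parent = ev.get("parent", "").lower()
        # Installer component binds the localhost port the fake site talks to.
        if kind == "listen" and ev.get("port") == SUSPECT_PORT:
            if proc in INSTALLER_HOSTS or parent in INSTALLER_HOSTS:
                findings.append(("installer_listens_30303", ev))
        # A browser (the page's JavaScript) posting to 127.0.0.1:30303.
        # Only browser-originated connects count: an Ethereum node such as geth
        # legitimately uses 30303, so process-to-process context matters.
        elif (kind == "connect" and ev.get("dst") == "127.0.0.1"
              and ev.get("dport") == SUSPECT_PORT and proc in BROWSERS):
            findings.append(("browser_posts_to_localhost_30303", ev))
        elif kind == "process_start":
            # Decoy webview opened by the installer to show the real site.
            if proc == "msedge_proxy.exe" and parent in INSTALLER_HOSTS:
                findings.append(("installer_spawns_msedge_proxy", ev))
            # Final stage: Node.js executing a compiled .jsc file.
            if proc == "node.exe" and any(
                    a.lower().endswith(".jsc") for a in ev.get("args", [])):
                findings.append(("node_executes_jsc", ev))
    return findings


# Constructed sample telemetry: four malicious signals plus one benign decoy.
SAMPLE_EVENTS = [
    {"type": "listen", "pid": 4120, "process": "msiexec.exe", "port": 30303},
    {"type": "connect", "pid": 2210, "process": "msedge.exe",
     "dst": "127.0.0.1", "dport": 30303, "method": "POST"},
    {"type": "process_start", "pid": 4300, "process": "msedge_proxy.exe",
     "parent": "msiexec.exe", "args": []},
    {"type": "process_start", "pid": 4400, "process": "node.exe",
     "parent": "powershell.exe", "args": ["node.exe", "C:\\Users\\Public\\app.jsc"]},
    {"type": "connect", "pid": 9000, "process": "geth.exe",  # benign: Ethereum p2p
     "dst": "127.0.0.1", "dport": 30303},
]

if __name__ == "__main__":
    for rule, ev in score_events(SAMPLE_EVENTS):
        print(f"{rule}: pid={ev['pid']} process={ev['process']}")
```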
In addition to establishing connections with a remote server to receive further instructions, the malware sets up a local proxy to intercept the victim’s web traffic. It then injects malicious scripts into banking, cryptocurrency, and other sensitive websites to steal credentials in real time.
JSCEAL’s other functions include collecting system information, browser cookies, auto-fill passwords, Telegram account data, screenshots, and keystrokes. It can also perform adversary-in-the-middle (AitM) attacks and manipulate cryptocurrency wallets, as well as function as a remote access trojan (RAT).
Check Point stated that this sophisticated malware is designed to gain complete control over the victim’s machine while resisting traditional security tools. The combination of compiled code, heavy obfuscation, and a wide range of functionalities made analysis both challenging and time-consuming.
The researchers emphasized that the use of JSC files allows attackers to easily and effectively conceal their code, helping it to evade security mechanisms and making it difficult to analyze.