Ethical Hacking News
Researchers have discovered a malicious campaign using Facebook ads to spread the JSCEAL malware, which can capture sensitive data from cryptocurrency wallets and banking websites. The attack chain employs novel anti-analysis mechanisms, including script-based fingerprinting, making it challenging for security tools to detect and analyze the malware.
Thousands of malicious Facebook ads were posted to spread JSCEAL compiled V8 JavaScript (JSC) malware. The attackers used a modular, multi-layered infection flow to adapt new tactics and payloads. The campaign has been active since March 2024 and was previously documented by Microsoft and WithSecure in April 2025. The attack chains utilize novel anti-analysis mechanisms, including script-based fingerprinting. The malware can capture sensitive data from cryptocurrency wallets and banking websites. The malware can act as a remote access trojan and gain absolute control over the victim machine. The malware uses JSC files to conceal its code, making it difficult for security mechanisms to detect and analyze.
Malicious actors have been using Facebook ads to spread malware, specifically the JSCEAL compiled V8 JavaScript (JSC) malware, which can capture sensitive data from cryptocurrency wallets and banking websites. According to cybersecurity researchers at Check Point, thousands of malicious advertisements were posted on Facebook in an attempt to redirect unsuspecting victims to counterfeit sites that instruct them to install bogus apps.
The attackers employed a modular, multi-layered infection flow that lets them swap in new tactics and payloads at every stage of the operation. This approach makes it challenging for security tools to detect and analyze the malware. The campaign has been active since March 2024 and was previously documented by Microsoft and WithSecure in April 2025.
The attack chains utilize novel anti-analysis mechanisms, including script-based fingerprinting, which complicates analysis and detection efforts. Clicking on the link in the Facebook ads triggers a redirection chain that ultimately leads the victim to a fake landing page mimicking a legitimate service like TradingView or a decoy website. The website hosts two JavaScript scripts that are responsible for tracking the installation process and initiating POST requests.
The installer file downloaded from the site unpacks several DLL libraries while simultaneously starting HTTP listeners on localhost:30303 to process incoming POST requests from the phony site. This interdependency means that the infection chain fails if any of these components fails. To ensure the victim does not suspect abnormal activity, the installer opens a webview using msedge_proxy.exe to direct the victim to the legitimate website of the application.
The DLL modules are designed to parse the POST requests from the website and gather system information, as well as conduct adversary-in-the-middle (AitM) attacks and manipulate cryptocurrency wallets. The malware can also act as a remote access trojan and is designed to gain absolute control over the victim machine while being resilient against conventional security tools.
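From a detection standpoint, the chain described above leaves a distinctive combination on the endpoint: a non-browser process holding a loopback listener on port 30303, a msedge_proxy.exe webview launched by that process, and the browser posting to that listener. The following is an added example written for this page, not code from Check Point's report or the article; the telemetry schema, the image names and the sample events are constructed assumptions.

```python
import json

SUSPECT_PORT = 30303                                    # loopback listener port named in the article
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed browser image names

# Constructed sample telemetry (JSON lines), not real data. A fake installer
# listens on 127.0.0.1:30303, launches msedge_proxy.exe, and the browser POSTs
# to the listener. A benign service on 0.0.0.0:30303 (an Ethereum node's default
# P2P port is also 30303) is included to show that a listener alone is not flagged.
SAMPLE_TELEMETRY = """
{"type":"process","pid":4100,"image":"TradingView-Setup.exe","ppid":900,"parent_image":"explorer.exe"}
{"type":"listen","pid":4100,"image":"TradingView-Setup.exe","laddr":"127.0.0.1","lport":30303}
{"type":"process","pid":4200,"image":"msedge_proxy.exe","ppid":4100,"parent_image":"TradingView-Setup.exe"}
{"type":"http","pid":3000,"image":"chrome.exe","method":"POST","host":"localhost","port":30303,"path":"/"}
{"type":"http","pid":3000,"image":"chrome.exe","method":"GET","host":"example.com","port":443,"path":"/"}
{"type":"listen","pid":5000,"image":"geth.exe","laddr":"0.0.0.0","lport":30303}
"""

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def correlate(events):
    """Flag processes that own a loopback listener on SUSPECT_PORT and show at
    least one further behaviour from the described chain. Returns a list of
    {"pid", "image", "indicators"} sorted by pid."""
    listeners = {}            # pid -> (image, indicator list)
    spawned_webview = set()   # pids that launched msedge_proxy.exe
    browser_posted = False
    for ev in events:
        t = ev["type"]
        if t == "listen" and ev["laddr"] == "127.0.0.1" and ev["lport"] == SUSPECT_PORT:
            listeners[ev["pid"]] = (ev["image"], ["loopback listener on %d" % SUSPECT_PORT])
        elif (t == "process" and ev["image"].lower() == "msedge_proxy.exe"
              and ev["parent_image"].lower() not in BROWSERS):
            spawned_webview.add(ev["ppid"])      # webview launched by a non-browser parent
        elif (t == "http" and ev["method"] == "POST" and ev["port"] == SUSPECT_PORT
              and ev["host"] in ("localhost", "127.0.0.1") and ev["image"].lower() in BROWSERS):
            browser_posted = True                # page script talking to the local listener
    alerts = []
    for pid, (image, indicators) in sorted(listeners.items()):
        if pid in spawned_webview:
            indicators.append("spawned msedge_proxy.exe webview")
        if browser_posted:
            indicators.append("browser POST to localhost:%d" % SUSPECT_PORT)
        if len(indicators) >= 2:                 # a listener by itself is too weak a signal
            alerts.append({"pid": pid, "image": image, "indicators": indicators})
    return alerts

if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_TELEMETRY)):
        print(a["pid"], a["image"], "; ".join(a["indicators"]))
```

The same correlation can be expressed as an EDR or SIEM rule over process-creation, socket-bind and proxy-log sources; the point is to require the listener plus at least one of the other two behaviours before alerting.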
This sophisticated piece of malware uses JSC files to conceal its code, making it difficult for security mechanisms to detect and analyze. Shipping compiled bytecode instead of readable JavaScript is a simple and effective way for the attackers to evade security measures, and it makes analysis by researchers considerably harder.
The JSCEAL malware sets up a local proxy with the goal of intercepting the victim's web traffic and injecting malicious scripts into banking, cryptocurrency, and other sensitive websites to steal their credentials in real-time. Other functions of JSCEAL include gathering system information, browser cookies, auto-fill passwords, Telegram account data, screenshots, keystrokes, as well as conducting adversary-in-the-middle (AitM) attacks and manipulating cryptocurrency wallets.
Related Information:
https://www.ethicalhackingnews.com/articles/Hackers-Leverage-Facebook-Ads-to-Spread-Malware-via-Fake-Cryptocurrency-Trading-Apps-ehn.shtml
https://thehackernews.com/2025/07/hackers-use-facebook-ads-to-spread.html
Published: Wed Jul 30 13:34:48 2025 by llama3.2 3B Q4_K_M