Check Point Research has uncovered a malicious campaign, dubbed ‘JSCEAL’, which has been actively targeting cryptocurrency app users since March 2024. The operation exploits malicious advertisements to distribute fake crypto trading apps and deploy advanced malware designed to steal sensitive financial data.
The JSCEAL campaign leverages malvertising primarily on social media platforms. The ads impersonate well-known cryptocurrency exchanges and financial services, tricking users into downloading fake applications via deceptive landing pages. From January to June 2025 alone, over 35,000 malicious ads were served within the European Union, generating an estimated 3.5 million impressions. Global impact is likely much higher, with potential exposure exceeding 10 million users, Check Point notes.
The attack begins when a user clicks on a malicious ad and is redirected through several domains to a counterfeit website offering an MSI installer. Once executed, the installer triggers profiling scripts using PowerShell to collect data on the victim's system, including software configurations and user information. The JSCEAL malware is then installed onto the device.
JSCEAL uses compiled JavaScript (JSC) files, leveraging Google’s V8 engine. The malware is executed using Node.js, which allows it to bypass many conventional endpoint security solutions.
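The two behaviours described above (an MSI installer launching PowerShell profiling, and Node.js executing compiled .jsc files) are visible in process-creation telemetry. The following is an added detection example, not code from the Check Point report; the event format, rule names and file paths are constructed for illustration.

```python
"""Added example (not from the Check Point write-up): flag the two process
behaviours the article describes, over constructed process-creation events.
Rule 1: msiexec.exe spawning powershell.exe (installer-triggered profiling).
Rule 2: node.exe launched with a compiled-JavaScript (.jsc) file argument."""
import shlex
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _args(command_line: str) -> list[str]:
    # POSIX mode would treat backslashes as escapes; keep Windows paths intact
    return shlex.split(command_line, posix=False)


def flag_event(ev: ProcessEvent) -> list[str]:
    """Return the names of the rules the event matches (empty list = benign)."""
    hits = []
    if _basename(ev.parent_image) == "msiexec.exe" and _basename(ev.image) == "powershell.exe":
        hits.append("msi_spawns_powershell")
    if _basename(ev.image) == "node.exe":
        for arg in _args(ev.command_line)[1:]:
            if PureWindowsPath(arg.strip('"')).suffix.lower() == ".jsc":
                hits.append("node_runs_compiled_jsc")
                break
    return hits


# Constructed sample events (hypothetical paths, not indicators from the report)
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -NoProfile -File "C:\\Users\\Public\\profile.ps1"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\nodejs\node.exe",
                 'node.exe "C:\\ProgramData\\app\\main.jsc"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\nodejs\node.exe",
                 "node.exe server.js --port 3000"),
]


def scan(events) -> dict[int, list[str]]:
    """Map event index to matched rules, omitting benign events."""
    return {i: hits for i, ev in enumerate(events) if (hits := flag_event(ev))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, hits)
```

The third sample event (a normal Node.js server start) produces no hit, which is the false-positive case such a rule must tolerate.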
JSCEAL’s modular structure also enables attackers to dynamically update payloads and tactics. Once installed, the malware focuses on harvesting cryptocurrency-related data, including wallet credentials, private keys, and authentication tokens, posing a significant threat to investors and exchanges alike.