
Cybersecurity researchers are drawing attention to an ongoing campaign that distributes fake cryptocurrency trading apps to deploy a compiled V8 JavaScript (JSC) malware called JSCEAL, which can capture data such as credentials and wallets.
The activity takes advantage of thousands of malicious advertisements posted on Facebook that redirect victims to pages instructing them to install the bogus apps, according to Check Point. The advertisements are shared through either stolen accounts or newly created ones.
"The actor separates the functionality of the installer into separate components and moves some of that functionality into JavaScript files inside specially infected websites," the company said in an analysis. "A modular, multi-level infection flow enables the attackers to adapt to new strategies and payloads at every stage of the operation."
It is worth noting that some aspects of the activity were previously documented by Microsoft in April 2025 and, as recently as this month, by a Finnish security vendor, with the latter tracking it as WeevilProxy. According to the Finnish vendor, the campaign has been active since March 2024.
The attack chain has been found to adopt novel anti-analysis mechanisms that rely on script-based fingerprinting before delivering the final JSC payload.
"The threat actors applied a unique mechanism that requires both the malicious site and the installer to run in parallel for successful execution, which greatly complicates analysis and detection efforts," the Israeli cybersecurity company said.
Clicking on the link in the Facebook advertisement leads to a redirect chain that eventually takes the victim to a fake landing page mimicking TradingView or another legitimate service, or to a decoy website if the target's IP address is not within the desired range or the referrer is not Facebook.
The website also includes a JavaScript file that attempts to communicate with a localhost server on port 30303, besides two other JavaScript scripts hosted on the site that are responsible for tracking the installation process and issuing POST requests handled by components within the MSI installer.
For its part, the installer file downloaded from the site unpacks several DLL libraries while simultaneously starting an HTTP listener on localhost:30303 to process the POST requests coming from the phony site. This design also means that if either of these components fails to run, the infection chain cannot move forward.
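The two-part loopback dependency described above (a listener opened by the installer and a browser-side script posting to it) is something a defender can correlate in endpoint telemetry. The following is an added example, not code from Check Point's report; the event schema is an assumed, simplified Sysmon-like layout and the sample events are constructed.

```python
# Added example (not from the report): pair a non-browser process opening a
# loopback listener on port 30303 with a browser connecting to that port soon
# after. Both halves must be present, mirroring the site+installer dependency.
from datetime import datetime, timedelta

LOOPBACK_PORT = 30303  # port named in the report
# Assumed browser image names; msedge_proxy.exe is included because the
# report says the installer directs the victim to run the app through it.
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "msedge_proxy.exe"}

SAMPLE_EVENTS = [  # constructed telemetry records, oldest first
    {"ts": "2025-07-20T10:00:05", "type": "listen", "image": "msiexec.exe",
     "pid": 4120, "laddr": "127.0.0.1", "lport": 30303},
    {"ts": "2025-07-20T10:00:09", "type": "connect", "image": "msedge.exe",
     "pid": 5331, "daddr": "127.0.0.1", "dport": 30303},
    {"ts": "2025-07-20T10:00:10", "type": "connect", "image": "msedge.exe",
     "pid": 5331, "daddr": "203.0.113.10", "dport": 443},
    # a listener with no browser partner: should NOT be flagged
    {"ts": "2025-07-20T11:30:00", "type": "listen", "image": "svchost.exe",
     "pid": 880, "laddr": "0.0.0.0", "lport": 30303},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def find_loopback_handshakes(events, window_s=300):
    """Return (listener_pid, browser_pid) pairs where a non-browser process
    listens on LOOPBACK_PORT and a browser connects to 127.0.0.1 on that
    port within window_s seconds afterwards."""
    listeners = [e for e in events if e["type"] == "listen"
                 and e["lport"] == LOOPBACK_PORT
                 and e["image"].lower() not in BROWSERS]
    hits = []
    for conn in events:
        if conn["type"] != "connect" or conn["dport"] != LOOPBACK_PORT:
            continue
        if conn["daddr"] != "127.0.0.1" or conn["image"].lower() not in BROWSERS:
            continue
        for lst in listeners:
            delta = _t(conn["ts"]) - _t(lst["ts"])
            if timedelta(0) <= delta <= timedelta(seconds=window_s):
                hits.append((lst["pid"], conn["pid"]))
    return hits


if __name__ == "__main__":
    print(find_loopback_handshakes(SAMPLE_EVENTS))  # [(4120, 5331)]
```

A single listener or a single loopback connection on its own is common noise; the pair, in order and within a short window, is the signal worth alerting on.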
"To ensure that the victim does not suspect abnormal activity, the installer opens a website that directs the victim to run the application using msedge_proxy.exe," Check Point said.
The DLL module is designed to process the POST requests from the website, collect system information and start the fingerprinting process, after which the captured information is exfiltrated to the attacker as a JSON file via a PowerShell backdoor.
If the infected host is deemed valuable, the infection chain moves to the final stage, using Node.js to execute the JSCEAL malware.
In addition to establishing connections with a remote server to obtain further instructions, it sets up a local proxy with the goal of intercepting the victim's web traffic to banking, cryptocurrency and other sensitive websites and stealing their credentials in real time.
Other functions of JSCEAL include harvesting system information, browser cookies, auto-fill passwords, Telegram account data, screenshots and keystrokes, as well as carrying out adversary-in-the-middle attacks and manipulating cryptocurrency wallets. It can also act as a remote access trojan.
"This sophisticated piece of malware is designed to achieve complete control of the infected machine while remaining resilient against traditional security tools," Check Point said. "The combination of compiled code and heavy obfuscation, along with a wide variety of functionality, makes analysis challenging and time-consuming."
"Using JSC files allows the attackers to hide their code simply and effectively, which helps to evade security systems and makes analysis difficult."