Ongoing Cyber Campaign Uses Fake Crypto Apps to Deploy Stealthy JavaScript Malware

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Cybersecurity researchers are warning about a sophisticated cyber campaign that distributes fake cryptocurrency trading applications to infect users with a stealthy malware strain known as JSCEAL. This JavaScript-based malware, compiled using the V8 JavaScript engine, is capable of harvesting sensitive information such as login credentials, cryptocurrency wallet data, and browser activity.

How the Attack Works

The campaign, discovered by Check Point and previously flagged by Microsoft and WithSecure (as WEEVILPROXY), has been active since March 2024. It uses malicious Facebook ads—often disseminated through compromised or fake accounts—to lure victims to counterfeit websites impersonating trusted platforms like TradingView.

Upon visiting the malicious site, users are prompted to download what appears to be a legitimate trading app. However, the app acts as a dropper, initiating a multi-layered infection process that integrates JavaScript code, MSI installers, and local DLL modules to deliver the final malware payload.
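The counterfeit sites described above impersonate a known brand, so one cheap control is to flag hostnames in web-proxy logs that resemble a trusted domain without being it. The script below is an added example, not code from the article or from Check Point; the allow-list, the sample URLs, the edit-distance threshold and the simplified handling of public suffixes are all constructed assumptions.

```python
# Added example (not from the article or Check Point's research): flag
# hostnames that look like a trusted brand such as TradingView.
# The allow-list, sample URLs and threshold below are constructed.
from urllib.parse import urlparse

TRUSTED = {"tradingview.com"}  # constructed allow-list; extend for your estate

# Constructed sample of URLs as they might appear in a web-proxy log.
SAMPLE_URLS = [
    "https://www.tradingview.com/chart/",
    "https://tradingvievv.com/download",
    "https://tradingview-app.net/setup.msi",
    "https://example.org/",
]


def registrable(host):
    """Return the last two labels of a hostname ('www.a.com' -> 'a.com').
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance by dynamic programming (one row kept at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, trusted=TRUSTED, max_distance=2):
    """Return 'trusted', 'lookalike' or 'unrelated' for a URL.

    A host is a lookalike when its registrable domain is not allow-listed but
    its first label is within max_distance edits of a trusted brand label, or
    the brand label appears inside the untrusted domain (e.g. brand-app.net)."""
    host = urlparse(url).hostname or ""
    dom = registrable(host)
    if dom in trusted:
        return "trusted"
    label = dom.split(".")[0]
    for t in trusted:
        brand = t.split(".")[0]
        if edit_distance(label, brand) <= max_distance or brand in dom:
            return "lookalike"
    return "unrelated"


def scan(urls):
    """Map each URL to its classification; lookalikes are the review queue."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_URLS).items():
        print(f"{verdict:10} {url}")
```

The two-edit threshold catches character swaps and doubled letters such as `tradingvievv`, while the substring rule catches `brand-something` registrations; tune both against your own log volume, since the threshold is where false positives come from.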

Multi-Stage Infection Chain

This campaign is particularly notable for its modular and interdependent infection mechanism:

  1. Phishing and Redirection: Victims click Facebook ads and are redirected through cloaked links to landing pages. If the visitor is identified as a valid target (based on IP or browser metadata), they’re served the fake app.

  2. Installer Execution: The downloaded installer drops DLLs and begins listening on localhost:30303, establishing communication with the site via POST requests.

  3. Code Execution: Both the installer and website must run simultaneously for the malware to activate—an anti-analysis technique that complicates detection.

  4. JSCEAL Deployment: Once activated, JSCEAL sets up a local proxy, intercepts web traffic, and injects malicious scripts into banking or cryptocurrency pages to steal credentials in real time.

Capabilities of JSCEAL

JSCEAL is an advanced threat equipped with:

  • Keylogging and screenshot capture

  • Data theft from auto-fill fields, Telegram sessions, browser cookies

  • Real-time manipulation of cryptocurrency wallets

  • Execution of adversary-in-the-middle (AitM) attacks

  • Establishment of a remote access backdoor

Why This Matters

JSCEAL leverages compiled JavaScript (.jsc files) and heavy obfuscation, allowing it to bypass many traditional security tools. By splitting the infection logic across multiple components and requiring local and browser elements to work together, the malware stays under the radar.

How to Protect Yourself

  • Avoid downloading apps outside official marketplaces.

  • Be cautious with ads—even on trusted platforms like Facebook.

  • Use endpoint detection and response (EDR) tools with script analysis capabilities.

  • Monitor for unusual localhost connections and web proxy configurations.
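The infection chain above leaves two host-side traces that the last recommendation asks you to monitor: a process listening only on loopback (port 30303 in the reported campaign) and a system proxy that points back at the local machine. The script below is an added example, not code from the article or from any vendor tool; the `netstat -ano`-style listing, the `reg query`-style proxy values, the process IDs and the allow-list are constructed, and the proxy parser assumes a plain `host:port` value rather than the per-protocol form WinINET also accepts.

```python
# Added example (not from the article or any vendor tool): triage a
# constructed Windows `netstat -ano` listing and constructed WinINET proxy
# values for loopback-only listeners and a proxy pointing at localhost.
# Every sample line, PID and allow-list entry below is constructed.

# Constructed allow-list of loopback ports your software legitimately binds.
EXPECTED_LOCAL_LISTENERS = {}

# Constructed sample in the column layout printed by `netstat -ano`.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:30303        0.0.0.0:0              LISTENING       4412
  TCP    127.0.0.1:30303        127.0.0.1:51120        ESTABLISHED     4412
  TCP    192.168.1.20:51121     203.0.113.10:443       ESTABLISHED     2204
  UDP    0.0.0.0:5353           *:*                                    1188
"""

# Constructed sample of per-user proxy values as `reg query` prints them.
SAMPLE_PROXY = """\
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    127.0.0.1:30303
"""

LOOPBACK = ("127.0.0.1", "[::1]", "localhost")


def parse_netstat(text):
    """Return (local_ip, port, state, pid) for the TCP rows of a netstat dump.
    UDP rows have no State column and are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        local, _foreign, state, pid = parts[1:]
        ip, port = local.rsplit(":", 1)  # rsplit keeps IPv6 '[::1]' intact
        rows.append((ip, int(port), state, int(pid)))
    return rows


def loopback_listeners(rows, allow=EXPECTED_LOCAL_LISTENERS):
    """Return {port: pid} for LISTENING sockets bound only to loopback
    that are not on the allow-list. A 0.0.0.0 bind is not loopback-only."""
    return {port: pid for ip, port, state, pid in rows
            if state == "LISTENING" and ip in LOOPBACK and port not in allow}


def parse_proxy(text):
    """Parse 'Name  Type  Value' lines into {Name: Value}."""
    vals = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            vals[parts[0]] = parts[2]
    return vals


def proxy_points_to_localhost(vals):
    """Return the ProxyServer value if the proxy is enabled and local, else None."""
    if vals.get("ProxyEnable", "0x0") == "0x0":
        return None
    server = vals.get("ProxyServer", "")
    host = server.rsplit(":", 1)[0].lower()
    return server if host in LOOPBACK else None


def triage(netstat_text, proxy_text):
    """Combine both checks. A loopback listener that the system proxy also
    points at is the strongest signal and names the process to inspect."""
    listeners = loopback_listeners(parse_netstat(netstat_text))
    proxy = proxy_points_to_localhost(parse_proxy(proxy_text))
    findings = [f"loopback-only listener on port {p} (PID {pid})"
                for p, pid in sorted(listeners.items())]
    if proxy:
        findings.append(f"system proxy set to {proxy}")
        port = int(proxy.rsplit(":", 1)[1])
        if port in listeners:
            findings.append(f"proxy port {port} matches listener PID "
                            f"{listeners[port]}: inspect this process")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_PROXY):
        print(finding)
```

On a real host, feed it the output of `netstat -ano` and of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"`; the allow-list is what keeps legitimate local agents (database tooling, developer servers) out of the findings, so populate it from a clean baseline before rolling the check out.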

This campaign highlights the growing complexity of JavaScript-based malware and the need for enhanced vigilance in both development and end-user environments.