New JSCEAL Attack Targeting Crypto App Users To Steal Credentials and Wallets
A sophisticated new malware campaign targeting cryptocurrency application users has emerged, leveraging compiled JavaScript files and Node.js to steal digital wallets and credentials with unprecedented stealth.
The campaign, dubbed JSCEAL, represents a significant evolution in cybercriminal tactics, utilizing advanced evasion techniques that have allowed it to operate largely undetected despite its massive scale and distribution.
The malicious operation has been active since at least March 2024, with threat actors promoting approximately 35,000 malicious advertisements during the first half of 2025 alone, generating millions of views across the European Union.
The campaign impersonates nearly 50 legitimate cryptocurrency trading platforms, including major exchanges like Binance, Bybit, OKX, and trading platforms such as TradingView and MetaTrader, creating convincing fake applications designed to deceive unsuspecting users.
Check Point researchers identified this campaign through their ongoing analysis of compiled JavaScript file executions, which led to the discovery of JSCEAL’s unique deployment methodology.
The malware represents a notable shift in cybercriminal tactics, as it employs Node.js to execute compiled JavaScript (JSC) payloads, effectively concealing malicious code from traditional security mechanisms and making static analysis extremely challenging.
What sets JSCEAL apart from conventional malware is its remarkably low detection rate despite widespread distribution.
Hundreds of samples associated with this campaign were submitted to VirusTotal and remained undetected for extended periods, demonstrating the effectiveness of the attackers’ evasion strategies.
The campaign’s modular, multi-layered infection flow enables operators to adapt new tactics and payloads at every stage of the operation, making it particularly resilient against security countermeasures.
The attack begins with malicious advertisements on social media platforms, particularly Facebook, where threat actors use either compromised accounts or newly created profiles to promote fake cryptocurrency-related content.
These advertisements employ sophisticated redirection mechanisms that filter targets based on IP address ranges and referrer information, displaying decoy websites to unwanted visitors while directing legitimate targets to convincing fake landing pages.
Advanced Infection Mechanism and Persistence Tactics
The infection chain demonstrates considerable technical sophistication through a multi-component architecture in which the malicious website and the installed components must both be active at the same time for the attack to function.
When victims download what appears to be a legitimate MSI installer, the file invokes a CustomAction function that deploys several critical components, including TaskScheduler.dll for scheduled task creation and WMI.dll for system reconnaissance commands.
The malware establishes persistence through an ingenious scheduled task mechanism defined by XML payloads that trigger on specific Windows event log entries.
This task executes encoded PowerShell scripts that first exclude the malware from Windows Defender scanning, using a command such as Add-MpPreference -ExclusionProcess (Get-Process -PID $PID).MainModule.ModuleName -Force, and then initiate a PowerShell backdoor that maintains continuous communication with command-and-control servers.
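The persistence artifact described above, an event-triggered scheduled task whose action is an encoded PowerShell command that adds a Defender exclusion, can be triaged from the task's exported XML. The following is an added detection example, not code from the article or from Check Point; the task XML and the encoded command are constructed samples, and the namespace is the standard Task Scheduler schema.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import Optional

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"  # Task Scheduler schema
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(?:Process|Path|Extension)", re.I)

# Constructed sample: an event-triggered task whose action is an encoded PowerShell
# command that adds a Defender process exclusion, the pattern the article describes.
SAMPLE_COMMAND = "Add-MpPreference -ExclusionProcess (Get-Process -PID $PID).MainModule.ModuleName -Force"
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><EventTrigger>
    <Subscription>&lt;QueryList&gt;&lt;Query Path="System"&gt;&lt;Select&gt;*&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
  </EventTrigger></Triggers>
  <Actions><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-NoProfile -WindowStyle Hidden -EncodedCommand %s</Arguments>
  </Exec></Actions>
</Task>""" % base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode()


def decode_encoded_command(arguments: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_task_xml(xml_text: str) -> dict:
    """Flag tasks that fire on event-log entries and launch encoded PowerShell,
    and report whether the decoded command tampers with Defender exclusions."""
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))  # drop any XML declaration
    findings = {"event_triggered": root.find(f".//{NS}EventTrigger") is not None,
                "encoded_powershell": False, "defender_exclusion": False, "decoded_command": None}
    for exec_node in root.iter(f"{NS}Exec"):
        command = (exec_node.findtext(f"{NS}Command") or "").lower()
        if not any(shell in command for shell in ("powershell", "pwsh")):
            continue
        decoded = decode_encoded_command(exec_node.findtext(f"{NS}Arguments") or "")
        if decoded is None:
            continue
        findings["encoded_powershell"] = True
        findings["decoded_command"] = decoded
        findings["defender_exclusion"] |= bool(DEFENDER_EXCLUSION.search(decoded))
    # An event-log trigger combined with encoded PowerShell is the combination to escalate.
    findings["suspicious"] = findings["event_triggered"] and findings["encoded_powershell"]
    return findings
```

Running analyse_task_xml over every task XML exported from C:\Windows\System32\Tasks gives a quick sweep for this persistence pattern; the decoded command is returned so an analyst can read it directly.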
The final payload delivery occurs through Node.js runtime archives containing the core JSCEAL malware as compiled JavaScript files.
The malware establishes tRPC connections with C2 servers and deploys a local proxy that intercepts web traffic, injecting malicious scripts into banking and cryptocurrency websites in real time.
This Man-in-the-Browser functionality, combined with comprehensive data collection capabilities including keylogging, screenshot capture, and cryptocurrency wallet manipulation, makes JSCEAL a formidable threat to digital asset security.
The campaign’s ability to maintain such low detection rates while operating at massive scale underscores the evolving sophistication of modern cybercriminal operations, particularly those targeting the lucrative cryptocurrency sector where stolen credentials and wallet access can yield immediate financial returns for attackers.