New JSCEAL Malware Targets Millions via Fake Crypto App Ads

A new cybercrime campaign, dubbed JSCEAL, is actively targeting people who use cryptocurrency apps, according to the latest research from security research firm Check Point Research (CPR).

The malicious operation, which has been active since at least March 2024, has served more than 35,000 misleading ads in the first half of 2025 alone. Researchers estimate the total reach of this campaign at around 3.5 million users within the European Union and likely over 10 million users worldwide.

The campaign lures victims with fake ads that impersonate almost 50 popular crypto trading apps. When a user clicks on one of these ads, they are led to a phony website that looks legitimate and are prompted to download an installer file.

This file, which is often signed with a valid digital certificate to appear trustworthy, secretly contains malware. The attackers have been observed to impersonate dozens of different brands, showing how widespread and varied the threat is.

The Attack

According to CPR’s report, the JSCEAL campaign takes a multi-layered approach. Instead of a single virus, the attack involves several steps. The malicious installer first runs scripts that collect a wide range of data about the victim’s computer. This information is then sent to the attackers, who decide if the target is valuable. If it is, the final and most dangerous part of the attack is launched: the JSCEAL malware itself.

Infection Flow Illustration (Source: CPR)

This malware is a serious threat because it uses an advanced technique called compiled JavaScript (JSC) to hide its code. The attackers use a program called Node.js, a legitimate software environment, to run the malware, which helps it bypass many traditional security systems. As a result, the malicious code can remain “hidden from traditional security solutions.”
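A defender-side triage of process-creation telemetry for the pattern described above, Node.js executing a compiled JavaScript file. This is an added example, not code or indicators from the CPR report: the event fields, sample events, trusted directories and severity tiers are constructed assumptions, and it assumes the `.jsc` path is visible on the command line.

```python
import re
from pathlib import PureWindowsPath

# Assumption: where a system-wide Node.js install normally lives on Windows.
TRUSTED_NODE_DIRS = ("c:\\program files\\nodejs\\", "c:\\program files (x86)\\nodejs\\")
# A compiled-JavaScript path ending an argument (quote, whitespace or end of line).
JSC_ARG = re.compile(r'\.jsc(?=["\s]|$)', re.IGNORECASE)

def triage(event):
    """Return None, 'medium' or 'high' for one process-creation event."""
    image = event["image"].lower()
    if PureWindowsPath(image).name != "node.exe":
        return None
    if not JSC_ARG.search(event["command_line"]):
        return None  # ordinary script execution, including dev version managers
    # Compiled JS run by a private copy of Node.js outside the install dir ranks higher.
    return "medium" if image.startswith(TRUSTED_NODE_DIRS) else "high"

def hunt(events):
    """Return (host, severity, command_line) for every event worth reviewing."""
    hits = []
    for event in events:
        severity = triage(event)
        if severity:
            hits.append((event["host"], severity, event["command_line"]))
    return hits

# Constructed sample events (not taken from the CPR report).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Program Files\nodejs\node.exe",
     "command_line": r'"C:\Program Files\nodejs\node.exe" server.js'},
    {"host": "ws-02", "image": r"C:\Users\alice\AppData\Local\Temp\pkg\node.exe",
     "command_line": r'"C:\Users\alice\AppData\Local\Temp\pkg\node.exe" '
                     r'"C:\Users\alice\AppData\Local\Temp\pkg\app.jsc"'},
    {"host": "ws-03", "image": r"C:\Users\bob\AppData\Roaming\nvm\v20.11.0\node.exe",
     "command_line": r"node.exe build.js"},
    {"host": "ws-04", "image": r"C:\Program Files\nodejs\node.exe",
     "command_line": r"node.exe C:\build\cache\bundle.jsc"},
    {"host": "ws-05", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe notes.jsc"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

A loader script that pulls in the compiled file at runtime will not show a `.jsc` argument, so this check is a starting filter to pair with file-creation telemetry rather than a complete detection.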

Stealing Wallets and Personal Data

Once the JSCEAL malware is installed, it can steal sensitive information related to cryptocurrencies, such as credentials and digital wallets. The malware also has a wide range of other capabilities, including taking screenshots, logging keystrokes, and even manipulating web traffic to steal data in real time.

The JSCEAL campaign’s use of new techniques like compiled JavaScript and its widespread reach make it a significant concern for anyone using cryptocurrency platforms. This means users should be extra cautious about where they download applications and should have more reliable security measures in place.
