New JSCEAL Attack Aims to Steal Credentials and Wallets from Crypto App Users

Check Point Research (CPR) has identified a sophisticated malware campaign dubbed JSCEAL, which targets users of cryptocurrency trading applications through malicious advertisements and compiled JavaScript payloads.

Active since at least March 2024, the operation has evolved to incorporate advanced anti-analysis techniques, including modular infection flows and the use of Node.js to execute compiled V8 JavaScript (JSC) files.

This campaign impersonates nearly 50 popular crypto apps, leveraging paid malvertising on social media platforms to distribute fake installers.

In the first half of 2025, threat actors deployed approximately 35,000 malicious ads, garnering millions of views in the European Union alone, with potential global reach exceeding 10 million users based on social media demographics.

Campaign Discovery

The JSCEAL malware focuses on exfiltrating cryptocurrency-related data, such as credentials, wallets, browser cookies, autocomplete passwords, and Telegram accounts.

It employs techniques like keylogging, screenshot capture, Man-in-the-Browser (MitB) attacks, and Man-in-the-Middle (MitM) interception via local proxies and embedded certificates installed with certutil.exe.

The initial deployment infection flow.

The payload also functions as a Remote Access Trojan (RAT), enabling remote PowerShell command execution and automation via Puppeteer for web interactions and WinPTY for command-line tasks.

Analysis reveals heavy obfuscation using tools like javascript-obfuscator, complicating static detection and decompilation, though CPR’s VIEW8 tool aids in bytecode examination.

Multi-Layered Infection Chain

The infection begins with malvertising on platforms like Facebook, redirecting victims through domains following specific naming patterns (e.g., combinations of words like “app,” “download,” and “pc” under .com TLDs) to fake landing pages or decoy sites based on IP filtering and referrers.

Decoy website.

Successful redirects lead to MSI installers signed with valid certificates from Russian entities, created using WIX Toolset.

These installers embed custom DLLs (e.g., TaskScheduler.dll and WMI.dll) that open an HTTP listener on localhost:30303; JavaScript served by the fake sites calls that listener to run WMI queries and create scheduled tasks, so the installer and the web page depend on each other to complete the infection.

Profiling is carried out by PowerShell backdoors that XML-defined scheduled tasks launch with SYSTEM privileges; the backdoors exclude PowerShell from Windows Defender scans and gather machine fingerprints (e.g., the MachineGuid from the registry, installed software, UAC settings, and network details).

Data is exfiltrated to command-and-control (C2) servers, often hosted on Cloudflare Pages, which may deploy the final JSC payload in ZIP archives containing Node.js runtime, Brotli-compressed app.jsc, preflight.js for decompression, and native .node modules.

Communication with C2 uses tRPC over WebSockets and DNS over HTTPS to resolve subdomains like vertical-scaling[.]com.

Victims judged not to be valuable receive cleanup scripts that remove the infection artifacts. Despite widespread distribution, many samples evaded detection on VirusTotal for extended periods because JSC is compiled bytecode and the payload includes anti-analysis mechanisms.

CPR notes correlations with prior reports on similar activities, such as WeevilProxy, and emphasizes monitoring Node.js executions for defense.
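The monitoring advice above can be turned into a first-pass hunt. What follows is an added example, not CPR's tooling or anything from the report: a small Python script that applies behavioural rules taken from the tradecraft described on this page (a bundled Node.js runtime in a user-profile path loading .jsc bytecode, certutil adding a certificate to the Root store, SYSTEM-context PowerShell with an encoded command) to constructed process-creation events in a Sysmon-like shape. The field names, paths, rule names and sample events are all assumptions.

```python
"""Added example: first-pass hunt over process-creation telemetry for the
JSCEAL behaviours described in the article. Not CPR tooling; the event shape,
paths and sample events below are constructed assumptions."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str      # endpoint name
    user: str      # account the process runs as
    parent: str    # parent image name
    image: str     # full path of the launched image
    cmdline: str   # command line as logged


# Constructed sample events (not real telemetry), Sysmon Event ID 1-like fields.
SAMPLE_EVENTS = [
    # Scheduled task running PowerShell as SYSTEM with an encoded command
    ProcEvent("ws01", "NT AUTHORITY\\SYSTEM", "svchost.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -NoP -W Hidden -enc UwB0AGEAcgB0AA=="),
    # certutil installing a certificate into the machine Root store
    ProcEvent("ws01", "ws01\\alice", "msiexec.exe",
              "C:\\Windows\\System32\\certutil.exe",
              "certutil.exe -addstore root C:\\Users\\alice\\AppData\\Local\\Temp\\ca.cer"),
    # Bundled Node.js runtime in the user profile loading compiled bytecode
    ProcEvent("ws01", "ws01\\alice", "explorer.exe",
              "C:\\Users\\alice\\AppData\\Local\\Programs\\App\\node.exe",
              "node.exe preflight.js app.jsc"),
    # Benign developer activity that the rules must not flag
    ProcEvent("ws02", "ws02\\bob", "explorer.exe",
              "C:\\Program Files\\nodejs\\node.exe", "node.exe server.js"),
    ProcEvent("ws02", "ws02\\bob", "cmd.exe",
              "C:\\Windows\\System32\\certutil.exe",
              "certutil.exe -hashfile setup.msi SHA256"),
]


def _is(image, name):
    """True when the image path ends in the given executable name."""
    return image.lower().endswith("\\" + name)


# Each rule is (name, predicate). Names are constructed, not vendor signatures.
RULES = [
    ("node_executes_jsc",
     lambda e: _is(e.image, "node.exe") and re.search(r"\.jsc\b", e.cmdline, re.I)),
    ("node_outside_program_files",
     lambda e: _is(e.image, "node.exe") and "\\program files" not in e.image.lower()),
    ("certutil_root_store_add",
     lambda e: _is(e.image, "certutil.exe")
     and re.search(r"-addstore\s+(-f\s+)?root\b", e.cmdline, re.I)),
    ("system_powershell_encoded",
     lambda e: e.user.upper().endswith("\\SYSTEM") and _is(e.image, "powershell.exe")
     and re.search(r"\s-(enc|encodedcommand|e)\b", e.cmdline, re.I)),
]


def hunt(events):
    """Return {rule_name: [host, ...]} for every event matching a rule."""
    hits = {}
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.setdefault(name, []).append(e.host)
    return hits


if __name__ == "__main__":
    for rule, hosts in hunt(SAMPLE_EVENTS).items():
        print(f"{rule}: {', '.join(hosts)}")
```

Each rule on its own is noisy (plenty of legitimate Electron and developer tooling ships node.exe under the user profile, and admins do add Root certificates), so the useful signal is several rules firing on the same host in a short window, ideally alongside a new HTTP listener on localhost:30303 or a freshly added Defender exclusion for PowerShell, both of which the article describes and which come from network and configuration telemetry rather than process events.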

Protections include tools like Threat Emulation and Harmony Endpoint, classifying variants as InfoStealer.Win.JSCeal.A and related droppers.

Indicators of Compromise (IOCs)

Category | IOC Value/Example | Description
--- | --- | ---
JSCEAL C2 | vertical-scaling[.]com | Primary command-and-control domain
JSCEAL C2 | ggr-lach[.]com | Primary command-and-control domain
Intermediate C2 | resolve-ns[.]pages[.]dev | Cloudflare-hosted intermediate C2
Intermediate C2 | asvufw[.]workers[.]dev | Cloudflare Workers intermediate C2
Redirection Domain | app-pc-windows[.]com | Domain used in redirection chain
Redirection Domain | download-apps-windows[.]com | Domain used in redirection chain
build.zip Hash | b90e3aaae14e7787e5ea4a6d4beee672049bd5eb05427f2c80b64f605860d2b8 | SHA-256 hash of build.zip payload
build.zip Hash | f6c670e65765d10a5ca0205a6ece3a3e6c7c730b0a8534c5adef4a3cbf06eb9c | SHA-256 hash of build.zip payload
MSI Installer Hash | a696d03aeb1bde633b674bdd640a1a313cae7da711d99cfba3fd06f02d3864de | SHA-256 hash of malicious MSI file
MSI Installer Hash | e881682b59640c05cd540696955a849610260415e576f79b62383108c1aa3354 | SHA-256 hash of malicious MSI file
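The indicators above are published defanged, so they need refanging before they can be matched. The following is an added example, not from the article or from Check Point: a Python script that refangs the table's domains, matches them (including subdomains, since the article notes that subdomains of the C2 are resolved) against constructed resolver log lines, and checks a constructed file inventory against the table's SHA-256 values. The log line format, sample queries and file paths are assumptions; only the indicator values come from the table.

```python
"""Added example: match the defanged indicators from the table above against
constructed DNS resolver log lines and a constructed file-hash inventory.
Not CPR tooling; log format and sample data are assumptions."""

# Domain indicators copied from the IOC table, defanged with [.] as published.
DOMAIN_IOCS = {
    "vertical-scaling[.]com": "JSCEAL C2",
    "ggr-lach[.]com": "JSCEAL C2",
    "resolve-ns[.]pages[.]dev": "Intermediate C2",
    "asvufw[.]workers[.]dev": "Intermediate C2",
    "app-pc-windows[.]com": "Redirection Domain",
    "download-apps-windows[.]com": "Redirection Domain",
}

# SHA-256 indicators copied from the IOC table.
HASH_IOCS = {
    "b90e3aaae14e7787e5ea4a6d4beee672049bd5eb05427f2c80b64f605860d2b8": "build.zip",
    "f6c670e65765d10a5ca0205a6ece3a3e6c7c730b0a8534c5adef4a3cbf06eb9c": "build.zip",
    "a696d03aeb1bde633b674bdd640a1a313cae7da711d99cfba3fd06f02d3864de": "MSI Installer",
    "e881682b59640c05cd540696955a849610260415e576f79b62383108c1aa3354": "MSI Installer",
}


def refang(indicator):
    """Turn a published, defanged indicator back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def domain_matches(qname, iocs=DOMAIN_IOCS):
    """Return (indicator, label) if qname equals an IOC domain or is a subdomain
    of one, else None. A bare suffix match is deliberately not enough:
    'pages.dev' must not hit 'resolve-ns.pages.dev'."""
    q = qname.lower().rstrip(".")
    for raw, label in iocs.items():
        d = refang(raw)
        if q == d or q.endswith("." + d):
            return raw, label
    return None


# Constructed resolver log lines: "<timestamp> <client> <qname> <qtype>".
SAMPLE_DNS = [
    "2025-07-01T10:00:01Z 10.0.0.12 cdn.example.net A",
    "2025-07-01T10:00:04Z 10.0.0.12 app-pc-windows.com A",
    "2025-07-01T10:00:09Z 10.0.0.12 resolve-ns.pages.dev A",
    "2025-07-01T10:01:30Z 10.0.0.12 a7f3.vertical-scaling.com TXT",
    "2025-07-01T10:02:00Z 10.0.0.13 pages.dev A",
]


def scan_dns(lines):
    """Return [(client, qname, label)] for every query that matches an IOC."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than abort the sweep
        _ts, client, qname, _qtype = fields[:4]
        match = domain_matches(qname)
        if match:
            hits.append((client, qname, match[1]))
    return hits


# Constructed file inventory: path -> SHA-256 (notes.txt carries the empty-file hash).
SAMPLE_FILES = {
    "C:\\Users\\alice\\Downloads\\TradingApp-Setup.msi":
        "a696d03aeb1bde633b674bdd640a1a313cae7da711d99cfba3fd06f02d3864de",
    "C:\\Users\\alice\\AppData\\Local\\Temp\\build.zip":
        "b90e3aaae14e7787e5ea4a6d4beee672049bd5eb05427f2c80b64f605860d2b8",
    "C:\\Users\\alice\\Downloads\\notes.txt":
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def scan_hashes(inventory):
    """Return [(path, label)] for files whose SHA-256 is a known indicator."""
    return [(path, HASH_IOCS[h.lower()])
            for path, h in inventory.items() if h.lower() in HASH_IOCS]


if __name__ == "__main__":
    for hit in scan_dns(SAMPLE_DNS) + scan_hashes(SAMPLE_FILES):
        print(hit)
```

One caveat follows directly from the article: because the payload resolves its C2 subdomains over DNS over HTTPS, an internal resolver log will not see those queries, so the same domain matcher is better pointed at TLS SNI or proxy logs, and the redirection-chain domains (which the browser resolves normally) are the ones most likely to show up in resolver telemetry.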
