Cybercriminals expand malvertising campaigns from Facebook to Google Ads and YouTube, hijacking accounts to distribute crypto-stealing malware targeting financial platform users worldwide.
A sophisticated malvertising campaign that initially targeted Facebook users with fake TradingView Premium offers has significantly expanded its reach, now infiltrating Google Ads and YouTube to distribute advanced cryptocurrency-stealing malware.
Bitdefender researchers, who have been tracking this persistent threat for over a year, report that cybercriminals are increasingly weaponizing legitimate advertising platforms to compromise financial data and cryptocurrency wallets.
The malicious campaign began by exploiting Facebook Ads to promise “free access” to TradingView Premium and other trading platforms.
However, Bitdefender Labs researchers have observed a dramatic escalation, with threat actors now leveraging Google’s advertising ecosystem and hijacked YouTube channels to reach broader audiences.
This expansion exposes both content creators and regular users to unprecedented risks, as attackers exploit the trust associated with verified accounts and official branding.
Unlike legitimate advertisements, these malicious campaigns redirect unsuspecting users to malware-laden downloads specifically designed to steal credentials, compromise accounts, and exfiltrate sensitive financial data.
The campaigns have demonstrated remarkable sophistication in their execution, utilizing multi-stage infection techniques and advanced evasion mechanisms.
YouTube Channel Hijacking Tactics
In a particularly concerning development, researchers discovered that cybercriminals successfully hijacked a Google advertiser account belonging to a Norwegian design agency.
The attackers also compromised a verified YouTube channel, which they systematically rebranded to impersonate the official TradingView platform.
This sophisticated impersonation strategy included several deceptive elements that made detection extremely difficult.
The compromised channel was meticulously designed to mirror TradingView’s authentic presence by reusing official branding elements, including identical logos, banners, and visual components.
Attackers mirrored legitimate playlists from the real TradingView channel, creating an illusion of active content despite having no original videos.
Most critically, they exploited the channel’s existing verified badge status, which users typically associate with authenticity without conducting deeper verification.
The hijacked channel contained no original content and had only 96 registered views—an impossibility for a legitimate channel given TradingView’s massive popularity.
The impersonation strategy relied entirely on unlisted advertisement videos shown exclusively through paid placements, effectively avoiding public scrutiny.
One particularly successful advertisement video, titled “Free TradingView Premium – Secret Method They Don’t Want You to Know,” gained over 182,000 views within days through aggressive advertising campaigns despite remaining unlisted.
This unlisted status serves a deliberate strategic purpose, preventing casual reporting and platform moderation while ensuring exclusive distribution through targeted ad placements.
The video descriptions include sophisticated social engineering elements, promising benefits such as simplified trading, personalized indicators, and “reasonable” trading strategies. To establish credibility, attackers even include disclaimers about financial risks.
However, these messages mask the true malicious intent: redirecting victims to malware downloads, deploying phishing pages to steal credentials, and spreading infection across multiple channels and domains.
Malware Capabilities
Bitdefender technical analysis revealed that while the malware shares characteristics with previous samples, the initial downloader represents a custom-built solution specifically designed to resist detection and analysis.
The malware employs several sophisticated evasion techniques that significantly complicate both automated and manual analysis efforts.
The oversized downloader exceeds 700 MB, making it too large for most automated analysis platforms to process effectively. It incorporates anti-sandbox capabilities that actively check for virtualized or sandboxed environments, hindering dynamic analysis attempts.
The infection proceeds through multiple stages, employing techniques consistent with established infostealer campaigns once initial defenses are bypassed.
Communication protocols have evolved significantly from previous iterations. While earlier samples used plain HTTP requests on various ports, the current malware communicates through WebSockets on port 30000 using the /config route.
The front-end scripts have been enhanced with obfuscation and AES-CBC encryption, making investigation substantially more difficult.
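The network indicators above (WebSocket command-and-control on port 30000 via the /config route, and an initial downloader larger than 700 MB) are concrete enough to turn into egress-log detection logic. The following is an added example written for this article, not code from Bitdefender or from the malware analysis; the log format and the list of executable suffixes are assumptions, and the log lines are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed egress/proxy log lines in a simplified, assumed format:
#   <timestamp> <client> <dst_host>:<dst_port> <method> <path> upgrade=<hdr|-> bytes=<n>
# This is not a real vendor format; adapt LINE_RE to your own proxy or Zeek export.
SAMPLE_LOG = """\
2025-09-01T10:00:01Z 10.0.0.5 203.0.113.10:30000 GET /config upgrade=websocket bytes=512
2025-09-01T10:00:02Z 10.0.0.5 cdn.example-trading.invalid:443 GET /setup.exe upgrade=- bytes=751000000
2025-09-01T10:00:03Z 10.0.0.7 www.tradingview.com:443 GET /chart/ upgrade=- bytes=18234
2025-09-01T10:00:04Z 10.0.0.7 203.0.113.11:30000 GET /config upgrade=- bytes=100
2025-09-01T10:00:05Z 10.0.0.8 203.0.113.12:443 GET /config upgrade=websocket bytes=640
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>[^:\s]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) upgrade=(?P<upgrade>\S+) bytes=(?P<bytes>\d+)$"
)

C2_PORT = 30000                         # from the report: WebSocket C2 on port 30000
C2_PATH = "/config"                     # from the report: the /config route
OVERSIZED_BYTES = 700 * 1024 * 1024     # from the report: downloader exceeds 700 MB
EXEC_SUFFIXES = (".exe", ".msi", ".dmg", ".apk")  # assumed list for illustration only


@dataclass(frozen=True)
class Alert:
    rule: str
    client: str
    dst: str
    detail: str


def scan_log(text: str) -> list[Alert]:
    """Return alerts for each log line matching one of the two indicators."""
    alerts: list[Alert] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the whole scan
        port, path, size = int(m["port"]), m["path"], int(m["bytes"])
        dst = f"{m['host']}:{port}"
        # All three must coincide; port 30000 or /config alone is too noisy to alert on.
        if port == C2_PORT and path == C2_PATH and m["upgrade"].lower() == "websocket":
            alerts.append(Alert("websocket_c2", m["client"], dst, "WebSocket upgrade to /config on port 30000"))
        # An executable download larger than 700 MB is unusual enough to triage.
        if size > OVERSIZED_BYTES and path.lower().endswith(EXEC_SUFFIXES):
            alerts.append(Alert("oversized_download", m["client"], dst, f"{size // (1024 * 1024)} MB executable"))
    return alerts
```

Only the first two constructed lines should fire: the fourth lacks the WebSocket upgrade and the fifth is on port 443.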

The final payload, identified as JSCEAL by Check Point and WeevilProxy by WithSecure, demonstrates sophisticated capabilities including intercepting all user network traffic through proxy functionality, collecting cookie and password data, implementing keylogging and screenshot capture, stealing cryptocurrency wallet data, and ensuring long-term system persistence.
Campaign Scale and Infrastructure
Bitdefender's extended analysis of this malicious advertising campaign has revealed staggering scope and sophistication.
Researchers have identified over 500 domains and subdomains connected to this malicious infrastructure, demonstrating the campaign’s extensive reach and resource investment.
The threat actors have developed emerging macOS and Android samples designed to extend attacks beyond Windows systems, indicating cross-platform expansion capabilities.
Multiple hijacked or impersonated channels and pages are simultaneously pushing identical campaigns across platforms. Several stolen Google accounts have also been observed facilitating these operations.
Thousands of Facebook pages, typically featuring fewer than five likes and generic names and images, actively distribute malicious advertisements. Threat actors demonstrate remarkable operational capacity by creating hundreds of new advertisements daily in multiple languages, particularly English, Vietnamese, and Thai, while continuously rotating domains and implementing new evasion strategies.
Users encountering advertisements promising free access to premium trading tools should exercise extreme caution and verify channel handles and subscriber counts before engagement.
Unlisted videos should raise immediate suspicion, as legitimate companies rarely operate unlisted ad-only campaigns. Software downloads should only occur from official websites, never through third-party links.
Content creators and businesses face particular risks from account takeover attempts. Essential protective measures include enabling robust multi-factor authentication for all online accounts, regularly reviewing account recovery options, auditing channel roles and permissions, and monitoring for unusual activity such as sudden branding changes or unexpected video uploads.
Organizations should implement comprehensive security solutions and maintain ongoing awareness of evolving impersonation and ad abuse campaigns, as these sophisticated threats continue adapting to circumvent detection mechanisms while targeting increasingly diverse user populations across multiple platforms.