A sophisticated malware campaign, known as JSCEAL, has been actively targeting cryptocurrency application users since at least March 2024. This operation employs advanced evasion techniques, utilizing compiled JavaScript files and Node.js to stealthily steal digital wallets and user credentials.
Scope and Impact
During the first half of 2025, threat actors associated with JSCEAL promoted approximately 35,000 malicious advertisements, resulting in millions of views across the European Union. The campaign impersonates nearly 50 legitimate cryptocurrency trading platforms, including major exchanges like Binance, Bybit, OKX, and trading platforms such as TradingView and MetaTrader. These fake applications are meticulously designed to deceive users into downloading malware that compromises their sensitive information.
Detection Challenges
JSCEAL represents a significant evolution in cybercriminal tactics by employing Node.js to execute compiled JavaScript (JSC) payloads. This method effectively conceals malicious code from traditional security mechanisms, making static analysis extremely challenging. Notably, hundreds of samples associated with this campaign were submitted to VirusTotal and remained undetected for extended periods, highlighting the effectiveness of the attackers’ evasion strategies.
Infection Mechanism
The attack begins with malicious advertisements on social media platforms, particularly Facebook. Threat actors use either compromised accounts or newly created profiles to promote fake cryptocurrency-related content. These advertisements employ sophisticated redirection mechanisms that filter targets based on IP address ranges and referrer information, showing decoy websites to visitors outside the intended audience while directing intended targets to convincing fake landing pages.
Advanced Infection Mechanism and Persistence Tactics
The infection chain demonstrates remarkable technical sophistication through its multi-component architecture that requires both malicious websites and installed components to function simultaneously.
When victims download what appears to be a legitimate MSI installer, the file invokes a CustomAction function that deploys several critical components, including TaskScheduler.dll for scheduled task creation and WMI.dll for system reconnaissance commands.
The malware establishes persistence through an ingenious scheduled task mechanism defined by XML payloads that trigger on specific Windows event log entries. This task executes encoded PowerShell scripts that first exclude the malware from Windows Defender scanning using commands like `Add-MpPreference -ExclusionProcess (Get-Process -PID $PID).MainModule.ModuleName -Force`, then initiates a PowerShell backdoor that maintains continuous communication with command and control servers.
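The persistence step above leaves two artefacts a defender can inspect directly: the scheduled-task XML with its event-log trigger, and the encoded PowerShell command it runs. The following Python is an added example written for this page (not code from the report or from the malware): it parses a constructed task definition, decodes the `-EncodedCommand` argument (base64 over UTF-16LE, which is how `powershell.exe` expects it), and flags the Defender exclusion and the self-referencing `(Get-Process -PID $PID)` pattern quoted above. The task XML, the event-ID subscription and the finding names are assumptions made for the example.

```python
"""Triage a Windows scheduled-task XML definition for the persistence pattern
described above: an event-log trigger that launches an encoded PowerShell
command which excludes its own process from Microsoft Defender scanning.
Example code written for this page; the sample task below is constructed."""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Namespace used by Task Scheduler XML definitions.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# The Defender self-exclusion command quoted in the write-up, used as the sample script.
SAMPLE_SCRIPT = (
    "Add-MpPreference -ExclusionProcess "
    "(Get-Process -PID $PID).MainModule.ModuleName -Force"
)
# powershell.exe -EncodedCommand takes base64 over the UTF-16LE bytes of the script.
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed task definition (hypothetical, not a sample from the campaign): the
# EventTrigger subscription fires on a System-log event and runs the encoded script.
SAMPLE_TASK_XML = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[EventID=1]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -WindowStyle Hidden -EncodedCommand {SAMPLE_ENCODED}</Arguments>
    </Exec>
  </Actions>
</Task>"""

# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENCODED_FLAG = re.compile(
    r"(?<!\S)-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
# Add-/Set-MpPreference adding an exclusion of any kind.
DEFENDER_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Process|Path|Extension|IpAddress)",
    re.IGNORECASE,
)
# The script excluding the very process that runs it.
SELF_REFERENCE = re.compile(r"Get-Process\s+-PID\s+\$PID", re.IGNORECASE)


def decode_encoded_command(arguments: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    match = ENCODED_FLAG.search(arguments)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_task_xml(xml_text: str) -> dict:
    """Flag event-log triggers, encoded PowerShell and Defender exclusions in a task."""
    root = ET.fromstring(xml_text)
    findings = []
    subscriptions = [
        (trigger.findtext(TASK_NS + "Subscription") or "").strip()
        for trigger in root.iter(TASK_NS + "EventTrigger")
    ]
    if subscriptions:
        findings.append("event-log-trigger")
    command = (root.findtext(f".//{TASK_NS}Exec/{TASK_NS}Command") or "").strip()
    arguments = (root.findtext(f".//{TASK_NS}Exec/{TASK_NS}Arguments") or "").strip()
    decoded = None
    if "powershell" in command.lower() or "pwsh" in command.lower():
        decoded = decode_encoded_command(arguments)
        if decoded is not None:
            findings.append("encoded-powershell")
    # Inspect the decoded script when there is one, otherwise the raw arguments.
    script = decoded if decoded is not None else arguments
    if DEFENDER_EXCLUSION.search(script):
        findings.append("defender-exclusion")
        if SELF_REFERENCE.search(script):
            findings.append("self-exclusion")
    return {
        "event_triggered": bool(subscriptions),
        "subscriptions": subscriptions,
        "command": command,
        "arguments": arguments,
        "decoded_script": decoded,
        "findings": findings,
    }


if __name__ == "__main__":
    result = analyze_task_xml(SAMPLE_TASK_XML)
    print("findings:", ", ".join(result["findings"]))
    print("decoded :", result["decoded_script"])
```

On a real host the same function can be run over the files under `C:\Windows\System32\Tasks`, which hold each registered task's XML; an event-triggered task whose action is an encoded PowerShell command that touches `Add-MpPreference` is rare enough in normal fleets to be worth an alert on its own.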
Final Payload Delivery
The final payload delivery occurs through Node.js runtime archives containing the core JSCEAL malware as compiled JavaScript files. The malware establishes tRPC connections with command and control servers and deploys a local proxy that intercepts web traffic, injecting malicious scripts into banking and cryptocurrency websites in real time. This Man-in-the-Browser functionality, combined with comprehensive data collection capabilities including keylogging, screenshot capture, and cryptocurrency wallet manipulation, makes JSCEAL a formidable threat to digital asset security.
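Because the final stage is a stock Node.js runtime rather than a custom binary, file-hash detection is weak; what stands out is the context in which `node.exe` runs. The Python below is an added example written for this page (not code from the report): it scores process-creation records using Sysmon Event ID 1 field names (`Image`, `CommandLine`, `ParentImage`) for a Node.js runtime outside its install directory, in a user-writable path, launched by a script or installer host, and passed a compiled-JavaScript file. All events are constructed; the `.jsc` extension, the trusted install directories and the scoring weights are assumptions of the example.

```python
"""Triage process-creation events for the final-stage pattern described above:
a Node.js runtime dropped outside its install location, launched by a script
host, running compiled JavaScript. Example code written for this page; field
names follow Sysmon Event ID 1 and every record below is constructed."""
import re
from typing import Dict, List

# Where a legitimately installed node.exe is expected (assumption for this example).
TRUSTED_NODE_DIRS = (
    "c:\\program files\\nodejs\\",
    "c:\\program files (x86)\\nodejs\\",
)
# Path fragments that mark user-writable drop locations.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Script/installer hosts that a dropper chain would use as the parent process.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "msiexec.exe"}
# Compiled-JavaScript bytecode argument. The .jsc extension is an assumption here;
# the write-up only says "compiled JavaScript (JSC) files".
COMPILED_JS_ARG = re.compile(r"\.jsc\b", re.IGNORECASE)

# Assumed weights; tune to the fleet's baseline.
WEIGHTS = {
    "node-outside-install-dir": 2,
    "node-in-user-writable-path": 2,
    "compiled-js-argument": 3,
    "spawned-by-script-host": 2,
}

# Constructed events: one matching the pattern, one benign developer use,
# one weakly suspicious, one unrelated process.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {
        "Image": "C:\\Users\\alice\\AppData\\Roaming\\FakeWalletApp\\node.exe",
        "CommandLine": '"C:\\Users\\alice\\AppData\\Roaming\\FakeWalletApp\\node.exe" app\\main.jsc',
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    },
    {
        "Image": "C:\\Program Files\\nodejs\\node.exe",
        "CommandLine": '"C:\\Program Files\\nodejs\\node.exe" C:\\dev\\api\\server.js',
        "ParentImage": "C:\\Program Files\\Microsoft VS Code\\Code.exe",
    },
    {
        "Image": "C:\\ProgramData\\Updater\\node.exe",
        "CommandLine": '"C:\\ProgramData\\Updater\\node.exe" index.js',
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
    {
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
]


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def triage_process_event(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation record; processes other than node.exe score 0."""
    image = event.get("Image", "")
    image_l = image.lower()
    findings: List[str] = []
    if basename(image_l) == "node.exe":
        if not image_l.startswith(TRUSTED_NODE_DIRS):
            findings.append("node-outside-install-dir")
        if any(marker in image_l for marker in USER_WRITABLE_MARKERS):
            findings.append("node-in-user-writable-path")
        if COMPILED_JS_ARG.search(event.get("CommandLine", "")):
            findings.append("compiled-js-argument")
        if basename(event.get("ParentImage", "")) in SCRIPT_HOSTS:
            findings.append("spawned-by-script-host")
    score = sum(WEIGHTS[f] for f in findings)
    return {"image": image, "score": score, "findings": findings}


def triage_events(events: List[Dict[str, str]], threshold: int = 1) -> List[Dict[str, object]]:
    """Return scored records at or above the threshold, highest score first."""
    scored = [triage_process_event(e) for e in events]
    return sorted((r for r in scored if r["score"] >= threshold), key=lambda r: -r["score"])


if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(hit["score"], hit["image"], ", ".join(hit["findings"]))
```

The benign developer launch scores zero, the runtime under `ProgramData` scores low and is worth a look, and the record combining a user-profile drop, a PowerShell parent and a compiled-JavaScript argument scores highest. Pairing this with the scheduled-task check (the same PowerShell host that runs the encoded command is the parent that spawns `node.exe`) ties the two stages of the chain together in telemetry.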
Recommendations for Users
Given the sophisticated nature of the JSCEAL campaign, users are advised to exercise extreme caution when downloading cryptocurrency-related applications. It is crucial to verify the authenticity of the application and its source. Utilizing hardware wallets for storing cryptocurrencies and enabling ad blockers can provide additional layers of security. Staying informed about emerging threats and maintaining updated security software are essential steps in safeguarding digital assets against such advanced malware campaigns.