A sophisticated new malware campaign, dubbed JSCEAL, is actively targeting cryptocurrency application users by hijacking credentials and crypto wallets, researchers from Check Point Research (CPR) revealed.
Beginning in March 2024, the operation has rapidly evolved, leveraging compiled JavaScript payloads, advanced anti-analysis techniques, and large-scale social media malvertising to stay undetected and compromise unsuspecting victims.
Malvertising and Multi-Layered Infection Chain
JSCEAL’s infection chain begins with targeted social media ads, especially on Facebook, impersonating nearly 50 reputable cryptocurrency and financial institutions.
Users clicking on these ads are lured to fake websites mimicking genuine crypto trading platforms, where they’re prompted to install a seemingly legitimate MSI installer.
Notably, the campaign operates a sprawling infrastructure of domains for redirection, frequently filtering out non-targets to further evade detection.
What sets JSCEAL apart is its modular and interdependent infection flow. The installer’s components deliberately split functionality: some run on the victim’s machine, while critical JavaScript code executes directly from the infected website.
Installation only succeeds if both components, the site and the installer, are running in parallel, greatly complicating forensic analysis.
Node.js-Powered Compiled JavaScript Malware
Once deployed, the installer launches local HTTP listeners and executes PowerShell scripts to gather victim information, evade Windows Defender, and communicate with command-and-control (C2) servers.
If the attackers determine a machine is valuable, a final payload is delivered: a Node.js runtime bundled with a compiled JavaScript (JSC) file, JSCEAL itself, hidden inside encrypted ZIP archives.
JSCEAL leverages Google V8’s lesser-known ability to compile JavaScript into low-level bytecode, which is then further obscured with obfuscation tools.
It connects to C2 servers via DNS-over-HTTPS, opening persistent channels for attacker commands.
Its capabilities resemble advanced banking trojans: JSCEAL can steal browser credentials, cookies, and Telegram accounts, perform keylogging, manipulate crypto wallet data, record screenshots, and inject scripts into sensitive websites for real-time credential theft.
Moreover, JSCEAL establishes a local proxy, installs rogue certificates, and extensively automates web interactions using embedded Node modules and Puppeteer, making it a powerful tool for both information theft and remote control.
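The stages described above (an MSI installer running PowerShell, a Node.js runtime executing a compiled .jsc file, C2 over DNS-over-HTTPS, and a rogue root certificate for the local proxy) each leave a distinct host or network trace, and a defender gains confidence by correlating several of them rather than alerting on any one. The following script is an added illustration, not Check Point's tooling or anything from the campaign: it encodes those four behaviours as hunting rules and runs them over constructed Sysmon-style events (the field names are an assumption about available telemetry; every path, hostname and command line is made up for the demo and is not an indicator from the campaign).

```python
"""Hunting rules for the JSCEAL infection chain described in the article.

Added example, not Check Point's code. Events use Sysmon-like fields
(assumption about the telemetry at hand); all sample values are constructed.
"""
from dataclasses import dataclass
import ntpath


@dataclass
class Event:
    kind: str            # "process" or "network"
    image: str           # full path of the executing binary
    parent: str = ""     # parent image (process events)
    cmdline: str = ""    # command line (process events)
    dest_host: str = ""  # destination hostname (network events)
    dest_port: int = 0


# Public DNS-over-HTTPS resolvers. Assumption: telemetry records the
# destination hostname (e.g. from TLS SNI), not just an IP address.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_msi_spawns_powershell(ev: Event) -> bool:
    """Installer stage: msiexec launching PowerShell."""
    return (ev.kind == "process" and _base(ev.image) == "powershell.exe"
            and _base(ev.parent) == "msiexec.exe")


def rule_node_runs_jsc(ev: Event) -> bool:
    """Payload stage: node.exe executing a compiled .jsc file from a
    user-writable location (AppData or Temp)."""
    if ev.kind != "process" or _base(ev.image) != "node.exe":
        return False
    cmd = ev.cmdline.lower()
    return ".jsc" in cmd and ("\\appdata\\" in cmd or "\\temp\\" in cmd)


def rule_doh_from_node(ev: Event) -> bool:
    """C2 stage: node.exe talking to a public DoH resolver. Browsers use
    DoH legitimately, so the rule is scoped to the Node runtime."""
    return (ev.kind == "network" and _base(ev.image) == "node.exe"
            and ev.dest_port == 443 and ev.dest_host.lower() in DOH_HOSTS)


def rule_root_cert_install(ev: Event) -> bool:
    """Proxy stage: a certificate added to the machine root store."""
    if ev.kind != "process":
        return False
    cmd = ev.cmdline.lower()
    via_certutil = (_base(ev.image) == "certutil.exe"
                    and "-addstore" in cmd and "root" in cmd)
    via_ps = "import-certificate" in cmd and "localmachine\\root" in cmd
    return via_certutil or via_ps


RULES = {
    "msi_spawns_powershell": rule_msi_spawns_powershell,
    "node_runs_jsc": rule_node_runs_jsc,
    "doh_from_node": rule_doh_from_node,
    "root_cert_install": rule_root_cert_install,
}


def triage(events):
    """Return {rule_name: [event indices]} for every rule that fired."""
    hits = {}
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(i)
    return hits


def verdict(hits, threshold=2):
    """Single rules are noisy; require several stages of the chain."""
    return "likely JSCEAL chain" if len(hits) >= threshold else "no chain"


# Constructed sample telemetry: four malicious-looking events followed by
# three benign ones that each resemble a single stage in isolation.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BAD_NODE = r"C:\Users\victim\AppData\Roaming\TradeApp\node.exe"
SAMPLE_EVENTS = [
    Event("process", PS, parent=r"C:\Windows\System32\msiexec.exe",
          cmdline=r"powershell.exe -File C:\Users\victim\AppData\Local\Temp\setup.ps1"),
    Event("process", BAD_NODE, parent=PS,
          cmdline=r'node.exe "C:\Users\victim\AppData\Roaming\TradeApp\app.jsc"'),
    Event("network", BAD_NODE, dest_host="dns.google", dest_port=443),
    Event("process", r"C:\Windows\System32\certutil.exe", parent=PS,
          cmdline=r"certutil.exe -addstore Root C:\Users\victim\AppData\Local\Temp\proxy.cer"),
    Event("process", r"C:\Program Files\nodejs\node.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="node.exe server.js"),
    Event("network", r"C:\Program Files\Mozilla Firefox\firefox.exe",
          dest_host="cloudflare-dns.com", dest_port=443),
    Event("process", PS, parent=r"C:\Windows\explorer.exe",
          cmdline=r"powershell.exe -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for name, idx in hits.items():
        print(f"{name}: events {idx}")
    print(verdict(hits))
```

The threshold in `verdict` is the important design choice: PowerShell under msiexec, a developer's Node process, or a browser's DoH traffic are all ordinary on their own, so the script only raises a verdict when at least two distinct stages of the chain appear on the same host.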
Low Detection Rates and Significant Global Impact
Despite the campaign’s scale, with an estimated 3.5 million users exposed in the EU alone, JSCEAL’s use of compiled and obfuscated JavaScript has resulted in extremely low detection rates by traditional antivirus tools.
Most malicious files remained undetected in VirusTotal submissions for extended periods.
As cryptocurrency adoption continues to rise, this campaign underscores the growing threat of sophisticated malware exploiting trusted platforms and evasive code techniques to target digital assets.
Security experts recommend heightened scrutiny of social media ads and careful verification of crypto application downloads.