JSCEAL Malware Campaign Spreads via Fake Crypto Apps and Facebook Ads, Warn Researchers

Cybersecurity experts are warning about a sophisticated malware campaign that is distributing fake cryptocurrency trading applications to deploy a powerful JavaScript-based malware variant known as JSCEAL. This malware is capable of stealing sensitive user data, including login credentials, browser cookies, wallets, and even Telegram account details.

According to a recent analysis by Check Point, the campaign uses malicious Facebook ads to lure users to counterfeit websites that encourage them to download these rogue apps. The attackers often utilize both compromised and newly created Facebook accounts to run the ads, which mimic popular platforms like TradingView.

“The actors separate the installer’s functionality into different components and most notably move some functionality to the JavaScript files inside the infected websites,” Check Point said. This modular architecture allows attackers to dynamically alter tactics and payloads throughout the attack chain.

The campaign, active since at least March 2024, was previously highlighted by Microsoft in April 2025 and by WithSecure, which tracks it as WEEVILPROXY. It includes advanced anti-analysis techniques, such as JavaScript-based fingerprinting, and a mechanism that requires both the infected website and the installer to be active at the same time, which complicates detection and reverse engineering.

When a victim clicks the Facebook ad, they’re funneled through a redirection sequence to a fake landing page resembling legitimate crypto services. If the visitor’s IP address doesn’t meet specific conditions or if the referral isn’t from Facebook, they’re shown a decoy site instead. Meanwhile, the site hosts JavaScript files that attempt to connect to localhost on port 30303, initiating the malware deployment sequence.

The downloaded MSI installer unpacks several DLL files and launches msedge_proxy.exe to show the real website, masking suspicious behavior. These DLLs handle POST requests from the website, extract system information, and send it back via a PowerShell-based backdoor.

If the system appears valuable, the final JSCEAL malware is deployed using Node.js. It then sets up a local proxy to intercept user traffic, insert malicious scripts into banking and crypto websites, and capture data in real time. JSCEAL also performs keystroke logging, screenshot capture, and adversary-in-the-middle (AitM) attacks, and can act as a full remote access trojan (RAT).
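The attack chain described above leaves two observable artifacts a defender can correlate: a browser process opening a connection to localhost on port 30303 (the site-side JavaScript) and msedge_proxy.exe being launched from the MSI installer. The following Python sketch, added here as an illustration and not code from Check Point, WithSecure, or the article, runs that correlation over constructed EDR-style events. The event schema, the browser process list, the ten-minute window, and the choice of msiexec.exe as the parent of msedge_proxy.exe are all assumptions made for the example; the article only states that the MSI installer launches msedge_proxy.exe and that the site JavaScript targets port 30303.

```python
"""Correlate the two host-side signals of the JSCEAL installer handshake.

Events are constructed for this example and use an assumed, minimal schema:
  {"ts": <epoch seconds>, "type": "net",  "proc": <image>, "dst": <ip>, "dport": <int>}
  {"ts": <epoch seconds>, "type": "proc", "parent": <image>, "image": <image>}
"""
from collections import namedtuple

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
HANDSHAKE_PORT = 30303                       # port named in the write-up
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}  # assumed list
WINDOW_SECONDS = 600                         # assumed correlation window

Alert = namedtuple("Alert", "severity reason ts")


def find_loopback_beacons(events):
    """Browser processes connecting to loopback:30303, i.e. the landing-page
    JavaScript reaching the locally installed component."""
    return [e for e in events
            if e["type"] == "net"
            and e["dst"] in LOOPBACK
            and e["dport"] == HANDSHAKE_PORT
            and e["proc"].lower() in BROWSERS]


def find_proxy_launches(events):
    """msedge_proxy.exe started from an MSI install context. The parent image
    msiexec.exe is an assumption about how a custom-action DLL would spawn it;
    msedge_proxy.exe itself is a legitimate Edge binary, so the parent matters."""
    return [e for e in events
            if e["type"] == "proc"
            and e["image"].lower() == "msedge_proxy.exe"
            and e["parent"].lower() == "msiexec.exe"]


def correlate(events, window=WINDOW_SECONDS):
    """Pair beacons with installer launches inside the window; either signal
    alone is still reported at a lower severity so it is not lost."""
    beacons = find_loopback_beacons(events)
    launches = find_proxy_launches(events)
    alerts = []
    for b in beacons:
        if any(abs(l["ts"] - b["ts"]) <= window for l in launches):
            alerts.append(Alert("high",
                                "browser->loopback:30303 within window of "
                                "msiexec.exe->msedge_proxy.exe", b["ts"]))
        else:
            alerts.append(Alert("low",
                                "browser->loopback:30303 with no installer "
                                "activity nearby", b["ts"]))
    for l in launches:
        if not any(abs(l["ts"] - b["ts"]) <= window for b in beacons):
            alerts.append(Alert("medium",
                                "msiexec.exe spawned msedge_proxy.exe, no "
                                "loopback beacon seen", l["ts"]))
    return alerts


# Constructed sample telemetry: one full handshake, one lone beacon, and
# two benign look-alikes (a dev server on 8080, a legitimate PWA launch).
SAMPLE_EVENTS = [
    {"ts": 1010, "type": "net", "proc": "chrome.exe", "dst": "127.0.0.1", "dport": 30303},
    {"ts": 1200, "type": "proc", "parent": "msiexec.exe", "image": "msedge_proxy.exe"},
    {"ts": 5000, "type": "net", "proc": "chrome.exe", "dst": "127.0.0.1", "dport": 8080},
    {"ts": 9000, "type": "proc", "parent": "msedge.exe", "image": "msedge_proxy.exe"},
    {"ts": 20000, "type": "net", "proc": "msedge.exe", "dst": "::1", "dport": 30303},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"[{alert.severity}] ts={alert.ts}: {alert.reason}")
```

Run against the sample, the script reports one high-severity alert (beacon and installer launch 190 seconds apart) and one low-severity alert for the lone beacon; the port 8080 connection and the Edge-parented msedge_proxy.exe launch produce nothing. Shrinking the window splits the paired signals back into a low and a medium alert, which is the behaviour to expect when the two halves of the handshake are logged by different sensors with clock skew.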

“This sophisticated piece of malware is designed to gain absolute control of the victim machine, while being resilient against conventional security tools,” Check Point added. Its compiled and obfuscated JavaScript code makes it particularly difficult to detect and analyze.
