Cybersecurity experts have warned of another malware-spreading campaign designed to trick crypto users into installing malicious apps and steal their assets.
According to Check Point Research (CPR), the campaign, called JSCEAL, first mentioned by Microsoft Defender Experts, has been active since at least March 2024 and leverages malicious advertisements that impersonate almost 50 common crypto trading apps.
"During the first half of 2025, threat actors promoted around 35,000 malicious advertisements, which led to a few million views in the EU alone," the researchers said, adding that, once installed, this malware steals crypto-related data such as credentials and wallets.
While there are no exact estimations about the potential losses this campaign might have caused, the researchers suggest that it "has had a significant impact." Moreover, it's still ongoing, targeting cryptoasset users in other regions, which potentially pushes its global reach beyond 10 million.
Meanwhile, JSCEAL has also evolved over time. For example, its latest version has "unique anti-analysis mechanisms" that, in combination with other techniques, lead to "extremely low detection rates."
"During our analysis, hundreds of samples associated with this activity were submitted to VirusTotal and were undetected for a prolonged period of time," CPR said. However, as parts of the campaign were exposed, some of its components were recently flagged as malicious.
In either case, according to the researchers, among the other campaigns that use JavaScriptCore (JSC) files, the JSCEAL campaign stands out for its scale, reach, and technical sophistication.
The research has shown that the criminals obtained "a large number" of domains and adopted distinctive techniques to evade detection, including sometimes avoiding deploying the final payload.
"After the victim clicks the link, a first layer of filtering is applied – meaning not every target is redirected to the fake webpage. If the target’s IP address is not within the desired range, or the referrer is not Facebook, a decoy website is displayed instead," CPR noted.
However, if the criteria are met, the potential victim is sent to a fake website in an attempt to trick them into downloading a malicious app. What's more, the researchers have found that to ensure the potential victim does not suspect anything, the installer opens a webview using msedge_proxy.exe to direct the victim to the legitimate website of the application.
"The JSCEAL payload we observed is part of a larger trend involving the usage of JSC-based payloads. Although these kinds of payloads have a low detection rate, they still depend on legitimate frameworks that can be monitored by security solutions," the researchers concluded.
Your email address will not be published. Required fields are markedmarked