Think you're downloading Binance? It’s malware in disguise


Hackers are disguising malware as legit crypto trading tools, turning your curiosity about bitcoin into a full-blown system compromise.

Your next crypto download might not just drain your bank account; it could hijack your entire system.

In a growing campaign tracked by Microsoft since late 2024, threat actors are leaning into the popularity of cryptocurrency trading platforms to deliver malware through malvertising – fake ads and download links made to look like real software.


The attacks start with bogus ads that bait victims with flashy crypto download links – such as fake Binance or TradingView installers.

It works like this. Imagine you’re searching for a crypto tool and stumble across a seemingly legit download link.

Maybe it looks like a premium installer. Maybe it's a slick "boosted" ad on a shady site. Either way, you click, download, and launch. But instead of getting a trading app, you just ran a malicious installer.


Once the victim runs the fake installer, a sneaky DLL is dropped behind the scenes. It scrapes system info – everything from your Windows system details to your BIOS, GPU, and processor info. It also creates backdoors and phones home to attacker-controlled servers.

Once inside, the attackers download Node.js, the beloved runtime of developers everywhere, along with malicious scripts that dig into your browser data, network connections, and maybe even your saved passwords.

Making matters worse, the malware does its job silently. It sets up scheduled PowerShell tasks that hide from security tools, ensuring that even follow-up payloads can execute without tripping alarms.

Then it disables proxy settings, manipulates registry keys, adds rogue certificates, and even collects browser-stored credentials – all while pretending to be that helpful crypto app you thought you downloaded.


How to stay safe?

1. Only download from verified sources

If you're downloading trading software, go straight to the source. That means official websites or trusted app stores – not search ads, shady forums, or third-party links floating around Reddit.

2. Ignore the FOMO

If it looks too good to be true – like a “pro” version of a crypto app or a slick new tool promising faster trades – it probably is. Hackers know you’re impulsive when money's involved, and they count on it.

3. Double-check installers

Before you open any installer, inspect the file name, digital signature, and where it came from. If your browser flagged it or Windows gives you that “are you sure?” message – listen.

4. Watch for weird behavior

Slower system? Random pop-ups? PowerShell windows flashing open? These could be signs that something sketchy is running in the background.

5. Lock down Node.js


Unless you’re a developer, Node.js shouldn’t be running on your system. Block or monitor node.exe processes in your security tools – and if it starts by itself? You’ve got a problem.

6. Turn on real security tools

Use a solid endpoint protection tool, enable cloud-delivered antivirus, and don’t just rely on built-in Windows Defender settings. Set your firewall to block unknown or unverified domains.

7. Keep software updated

Patching isn’t sexy, but it stops a lot of attacks dead in their tracks. Keep your OS, browsers, and security tools current.
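As an added illustration of tips 4 and 5 (this is not code from the article or from Microsoft's report), the PowerShell script below checks a Windows host for two of the traces described above: scheduled tasks that launch PowerShell hidden, with an encoded command or with the execution policy bypassed, and node.exe processes running from outside the standard Node.js install folder. The trusted-folder list and the argument patterns are assumptions for a typical workstation; adjust them to your environment.

```powershell
# Added hunting script (assumptions: elevated PowerShell 5.1+ on the host being checked;
# the trusted Node.js folders and argument patterns are illustrative, not from the article).

# Scheduled tasks whose action launches PowerShell hidden, with an encoded command,
# or with the execution policy bypassed: the persistence technique the article describes.
function Get-SuspiciousPowerShellTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe       = [string]$action.Execute
            $argString = [string]$action.Arguments
            if ($exe -match 'powershell|pwsh' -and
                $argString -match '-(e|ec|enc|encodedcommand)\s|-w(indowstyle)?\s+hidden|-(ep|executionpolicy)\s+bypass') {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $exe
                    Arguments = $argString
                }
            }
        }
    }
}

# node.exe processes running from anywhere other than the standard install folder,
# reported with their command line and parent process for triage.
function Get-UnexpectedNodeProcesses {
    param([string[]]$TrustedRoots = @("$env:ProgramFiles\nodejs", "${env:ProgramFiles(x86)}\nodejs"))
    Get-CimInstance Win32_Process -Filter "Name = 'node.exe'" | ForEach-Object {
        $path    = [string]$_.ExecutablePath   # empty when the path cannot be read; still reported
        $trusted = $false
        foreach ($root in $TrustedRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }
        if (-not $trusted) {
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                Path        = $path
                CommandLine = $_.CommandLine
                Parent      = $parent.Name
            }
        }
    }
}

Get-SuspiciousPowerShellTasks | Format-Table -AutoSize
Get-UnexpectedNodeProcesses   | Format-Table -AutoSize
```

An empty result from both functions is not a clean bill of health; a hit is a starting point for triage, not proof of infection, since developers and some legitimate software also run node.exe and hidden PowerShell tasks.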