Particle.news

JSCEAL Campaign Uses Compiled JavaScript to Infect Millions of Crypto Users

Check Point’s July 30 analysis details how Facebook ads hide malicious code behind fake domains to evade antivirus detection

Overview

  • Check Point researchers expose use of compiled V8 JavaScript (JSC) files to obfuscate malware code and bypass static analysis.
  • Infection flows rely on multi-stage MSI installers that run profiling scripts, exfiltrate system data via PowerShell and deploy the JSCEAL payload through Node.js.
  • Campaign operators purchase thousands of Facebook ads to promote counterfeit exchange and wallet apps, reaching an estimated 3.5 million users in the EU and over 10 million globally.
  • Latest findings reveal acquisition of dozens of domains impersonating more than 50 major crypto platforms to trick victims into installing malicious applications.
  • Check Point warns that JSCEAL remains active at scale and urges users to update antivirus solutions and verify app sources before downloading.