Overview
- Check Point researchers expose the use of compiled V8 JavaScript (JSC) files to obfuscate malware code and bypass static analysis.
- Infection flows rely on multi-stage MSI installers that run profiling scripts, exfiltrate system data via PowerShell and deploy the JSCEAL payload through Node.js.
- Campaign operators purchase thousands of Facebook ads to promote counterfeit exchange and wallet apps, reaching an estimated 3.5 million users in the EU and over 10 million globally.
- The latest findings reveal the acquisition of dozens of domains impersonating more than 50 major crypto platforms to trick victims into installing malicious applications.
- Check Point warns that JSCEAL remains active at scale and urges users to update antivirus solutions and verify app sources before downloading.