Cybersecurity researchers are calling attention to an ongoing campaign that distributes fake cryptocurrency trading apps to deploy a compiled V8 JavaScript (JSC) malware called JSCEAL that can capture data such as credentials and wallets.
The activity leverages thousands of malicious advertisements posted on Facebook in an attempt to redirect unsuspecting victims to counterfeit sites that instruct them to install the bogus apps, according to Check Point. These ads are shared either via stolen accounts or newly created ones.
“The actors separate the installer’s functionality into different components and most notably move some functionality to the JavaScript files inside the infected websites,” the company said in an analysis. “A modular, multi-layered infection flow enables the attackers to adapt new tactics and payloads at every stage of the operation.”
It’s worth noting that some aspects of the activity were previously documented by Microsoft in April 2025 and WithSecure as recently as this month, with the latter tracking it as WEEVILPROXY. According to the Finnish security vendor, the campaign has been active since March 2024.
The attack chains have been found to adopt novel anti-analysis mechanisms that rely on script-based fingerprinting, before delivering the final JSC payload.
Source: The Hacker News