New Malware JSCEAL Targets Crypto Users via Fake Trading Apps; 10 Million at Risk Globally
July 31, 2025
A new malware strain, identified as JSCEAL, is specifically targeting cryptocurrency users through malicious advertisements promoting counterfeit crypto applications.
This malware utilizes a modular infection process, employing Node.js to deploy compiled JavaScript files that ultimately lead to the installation of these fraudulent trading apps.
Cybersecurity researchers have uncovered a campaign distributing these fake cryptocurrency trading applications, which are capable of capturing user credentials and wallet data.
Victims are deceived into downloading an MSI installer that executes profiling scripts, gathering critical system information in preparation for the final malware payload.
Check Point emphasizes that the malware's modular functionality allows attackers to adapt their tactics and payloads throughout the infection process.
The attack method involves redirection from malicious ads to landing pages that host infected MSI installers, initiating staged attacks aimed at stealing user credentials and cryptocurrency assets.
JSCEAL features advanced anti-detection techniques, including script-based fingerprinting and obfuscation, which help it evade security measures and bypass traditional static analysis tools.
Between January and June 2025, approximately 35,000 malicious ads were served in the European Union, potentially reaching 3.5 million users, with the campaign's global reach estimated to exceed 10 million.
To combat this threat, Check Point Research advises cryptocurrency users to verify app authenticity, utilize advanced threat prevention tools, and refrain from engaging with suspicious advertisements.
Victims are directed to fake landing pages that mimic legitimate services, with the redirection tailored to the visitor's IP address and referrer.
Threat actors are impersonating nearly 50 reputable cryptocurrency platforms, including Binance and Revolut, to further deceive users into downloading these malware-laden applications.
The JSCEAL payload is specifically designed to steal sensitive cryptocurrency data, including user credentials and private keys, making it a significant threat to crypto users.
Summary based on 3 sources
Sources

The Hacker News • Jul 30, 2025
Hackers Use Facebook Ads to Spread JSCEAL Malware via Fake Cryptocurrency Trading Apps
TechNadu • Jul 31, 2025
JSCEAL Malware Targets Crypto Apps in Sophisticated Campaign Leveraging Facebook Ads