Antivirus

Major new malware strain targets crypto users via malicious ads – here’s what we know, and how to stay safe

Check Point finds thousands of ads promoting fake crypto apps The apps come with an infostealer malware targeting users The infostealer can bypass most antivirus protections Cryptocurrency users are being targeted by a highly sophisticated, widespread cybercriminal campaign with the goal of deploying malware capable of grabbing exchange and wallet information, essentially robbing the people

Published 4 weeks ago in
Major new malware strain targets crypto users via malicious ads – here’s what we know, and how to stay safe
  • Check Point finds thousands of ads promoting fake crypto apps
  • The apps come with an infostealer malware targeting users
  • The infostealer can bypass most antivirus protections

Cryptocurrency users are being targeted by a highly sophisticated, widespread cybercriminal campaign with the goal of deploying malware capable of grabbing exchange and wallet information, essentially robbing the people of their tokens, experts from Check Point have warned.

Apparently active since March 2024, what makes this campaign, dubbed JSCEAL by the researchers, unique is the use of compiled JavaScript files (JSC), which allows the malware to remain hidden from most traditional antivirus solutions.

The criminals created fake cryptocurrency exchange and wallet apps, which come with an infostealer. They also created websites to host these apps, and managed to purchase thousands of advertisements on the internet to promote the scam. Check Point says that just in the European Union (EU), 35,000 malicious ads were served between January and June 2025.

You may like

  • Cryptocurrencies Criminals are targeting Bitcoin owners on Facebook with a multi-stage malware campaign – follow these steps to stay safe
  • Scam alert Stop using these 22 Android crypto and wallet apps ASAP, or you risk losing all your cryptocurrency
  • Ledger Lifestyle Image Mac users beware – fake Ledger apps are being used by hackers to steal seed phrases and hack accounts

JSCEAL malware

“The use of Facebook’s Ad Library enabled us to estimate the campaign’s reach, while in a very conservative approach we can estimate the total reach of the malvertising campaign at 3.5 million users within the EU alone, and likely above 10 million users worldwide,” the researchers explained.

People who fall for the scam download an MSI installer which triggers “a sequence of profiling scripts” that gather critical system information. These scripts also use PowerShell commands to collect and exfiltrate data, in preparation of the final payload deployment.

This final payload is the JSCEAL malware, which steals crypto-related data such as credentials and private keys. The payload is executed through Node.js, it was said.

What makes this malware particularly dangerous is the use of compiled JavaScript files.

Read More

Be the first to write a comment.

Leave a Reply

Your email address will not be published. Required fields are marked *

Antivirus

Don’t fall for McAfee’s tricky antivirus warnings on your laptop

I review a lot of laptops and I’ve noticed many of them come with a “free trial” of McAfee antivirus preinstalled. I’ve clicked through so many warnings about how my PC will be “at risk” unless I pay up for extended protection, and those McAfee alerts are in a stark red color that’s surely designed

Published 2 days ago in
Don’t fall for McAfee’s tricky antivirus warnings on your laptop

I review a lot of laptops and I’ve noticed many of them come with a “free trial” of McAfee antivirus preinstalled. I’ve clicked through so many warnings about how my PC will be “at risk” unless I pay up for extended protection, and those McAfee alerts are in a stark red color that’s surely designed to scare me…
Read More

Continue Reading
Antivirus

This antivirus actually respects your Mac

Macworld Mac users, we get it—you don’t like bloated, ugly antivirus software slowing down your beautifully tuned machines. But you also don’t want to be the one person who ignores modern cyber threats just because “Macs don’t get viruses.” Spoiler: they can and they do. If you’re looking for a lightweight…

Published 6 days ago in
This antivirus actually respects your Mac

Macworld

Mac users, we get it—you don’t like bloated, ugly antivirus software slowing down your beautifully tuned machines. But you also don’t want to be the one person who ignores modern cyber threats just because “Macs don’t get viruses.” Spoiler: they can and they do.

If you’re looking for a lightweight…
Read More

Continue Reading
Antivirus

I tested the best antivirus software for Windows: Here’s what I’d use to protect my PC

ZDNET tested the best antivirus software on the market that supports multiple operating systems, VPNS, and robust protection…

Published 6 days ago in
I tested the best antivirus software for Windows: Here’s what I’d use to protect my PC

ZDNET tested the best antivirus software on the market that supports multiple operating systems, VPNS, and robust protection…
Read More

Continue Reading
Antivirus

Your antivirus is under attack from new “killer” tool – here’s what we know

EDRKillShifter is getting a dangerous upgrade The new malware can disable AV and EDR from reputable vendors Sophos, Bitdefender, and Kaspersky among the tools being targeted Cybercriminals appear to have improved their antivirus-killing capabilities, as recent research suggest a new tool being shared within the underground community. In a new report, security researchers from Sophos

Published 2 weeks ago in
Your antivirus is under attack from new “killer” tool – here’s what we know
  • EDRKillShifter is getting a dangerous upgrade
  • The new malware can disable AV and EDR from reputable vendors
  • Sophos, Bitdefender, and Kaspersky among the tools being targeted

Cybercriminals appear to have improved their antivirus-killing capabilities, as recent research suggest a new tool being shared within the underground community.

In a new report, security researchers from Sophos said multiple ransomware groups are successfully disabling endpoint detection and response (EDR) systems before deploying the encryptor.

Originally, the group known as RansomHub developed a tool called EDRKillShifter, which Sophos says is now made obsolete thanks to this new and improved variant. The new tool can disable security software from multiple high-end vendors such as Sophos, Bitdefender, and Kaspersky.

You may like

  • ransomware avast This devious ransomware is able to hijack your system to turn off antivirus
  • A robot hand touching a locked digital shield blocking a human from accessing data Hackers can turn off Windows Defender with this sneaky new tool
  • A digital representation of a lock This top security platform is being hacked to carry out malware threats

Shifting strategies

The malware is often packed using a service called HeartCrypt, which obfuscates the code to evade detection.

Sophos found the attackers are using all sorts of obfuscation and anti-analysis techniques to protect their tools from security defenders, and in some cases, they’re even using signed drivers (either stolen or compromised).

In one case, the malicious code was embedded inside a legitimate utility, Beyond Compare’s Clipboard Compare tool, the researchers explained.

Sophos also said that multiple ransomware groups are using this new EDR-killing tool, suggesting a high level of collaboration between players.

EDRKillShifter was first spotted in mid-2024, after a failed attempt to disable an antivirus and deploy ransomware.

Sophos then uncovered that the malware dropped a legitimate, but vulnerable driver.

Now, it seems there is a new method – taking an already legitimate executable and modifying it locally by inserting malicious code and payload resources (as was the case with Beyond Compare’s tool). This is often done after the attacker has access to a

Read More

Continue Reading