
JSCEAL Targets Crypto App Users – A New Threat in the Cyber Security Landscape

Key Points:
- Check Point Research has discovered the JSCEAL campaign, which targets crypto app users by leveraging malicious advertisements
- The campaign uses fake applications impersonating popular cryptocurrency trading apps, with over 35,000 malicious ads served in the first half of 2025, generating millions of impressions in the EU alone
- JSCEAL malware, which is delivered through sophisticated multi-layered infection flows, steals cryptocurrency-related data like credentials and wallets, making it a serious threat to crypto app users
- The campaign utilizes a modular structure, enabling attackers to adapt new tactics and payloads as needed, which makes the attack difficult for traditional security mechanisms to detect and prevent
Introduction
At Check Point, we continuously monitor emerging cyber security threats to help protect our users from evolving risks. In this blog, we delve into the JSCEAL campaign, which has been actively targeting crypto app users since March 2024. By utilizing advanced tactics and leveraging malicious advertisements, this campaign has been highly successful in evading detection and distributing a sophisticated malware payload.
JSCEAL, which impersonates popular crypto trading apps, is particularly concerning because it employs compiled JavaScript files (JSC), a technique that allows malware to remain hidden from traditional security solutions. This blog highlights the technical aspects of the JSCEAL attack chain and explores its impact.
Background
The JSCEAL campaign uses compiled V8 JavaScript (JSC) files, a lesser-known feature of Google’s V8 engine that enables code obfuscation and evasion of static analysis. This innovative technique allows attackers to bypass detection systems, making it extremely challenging to detect the malicious code until it executes. JSCEAL is notable for its scale, technical complexity, and persistence, having evolved significantly since its discovery.
Our team has observed this campaign’s impressive growth, with several thousand malicious ads promoting fake crypto apps and leading unsuspecting users to download the malware-laced installers. Despite being detected and analyzed, many versions of the malware remain undetected by common security tools.
Infection Chain
JSCEAL operates in three key stages: Initial Deployment, Profiling Scripts, and the Final JSC Payload. The campaign starts with malicious advertisements that lead users to download MSI installers from fake websites. These installers rely on a complex system that combines JavaScript and MSI components, making it challenging to analyze and detect in isolation.
Stage 1: Initial Deployment
The campaign begins with paid malvertising on social media, where attackers impersonate crypto apps and financial institutions to lure users. Once users click on these ads, they are redirected through multiple layers of redirection to a fake landing page that prompts them to download an MSI installer.
Stage 2: Profiling Scripts
Upon execution, the MSI installer triggers a sequence of profiling scripts that gather critical system information, such as machine data, installed software, and user configurations. These scripts use PowerShell commands to collect and exfiltrate the data, preparing the system for the final payload.
Stage 3: Final JSC Payload
The final stage involves the deployment of the JSCEAL malware, which steals sensitive cryptocurrency-related information, including credentials and wallets. The payload is executed through Node.js, a JavaScript runtime that allows the malware to bypass detection by conventional security systems.
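The three stages above, expressed as hunting heuristics over process-creation telemetry. This is an added example and not code from the Check Point report; the Sysmon-style events, host names, paths and file names are constructed, and the rules assume the chain runs as msiexec.exe spawning PowerShell, which in turn starts node.exe on a .jsc file.

```python
"""Hunting heuristics for the chain described above: MSI installer ->
PowerShell profiling scripts -> Node.js executing a compiled JSC payload."""
import re
from collections import defaultdict

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
NODE = {"node.exe", "node"}

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec /i "C:\Users\alice\Downloads\TradeApp-Setup.msi"'},
    {"host": "ws01", "parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -NoProfile -File C:\Users\alice\AppData\Local\Temp\profile.ps1"},
    {"host": "ws01", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Local\TradeApp\node.exe",
     "cmd": r"node.exe C:\Users\alice\AppData\Local\TradeApp\app.jsc"},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",  # benign developer use
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmd": r"node.exe C:\dev\project\server.js"},
]

def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (host, rule, command line) tuples for suspicious events."""
    alerts = []
    for e in events:
        parent, image, cmd = _name(e["parent"]), _name(e["image"]), e["cmd"]
        # Stage 2: the installer itself spawning a shell for profiling scripts.
        if parent == "msiexec.exe" and image in SHELLS:
            alerts.append((e["host"], "msi_spawns_shell", cmd))
        if image in NODE:
            # Stage 3: Node.js handed a compiled .jsc file instead of readable .js.
            if re.search(r'\.jsc(\s|"|$)', cmd, re.I):
                alerts.append((e["host"], "node_runs_jsc", cmd))
            # Stage 3: Node.js started by the installer or its PowerShell stage.
            if parent in {"msiexec.exe", "powershell.exe", "pwsh.exe"}:
                alerts.append((e["host"], "node_from_installer_chain", cmd))
    return alerts

def score_hosts(alerts):
    """Escalate hosts on which both the profiling and the JSC stage were seen."""
    rules = defaultdict(set)
    for host, rule, _ in alerts:
        rules[host].add(rule)
    return {h: ("high" if {"msi_spawns_shell", "node_runs_jsc"} <= r else "medium")
            for h, r in rules.items()}
```

The rules are tuned for end-user workstations; developer machines that legitimately run Node.js from scripts will need allow-listing on the third rule.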

(Figure: abstract infection flow)
Scope of the Campaign
The reach of the JSCEAL campaign has been extensive, particularly within the EU, where an estimated 35,000 malicious ads were served between January and June 2025. This number does not account for non-EU countries, indicating the global scale of the threat. Facebook’s Ad Library enabled us to estimate the campaign’s reach: even with a very conservative approach, the total reach of the malvertising campaign is around 3.5 million users within the EU alone, and likely above 10 million users worldwide.
Key Takeaways
JSCEAL represents a significant step forward in how cybercriminals use legitimate platforms to conduct attacks. By using JSC payloads, attackers can effectively hide their code and evade security solutions, making it harder to detect the attack early. The ability of JSCEAL to gather and exfiltrate sensitive data from crypto users highlights the need for stronger security measures for cryptocurrency platforms and their users.
Conclusion
Cybercriminals continue to leverage sophisticated tactics to target users of popular applications, with the JSCEAL campaign serving as a prime example of this trend. As attackers adopt more advanced techniques such as compiled JavaScript and Node.js, traditional security measures are increasingly challenged. However, with the right security tools and proactive defense strategies, organizations can better defend against these evolving threats.
Protections
Check Point’s Threat Emulation and Harmony Endpoint solutions provide robust protection against the tactics and threats described in this post. These tools are designed to detect and block JSCEAL-like attacks, ensuring that both individual users and organizations are protected against this and similar emerging threats.
For a deeper dive, read the report here.