
In a new report, Bitdefender Labs has revealed a persistent and evolving malvertising campaign operating through Facebook Ads, targeting users with interests in cryptocurrency. The attackers use fake trading platforms and celebrity endorsements to lure victims into downloading a malware-laced “desktop client” from sites that appear to belong to legitimate crypto services like Binance, TradingView, or MetaMask.
The attack begins with Facebook ads promoting fake giveaways or investment tools. Some impersonate official brand pages—down to cloned TradingView Facebook profiles—while others exploit names like Elon Musk, Zendaya, or Cristiano Ronaldo, with whom Binance has NFT partnerships.

Users clicking these ads are redirected to convincing lookalike websites that prompt them to download an installer (e.g., installer.msi). But there’s a catch—malware is only served to users who meet the attacker’s specific behavioral and demographic filters.
“If the victim does not fit the behavioral profile… the website will not display malicious content. Users will be served with unrelated content instead,” the report stated.
The campaign’s evasion tactics are notably advanced. The malicious site checks for specific Facebook ad tracking parameters (e.g., utm_campaign, fbid, cid) and even filters based on browser, recommending Microsoft Edge for optimal infection.
Once conditions are met, the installer plants a malicious DLL and launches a localhost server on ports 30308 or 30303, so the orchestration traffic never leaves the host and evades external network monitoring. A shared front-end script silently communicates with this server to carry out the actual malware deployment.
The attackers employ WMI queries to fingerprint the system and use the /set and /query routes to execute commands or schedule tasks through Windows Task Scheduler. This is just the beginning. Once the system is profiled:
- Encoded PowerShell scripts are deployed
- Second-stage payloads are fetched from hardcoded C2 servers
- Malware exfiltrates system info, location, GPU data, OS/BIOS details
- In sandbox environments, the payload enters an endless sleep state to evade detection
In some cases, the campaign escalates to downloading Node.js environments, .jsc files, and additional binaries.
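Because the orchestration traffic stays on loopback, the pattern described above has to be caught on the endpoint rather than at the network edge. The following Python triage routine is an added illustration of what that host-side logic looks like; it is not Bitdefender's tooling or code from the report. It runs over a handful of constructed Sysmon-style events and flags the four signals the report names: a process listening on 30308/30303, a browser calling the /set or /query routes on localhost, an encoded PowerShell command (decoded for the analyst), and a scheduled-task creation. The event field names, file paths, and process names in the sample are assumptions made for the example.

```python
"""Toy endpoint triage for the localhost-orchestration pattern (added example).
Events are constructed, Sysmon-like dicts; their field names are assumptions."""
import base64
import re
from typing import Dict, List, Optional, Tuple

SUSPECT_PORTS = {30308, 30303}       # loopback ports named in the report
SUSPECT_ROUTES = {"/set", "/query"}  # orchestration routes named in the report
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Matches the -EncodedCommand switch and its common short forms (-e, -ec, -enc),
# capturing the base64 blob that follows it.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

Finding = Tuple[str, str, str]  # (rule, image or parent, detail)


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events: List[Dict]) -> List[Finding]:
    """Apply the four host-side rules and return the findings in event order."""
    findings: List[Finding] = []
    for ev in events:
        kind = ev["kind"]
        if kind == "listen":
            if ev["port"] in SUSPECT_PORTS and ev["addr"] in LOOPBACK:
                findings.append(("localhost_listener", ev["image"], f"{ev['addr']}:{ev['port']}"))
        elif kind == "http":
            path = ev["path"].split("?", 1)[0]
            if ev["host"] in LOOPBACK and ev["port"] in SUSPECT_PORTS and path in SUSPECT_ROUTES:
                findings.append(("orchestration_route", ev["image"], path))
        elif kind == "process":
            image = ev["image"].lower()
            if image.endswith(("powershell.exe", "pwsh.exe")):
                decoded = decode_encoded_powershell(ev["cmdline"])
                if decoded is not None:
                    findings.append(("encoded_powershell", ev["image"], decoded))
            elif image.endswith("schtasks.exe") and "/create" in ev["cmdline"].lower():
                findings.append(("task_scheduled", ev["parent"], ev["cmdline"]))
    return findings


def _encoded(ps: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16le")).decode()


# Constructed sample telemetry: process/file names such as "client.exe" are invented.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CLIENT = r"C:\Users\alice\AppData\Local\Temp\client.exe"
SAMPLE_EVENTS = [
    {"kind": "listen", "image": CLIENT, "addr": "127.0.0.1", "port": 30308},
    {"kind": "http", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "host": "127.0.0.1", "port": 30308, "path": "/query?id=1"},
    {"kind": "process", "image": PS_EXE, "parent": CLIENT,
     "cmdline": "powershell.exe -nop -w hidden -enc " + _encoded("Get-WmiObject Win32_VideoController")},
    {"kind": "process", "image": r"C:\Windows\System32\schtasks.exe", "parent": CLIENT,
     "cmdline": 'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "' + CLIENT + '"'},
    # Benign noise that must not fire: a dev server on 3000 and an ordinary script run.
    {"kind": "listen", "image": r"C:\Program Files\nodejs\node.exe", "addr": "0.0.0.0", "port": 3000},
    {"kind": "process", "image": PS_EXE, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File build.ps1"},
]

if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:22} {subject}  ->  {detail}")
```

Run stand-alone, the script prints four findings and stays silent on the two benign events. In practice the same rules map onto Sysmon event IDs 1 (process create), 3 (network connect) and the listening-port data an EDR exposes; the decoded PowerShell string is the piece analysts most want, since the WMI class it queries (here a constructed `Win32_VideoController` lookup, matching the GPU fingerprinting the report describes) tells you what the stage is collecting.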
Bitdefender describes this attack as a hybrid threat, combining front-end deception with back-end localhost orchestration. It bypasses defenses, tailors infections per user, and continuously evolves.
“Throughout the analysis we have faced and uncovered multiple techniques that prevent end-to-end analysis of the threat…,” the report concluded.