The final stage infection flow | Image: Check Point Research
In a major cybersecurity revelation, Check Point Research (CPR) has disclosed the full scale of a stealthy malware campaign dubbed “JSCEAL,” which has been aggressively targeting cryptocurrency users across the globe through a combination of malvertising, fake apps, and compiled JavaScript payloads.
“JSCEAL, a campaign targeting crypto app users, leverages malicious advertisements to lure victims to install fake applications which impersonate almost 50 common cryptocurrency trading apps,” CPR reported.
JSCEAL is no small operation. CPR’s investigation revealed that during the first half of 2025 alone, threat actors behind the campaign launched approximately 35,000 malicious advertisements with a potential reach of over 3.5 million users in the EU, suggesting the global impact could easily exceed 10 million views.
These ads mimic the branding of popular cryptocurrency platforms like TradingView, luring unsuspecting users to malicious MSI installers hosted on convincingly fake websites.
The infection process is multi-layered and tightly orchestrated, involving:
- Malicious Ads on social media.
- Redirect Chains through uniquely patterned domains.
- Decoy and Fake Landing Pages to trick users into downloading malware.
- Installer-Wrapped Payloads which require the fake website to be open during installation—an advanced evasion technique.
“The fake website is essential for the installer to function. The infection flow cannot proceed without it, and any static analysis of the installer alone will be inconclusive,” CPR explained.
The malicious installer sets up local HTTP listeners on port 30303 and uses PowerShell scripts to register the victim, disable Windows Defender protections, and initiate profiling of the system environment.
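As an added illustration (not code from this article or from Check Point Research), the following Python sketch runs simple detection rules over constructed Sysmon-style events and ties together the installer behaviours described above: an MSI spawning PowerShell, PowerShell disabling Defender, loopback traffic to the local listener on port 30303, and Node.js executing a compiled .jsc file. The Set-MpPreference pattern, the parent/child pairing and the two-rule threshold are assumptions of this example, not details from the report.

```python
import re

# Port the article says the installer's local HTTP listener uses.
JSCEAL_LOCAL_PORT = "30303"
# Assumed pattern for Defender-disabling PowerShell (cmdlet choice is an assumption).
DEFENDER_DISABLE_RE = re.compile(r"set-mppreference\s+.*-disable\w+", re.I)

def match_event(ev):
    """Return the names of the rules one Sysmon-style event triggers."""
    hits = []
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    parent = ev.get("ParentImage", "").lower()
    if ev.get("EventID") == "1":  # process creation
        # MSI installer spawning PowerShell (installer-wrapped payload stage).
        if parent.endswith("msiexec.exe") and image.endswith("powershell.exe"):
            hits.append("msiexec_spawns_powershell")
        # PowerShell turning off Defender protections.
        if image.endswith("powershell.exe") and DEFENDER_DISABLE_RE.search(cmd):
            hits.append("defender_disable")
        # Node.js runtime executing a compiled JavaScript (.jsc) payload.
        if image.endswith("node.exe") and ".jsc" in cmd:
            hits.append("node_runs_jsc")
    elif ev.get("EventID") == "3":  # network connection
        # Loopback traffic to the installer's local listener.
        if ev.get("DestinationIp") == "127.0.0.1" and ev.get("DestinationPort") == JSCEAL_LOCAL_PORT:
            hits.append("loopback_30303")
    return hits

def score_events(events):
    """Group rule hits per host; report hosts where >= 2 distinct rules fired."""
    per_host = {}
    for ev in events:
        for rule in match_event(ev):
            per_host.setdefault(ev.get("Computer", "?"), set()).add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= 2}

# Constructed sample telemetry, not real events from the campaign.
SAMPLE_EVENTS = [
    {"EventID": "1", "Computer": "WS01", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": "3", "Computer": "WS01", "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": "30303"},
    {"EventID": "1", "Computer": "WS01", "ParentImage": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "Image": r"C:\Users\u\AppData\Local\Temp\node.exe", "CommandLine": "node.exe app.jsc"},
    {"EventID": "1", "Computer": "WS02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\nodejs\node.exe", "CommandLine": "node.exe server.js"},
]
```

Calling `score_events(SAMPLE_EVENTS)` reports only WS01, where all four rules fire; the benign Node.js process on WS02 matches nothing.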
At the heart of this campaign is JSCEAL, a malware payload written in compiled V8 JavaScript (JSC) and delivered through Node.js. This payload is heavily obfuscated, modular, and resilient against static detection.
“The final, and most interesting payloads… are compiled JavaScript files (JSC)… designed to gain absolute control of the victim machine, while being resilient against conventional security tools,” the report noted.
JSCEAL’s capabilities include:
- Keylogging and clipboard hijacking
- Stealing cookies, passwords, and wallet information
- Puppeteer-based browser automation
- Real-time credential interception via Man-in-the-Browser attacks
- Proxying user traffic with malicious certificate injection
CPR highlights how the attackers abused PostHog, Google Analytics, and Meta Pixel to track victims, and even used valid digital certificates from unsuspecting Russian businesses to sign malware components.
“Interestingly, most of the installers (and DLLs inside the installers) are signed by valid certificates… belonging to Russian non-IT related companies,” CPR observed.
The JSCEAL campaign represents a turning point in how attackers combine malvertising, compiled JavaScript, Node.js, and social engineering into a seamless threat delivery platform.
Check Point concludes:
“Cybercrime actors continue to weaponize legitimate applications and platforms… Using JSC files allows attackers to simply and effectively conceal their code, helping it evade security mechanisms, and making it difficult to analyze.”
As compiled JavaScript becomes a go-to tool for malware authors, defenders must adapt quickly. JSCEAL shows that malware detection is no longer about just looking at binaries—it’s about dissecting entire execution environments.