It starts with an ad. The branding looks familiar; Coinbase, Binance, OKX. The ad promises fast trading, high returns, or access to a new crypto platform. Click it, and you’re sent through a maze of redirects. At the end is a download: a Windows installer in .msi format.
Behind this is JSCEAL, a malware campaign that’s been quietly active since March last year. It doesn’t use zero-days because it doesn’t need to. It hides in plain sight, behind sponsored ads and familiar logos.
Check Point Research uncovered the campaign after tracking a spike in crypto-related malware infections across Europe. Their investigation points to a well-resourced threat actor using paid malvertising to deliver compiled JavaScript payloads designed to steal wallets, credentials, and session data.
A Three-Stage Infection
JSCEAL unfolds in phases. Each one builds on the last.
Stage 1: The installer. It’s hosted on a fake landing page cloned to look like a crypto exchange. The site appears trustworthy. Users are prompted to download a Windows installer. No antivirus warning.
Stage 2: Profiling. The installer runs scripts that probe the system. PowerShell commands collect machine data, installed applications, and user profiles. This helps the malware tailor its behavior. The profiling data is quietly exfiltrated.
Stage 3: The payload. The final stage is a compiled JavaScript file, specifically, a JSC file compiled via Google’s V8 engine. It executes through Node.js, bypassing many detection tools. Once active, it targets stored credentials, wallets, and session tokens related to cryptocurrency apps.
“JSCEAL uses techniques that many endpoint solutions aren’t yet built to catch,” said researchers at Check Point.
The use of compiled JSC makes the malware harder to analyze. Static detection tools struggle. The modular structure means attackers can swap in new payloads or behaviors without rewriting the whole toolset.
Reach and Impact
Between January and June 2025, Check Point estimates over 35,000 malicious ads linked to JSCEAL were served in the EU. That’s a conservative number. Using Facebook Ad Library data, researchers estimate the campaign may have reached 3.5 million users in Europe alone.
The global reach is likely above 10 million.
Despite increased detection efforts, many variants remain undetected. The attackers continue to update the payload and refine their evasion tactics.
Clean, Modular Malware
JSCEAL is a warning about where malware is heading. It’s clean, modular, and delivered through mainstream platforms. It doesn’t rely on obscure exploits, just trust, design, and user habits.
Malvertising remains an effective vector. Compiled JavaScript adds a layer of stealth. Together, they make for a potent combination.
Check Point recommends avoiding crypto app downloads from ad links. Stick to official sources. Use endpoint security tools with behavioral analysis, not just signature detection.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.