Sealed Chain of Deception: Actors leveraging Node.JS to Launch JSCeal
Essential information
- Published
- 31/07/2025 09:54
- Modified
- 31/07/2025 11:17
- Tags
- 2025-07-31 cryptocurrency evasion fake apps jsc jsceal malvertising multi-stage node.js powershell stealer
- Related entities
- 200 observables, 13 techniques (mitre), 1 malware, 2 others
Description
A sophisticated malware campaign called JSCEAL is targeting cryptocurrency users through fake apps impersonating popular trading platforms. The attackers use malicious ads to lure victims into downloading installers that deploy a multi-stage infection chain. This includes PowerShell scripts for profiling and a final payload of compiled JavaScript (JSC) files executed via Node.js. The JSCEAL malware steals crypto-related data and credentials while employing advanced evasion techniques. The campaign has potentially reached millions of users across multiple countries, primarily targeting the cryptocurrency and financial sectors.