News

Scammers are now hooking low-hanging bait with crypto malvertising

By CybersecAsia editors | Sunday, May 11, 2025, 11:31 PM Asia/Singapore

They are deploying fake crypto ads, using stealthy malware, and spoofing crypto celebrities to lure victims with promises of quick riches.

According to the threat researchers from a cybersecurity firm, a persistent malvertising campaign is plaguing Facebook, leveraging the reputations of well-known cryptocurrency exchanges to lure victims into a maze of malware.

The threat involves the deployment of cleverly disguised front-end scripts and custom payloads on users’ devices, all under the guise of legitimate cryptocurrency platforms and influencers.

The malvertising campaign has been operating for several months, consistently producing new advertisements. It heavily leverages the imagery and trust associated with cryptocurrency brands, and it remains active with fresh ads appearing regularly.

Tactics used
The initial malware is allegedly delivered via covert communication between a malicious website’s front end and a server on localhost, a method that evades detection by most security vendors. By orchestrating malware deployment through a seemingly harmless intermediary, attackers remain stealthy. The chain then proceeds as follows:

  • Hundreds of ads impersonating trusted cryptocurrency exchanges and trading platforms have been put online to drastically increase the odds that potential victims will view the malicious ads and be convinced to interact with the prompts. The cybercriminals use Meta’s ad network to tout quick financial gains and crypto bonuses, with some ads seeking to bolster credibility by featuring the image of public figures such as Elon Musk or Cristiano Ronaldo.
  • Advanced tracking and evasion: The threat actors use sophisticated anti-sandbox checks, delivering malware only to users who match specific demographic or behavioral profiles. Query parameters related to Facebook Ads are used to identify legitimate victims, while suspicious or automated analysis environments receive benign content. Users who view a malicious ad are redirected to a website that impersonates a known cryptocurrency platform and are then prompted to download a “desktop client”. If the site detects suspicious conditions (for example, missing ad-tracking parameters or an environment typical of automated security analysis), it displays harmless, unrelated content instead. In particular, no malicious content is shown to users who load the website without the specific query parameters of the Facebook ads (examples include utm_campaign, utm_content, fbid and cid), to users who are not logged into Facebook, or to users whose IP address or operating system does not interest the attackers.
  • Newer variants go a step further, prompting users to open the site using Microsoft Edge; opening it with other browsers leads to random, non-malicious content, further complicating detection efforts. One particularly deceptive instance is a Facebook clone that mirrors TradingView’s official Facebook page. From the profile pictures to posts and comments touting a free ‘Annual Ultimate Subscription’, everything is fabricated, except for the central buttons that redirect victims to the real Facebook website.
  • Researchers have uncovered hundreds of Facebook accounts promoting these malware-delivering pages, all pushing financial benefits. In one notable example, a single page ran over 100 ads in a single day (9 April, 2025). While many ads are quickly removed, some garner thousands of views before takedown. Targeting is frequently fine-tuned to maximize reach, for example by focusing on men aged 18+ in Bulgaria and Slovakia.
  • All analyzed malware samples had the name installer.msi and were around 800KB in size. After installation, the malicious software would open the page of the impersonated entity through msedge_proxy.exe. Victims also receive a suspicious DLL file that launches a local .NET-based server on port 30308 (or 30303 in a newer version). By dynamically adjusting to the victim’s environment and continuously updating payloads, the threat actors maintain a resilient, highly evasive operation. Multiple layers of obfuscation, sandbox checks, and real-time payload evolution make this campaign a sophisticated challenge for researchers and security providers.
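The indicators the researchers describe (ad-tracking query parameters on the landing page, an ~800KB installer.msi download, and a browser talking to a .NET server on localhost port 30308 or 30303) can be correlated per client. The script below is an added illustration, not Bitdefender's or the article's own code; it runs over constructed web-request telemetry lines in an assumed `<timestamp> <client> <method> <url> <status> <bytes>` format, and the 700-900KB size window is an assumed tolerance around the reported ~800KB.

```python
"""Correlate the malvertising chain's indicators per client (added example).
Three indicators from the article: Facebook ad query parameters on the landing
page, an installer.msi of roughly 800KB, and browser requests to a localhost
server on port 30308 or 30303. Two or more on one client raises an alert."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

AD_PARAMS = {"utm_campaign", "utm_content", "fbid", "cid"}  # named in the article
LOCAL_PORTS = {"30308", "30303"}                             # named in the article
MSI_SIZE_RANGE = (700_000, 900_000)  # assumed window around "around 800KB"

# Assumed telemetry format: "<ts> <client> <method> <url> <status> <bytes>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse_line(line):
    """Parse one telemetry line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, size = m.groups()
    return {"ts": ts, "client": client, "url": url, "status": int(status), "size": int(size)}

def classify(rec):
    """Return the set of indicator names a single request matches."""
    u = urlsplit(rec["url"])
    hits = set()
    if AD_PARAMS & set(parse_qs(u.query)):
        hits.add("ad_params")
    if u.path.lower().endswith("installer.msi") and MSI_SIZE_RANGE[0] <= rec["size"] <= MSI_SIZE_RANGE[1]:
        hits.add("msi_download")
    if u.hostname in ("localhost", "127.0.0.1") and u.port is not None and str(u.port) in LOCAL_PORTS:
        hits.add("localhost_server")
    return hits

def find_suspects(lines):
    """Map client -> sorted indicator list for clients matching two or more indicators."""
    per_client = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        per_client[rec["client"]] |= classify(rec)
    return {c: sorted(h) for c, h in per_client.items() if len(h) >= 2}

SAMPLE_LOG = [  # constructed sample traffic, not real data
    "2025-04-09T10:00:01Z 10.0.0.5 GET https://tradingview-promo.example/?utm_campaign=bonus&fbid=123&cid=9 200 5120",
    "2025-04-09T10:00:40Z 10.0.0.5 GET https://tradingview-promo.example/download/installer.msi 200 812345",
    "2025-04-09T10:02:10Z 10.0.0.5 GET http://localhost:30308/status 200 88",
    "2025-04-09T10:03:00Z 10.0.0.7 GET https://news.example/article?utm_campaign=daily 200 20480",
]

if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG))  # {'10.0.0.5': ['ad_params', 'localhost_server', 'msi_download']}
```

A single utm_campaign parameter on its own (client 10.0.0.7) is ordinary marketing traffic and is deliberately not alerted on; the value is in the combination.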

The threat researchers, from Bitdefender Labs, cited facing and uncovering multiple techniques that prevented end-to-end analysis of the threat: from the measures taken on the malicious websites (displaying non-malicious content based on traffic metadata) to anti-sandbox actions (for example, the looped PowerShell task would not download the final payload in dynamic analysis environments).

Despite the sophistication and innovation of the campaign, immunization still comes down to following the golden rules of basic cybersecurity hygiene.

A typically alluring fake ad luring people to download sophisticated multi-stage malware

Copyright © 2025 CybersecAsia All Rights Reserved.