
Cybercriminals Exploit Facebook Ads to Launch Sophisticated Multi-Stage Malware Campaigns


A persistent and technologically advanced malvertising campaign is actively exploiting Facebook’s advertising platform, with cybercriminals impersonating trusted cryptocurrency exchanges to ensnare unsuspecting users in a web of malware.

According to a detailed investigation by Bitdefender Labs, this campaign has evolved into a formidable threat, deploying complex front-end scripts, strategic back-end payloads, and dynamic user-tracking mechanisms designed to evade both user suspicion and security countermeasures.

Multi-Layered Attack Tactics and Techniques

The campaign, reportedly ongoing for several months, bombards Facebook with a constant stream of fresh, seemingly legitimate ads that capitalize on the brand equity of high-profile cryptocurrency platforms such as Binance and TradingView.

Figure: Facebook Ads

These ads, often enhanced with endorsements from influencers or celebrities like Elon Musk and Cristiano Ronaldo, promise lucrative financial opportunities or exclusive crypto bonuses.

Unsuspecting users who click through are redirected to meticulously crafted phishing websites, which not only closely mimic the appearance of the targeted exchanges but also instruct users to download a “desktop client”, which is the entry point for the malware infection.

Central to the campaign’s stealth is the collaboration between the phishing site’s front-end and a local host on the victim’s machine.

This architecture enables malicious payloads to be delivered covertly, often bypassing traditional endpoint security and sandbox analysis.

The actors employ rigorous anti-analysis checks, leveraging unique Facebook Ad query parameters to ensure malware is only served to valid targets, while automated or suspicious environments receive innocuous content.

Moreover, the campaign utilizes granular demographic filtering, often targeting males with an interest in technology and cryptocurrencies, and tailors its infection chain to regional preferences, such as a notable focus on users in Bulgaria and Slovakia.

Malware Deployment and Command Techniques

Once the victim proceeds to install the disguised application, typically named installer.msi, the malware further executes processes via legitimate system binaries (e.g., msedge_proxy.exe) and deploys a malicious DLL.

This component establishes a local .NET-based server, typically on ports 30308 or 30303, which acts as the command hub for the compromised host.

Through two exposed routes, /set and /query, this local server enables remote payload execution and targeted data exfiltration, including the collection of system fingerprints, installed software, GPU information, geographic data, and OS or BIOS details via WMI queries.

In an additional layer of sophistication, the malicious front-end script creates a JavaScript SharedWorker that communicates directly with the local server, orchestrating further payload delivery and dynamically executing PowerShell scripts.

These scripts establish persistent connections to attacker-controlled command-and-control (C2) infrastructure, enabling ongoing retrieval and execution of additional malicious payloads.

If the victim environment matches criteria suggestive of automated analysis or a sandbox, the scripts may execute only benign commands, such as indefinitely sleeping processes, to frustrate security researchers and delay detection.

The scale of this operation is significant, with hundreds of Facebook accounts propagating thousands of malvertising campaigns.

Some accounts have managed to post over a hundred ads in a single day, accruing thousands of impressions before takedown.

Despite Facebook’s efforts to remove harmful content, the campaign’s adaptive infrastructure, rapid renewal of malicious ads, and exploitation of Facebook’s powerful targeting tools have enabled it to persist and evolve.

According to the report, Bitdefender’s research indicates that only a few security platforms currently detect the full scope of this campaign, as it combines sophisticated social engineering, technical obfuscation, and multi-stage payloads.

The attackers’ use of sandbox and traffic metadata checks, multiple infection vectors, and real-time payload updates presents a significant challenge for security professionals.

Ultimately, this campaign underscores the heightened risks posed by the intersection of social media advertising, cryptocurrency hype, and advanced cybercriminal tactics.

Organizations and individuals are urged to remain vigilant, apply robust endpoint protections, and treat unsolicited offers, especially those involving crypto platforms on social media, with extreme caution.


The post Cybercriminals Exploit Facebook Ads to Launch Sophisticated Multi-Stage Malware Campaigns appeared first on Cyber Security News.

NerdsToGo
2 days ago

Cyberattackers Targeting IT Help Desks for Initial Breach


Cybercriminals are increasingly impersonating IT support personnel and trusted authorities to manipulate victims into granting access to critical systems, according to recent analyses by cybersecurity experts. This tactic exploits inherent human tendencies to defer to perceived authority figures, enabling attackers to bypass technical defenses by leveraging psychological vulnerabilities. The shift underscores the growing sophistication of […]

The post Cyberattackers Targeting IT Help Desks for Initial Breach appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

NerdsToGo
2 days ago

Ascension says recent data breach affects over 430,000 patients

Ascension, one of the largest private healthcare systems in the United States, has revealed that the personal and healthcare information of over 430,000 patients was exposed in a data breach disclosed last month. [...]
NerdsToGo
2 days ago

Law Enforcement Takes Down Botnet Made Up of Thousands of End-Of-Life Routers


Figure: end-of-life routers botnet

A joint U.S.-Dutch law enforcement operation has taken down a botnet-for-hire that was comprised of thousands of end-of-life routers. The U.S. Department of Justice (DOJ) announcement came two days after an FBI alert warning about the Anyproxy.net and 5socks.net botnets and urging users to replace vulnerable internet routers or disable remote administration. In addition to a domain seizure warrant for Anyproxy.net and 5socks.net, the DOJ also announced the unsealing of an indictment charging four foreign nationals with conspiracy and other alleged computer crimes for operating the botnets.

More Than 7,000 End-Of-Life Routers in Botnet

The indictment alleges that the botnet was created by infecting older-model wireless internet routers worldwide. The malware allowed the routers to grant unauthorized access to third parties and made them available for sale as proxy servers on the Anyproxy and 5socks websites. Both website domains were managed by a company headquartered in Virginia and hosted on computer servers worldwide, the DOJ alleges. Court documents revealed that the 5socks.net website advertised more than 7,000 proxies for sale worldwide. Users paid a subscription fee ranging from $9.95 to $110 per month. The DOJ said the website's slogan, “Working since 2004!”, suggests that the service had been available for more than 20 years.

Russian nationals Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Aleksandr Aleksandrovich Shishkin, and Dmitriy Rubtsov, a Kazakhstani national, were charged with Conspiracy and Damage to Protected Computers for conspiring with others to maintain, operate, and profit from the botnet services. Chertkov and Rubtsov were also charged with False Registration of a Domain Name for allegedly falsely identifying themselves when they registered and used the domains Anyproxy.net and 5socks.net. The DOJ said the defendants “are believed to have amassed more than $46 million from selling access to the infected routers that were part of the Anyproxy botnet.”

Also credited in the operation were the Eastern District of Virginia, the Dutch National Police (Amsterdam Region), the Netherlands Public Prosecution Service (Openbaar Ministerie), and the Royal Thai Police. Lumen Technologies’ Black Lotus Labs also assisted in the investigation.

13 Vulnerable Routers Identified

The May 7 FBI alert listed 13 vulnerable routers. Those devices include:
  • E1200
  • E2500
  • E1000
  • E4200
  • E1500
  • E300
  • E3200
  • WRT320N
  • E1550
  • WRT610N
  • E100
  • M10
  • WRT310N
The FBI recommended that users “identify if any of the devices vulnerable to compromise are part of their networking infrastructure. If so, these devices should be replaced with newer models that remain in their vendor support plans to prevent further infection. Alternatively, a user can prevent infection by disabling remote administration and rebooting the device.”
NerdsToGo
2 days ago

Google Pays $1.375 Billion to Texas Over Unauthorized Tracking and Biometric Data Collection

Google has agreed to pay the U.S. state of Texas nearly $1.4 billion to settle two lawsuits that accused the company of tracking users' personal location and maintaining their facial recognition data without consent. The $1.375 billion payment dwarfs the fines the tech giant has paid to settle similar lawsuits brought by other U.S. states. In November 2022, it paid $391 million to a group of 40

NerdsToGo
2 days ago

Phishing Kits Are Growing More Sophisticated; Focused on Bypassing MFA


Researchers at Cisco Talos warn that major phishing kits continue to incorporate features that allow them to bypass multi-factor authentication (MFA).

NerdsToGo
4 days ago