Hackers Weaponizing Facebook Ads to Deploy Multi-Stage Malware Attacks

A persistent and highly sophisticated malvertising campaign on Facebook has been uncovered by Bitdefender Labs, exploiting the trust associated with major cryptocurrency exchanges to distribute multi-stage malware.

This ongoing operation, active for several months as of May 2025, leverages advanced evasion techniques, mass brand impersonation, and user-tracking mechanisms to bypass conventional security defenses.

By impersonating trusted platforms like Binance, TradingView, and MetaMask, cybercriminals lure victims with promises of financial gains and crypto bonuses, often using fabricated endorsements from public figures such as Elon Musk and Cristiano Ronaldo to enhance credibility.

The scale of this campaign is staggering, with hundreds of fraudulent ads and accounts identified, some generating thousands of views before being removed by Meta’s ad network.

Sophisticated Campaign Targets Crypto

The attack begins when unsuspecting users click on deceptive ads, redirecting them to malicious sites mimicking legitimate cryptocurrency platforms.

These sites prompt users to download a supposed “desktop client,” often named installer.msi, which deploys a malicious DLL and establishes a local .NET-based server on ports like 30308 or 30303.

This server facilitates remote payload execution and data exfiltration through endpoints like /set and /query, enabling attackers to run custom WMI queries and execute encoded PowerShell scripts.

A particularly insidious aspect of this malware is the cooperation between its front end and back end: an obfuscated SharedWorker script embedded in the malicious webpage (deobfuscated by the researchers) communicates with the localhost server to orchestrate payload delivery, adapting dynamically to the victim’s environment.


If suspicious conditions are detected, such as missing ad-tracking parameters (e.g., utm_campaign, fbid) or sandbox-like behavior, the site serves benign content instead, evading automated security analysis.

Newer variants go further and require Microsoft Edge, redirecting users of other browsers to harmless pages as another layer of detection avoidance.

The practical consequence for analysts is that the landing page has to be replayed with the complete ad click-through URL, tracking parameters intact, and (for newer variants) from Edge; otherwise it will only ever return the decoy.
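As an added illustration, not code from Bitdefender’s report or from the campaign itself, the following Python models the kind of landing-page gate the article describes. The parameter names utm_campaign and fbid and the Edge requirement come from the article; the sandbox heuristics (headless user agent, a webdriver flag, a small screen), the user-agent strings and the landing URL are assumptions made for the example. Run it to see which check a given analysis environment would fail:

```python
from urllib.parse import parse_qs, urlparse

# Parameter names taken from the article; the gate treats their absence as a
# sign the visitor did not arrive through the Facebook ad.
REQUIRED_TRACKING_PARAMS = ("utm_campaign", "fbid")

# Constructed user-agent strings for the demo (not observed values).
EDGE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0")
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")


def has_ad_tracking(url):
    """True when every expected ad-tracking parameter is present and non-empty."""
    query = parse_qs(urlparse(url).query)   # parse_qs drops blank values
    return all(query.get(name, [""])[0] for name in REQUIRED_TRACKING_PARAMS)


def is_edge(user_agent):
    """Chromium-based Edge appends an 'Edg/<version>' token to its user agent."""
    return "Edg/" in user_agent


def looks_like_sandbox(user_agent, signals):
    """Assumed sandbox heuristics; the article does not list the real ones."""
    return (
        "HeadlessChrome" in user_agent
        or bool(signals.get("webdriver"))
        or signals.get("screen_width", 1920) < 800
    )


def gate_decision(url, user_agent, signals=None):
    """Return ('lure', []) when every check passes, else ('decoy', reasons)."""
    signals = signals or {}
    reasons = []
    if not has_ad_tracking(url):
        reasons.append("missing ad-tracking parameters")
    if not is_edge(user_agent):
        reasons.append("browser is not Edge")
    if looks_like_sandbox(user_agent, signals):
        reasons.append("sandbox-like signals")
    return ("decoy" if reasons else "lure"), reasons


if __name__ == "__main__":
    # Assumed landing URL; only the query parameter names come from the article.
    landing = "https://landing.example/client?utm_campaign=crypto&fbid=123"
    for url, ua, sig in [
        (landing, EDGE_UA, {}),
        ("https://landing.example/client", EDGE_UA, {}),
        (landing, CHROME_UA, {"webdriver": True}),
    ]:
        verdict, why = gate_decision(url, ua, sig)
        print(f"{verdict:5} {url} -> {why or 'all checks passed'}")
```

The reasons list doubles as a detonation checklist: every entry is something the sandbox or analyst session must change before the site will hand over anything other than the decoy.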

Malware Deployment and Evasion Tactics

The malware’s sophistication extends to its data exfiltration and payload evolution.

PowerShell scripts downloaded from command-and-control (C2) servers continuously retrieve and execute additional malicious code, collecting system details such as installed software, GPU specifications, and geolocation data read from Windows registry keys.

Depending on the victim profile, the C2 servers may deploy tailored payloads or, in sandbox environments, inert scripts designed to waste analysis time by sleeping for hundreds of hours.
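Two of the host-side artifacts described above are cheap to hunt for: a process listening on the loopback ports the report names (30303 and 30308) and an encoded PowerShell command line whose decoded script stalls for hundreds of hours. The following Python triage helper is an added example, not Bitdefender’s tooling, and the netstat output, process names and stage-two script it operates on are constructed for the demo; only the port numbers come from the article.

```python
import base64
import re

# Ports named in the Bitdefender report for the malware's local server.
SUSPECT_PORTS = {30303, 30308}

# Constructed `netstat -ano` output for the demo, not a capture from the campaign.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
  TCP    127.0.0.1:30308        0.0.0.0:0              LISTENING       4712
  TCP    [::1]:30303            [::]:0                 LISTENING       4712
  TCP    192.168.1.20:49721     52.97.200.1:443        ESTABLISHED     3120
"""

# Constructed PID -> image name map (what `tasklist` would show); names are invented.
TASKLIST_SAMPLE = {988: "svchost.exe", 4712: "clientservice.exe", 3120: "msedge.exe"}


def find_suspect_listeners(netstat_output, tasklist):
    """Return TCP listeners on the suspect ports with the owning process name."""
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        host, _, port = parts[1].rpartition(":")   # also handles [::1]:30303
        if int(port) in SUSPECT_PORTS:
            pid = int(parts[4])
            hits.append({"addr": host, "port": int(port), "pid": pid,
                         "image": tasklist.get(pid, "unknown")})
    return hits


# -EncodedCommand and its abbreviations; the argument is Base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# Start-Sleep with a positional or -Seconds/-Milliseconds value.
SLEEP = re.compile(
    r"Start-Sleep\s+(?:-(?P<unit>s(?:econds)?|m(?:illiseconds)?)\s+)?(?P<n>\d+)", re.I)


def decode_encoded_command(cmdline):
    """Decode the script passed via -EncodedCommand, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def sleep_seconds(script):
    """All Start-Sleep durations in the script, normalised to seconds."""
    out = []
    for m in SLEEP.finditer(script):
        n = int(m.group("n"))
        unit = (m.group("unit") or "s").lower()
        out.append(n / 1000 if unit.startswith("m") else n)
    return out


def triage_command_line(cmdline, threshold_hours=24):
    """Decode an encoded PowerShell command line and flag sandbox-stalling sleeps."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False}
    longest = max(sleep_seconds(script), default=0)
    return {"encoded": True, "script": script,
            "longest_sleep_hours": longest / 3600,
            "anti_sandbox_sleep": longest >= threshold_hours * 3600}


# Constructed stage-two script: a 250-hour stall followed by GPU enumeration via WMI.
SAMPLE_SCRIPT = ("Start-Sleep -Seconds 900000; "
                 "Get-WmiObject Win32_VideoController | Select-Object Name")
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode()

if __name__ == "__main__":
    for hit in find_suspect_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("listener:", hit)
    print("command line:", triage_command_line(SAMPLE_CMDLINE))
```

On a live host, feed `netstat -ano` and `tasklist` output to the first function and process-creation telemetry (Sysmon event 1 or 4688 command lines) to the second; a loopback listener on these ports owned by anything other than a known service, or a decoded script that sleeps for days, is worth an immediate look.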

Bitdefender researchers noted that the campaign employs multiple obfuscation layers and anti-sandbox checks, making end-to-end analysis challenging.

Targeting is also fine-tuned to specific demographics, such as men aged 18 and over in countries like Bulgaria and Slovakia, to maximize the reach of the social engineering.

This hybrid threat merges front-end deception with localhost-based malware services, showcasing a remarkable ability to adapt in real-time.

Bitdefender stands out as one of the few security solutions detecting both the malicious DLL and front-end scripts through generic signatures.

The campaign underscores the dangerous intersection of social engineering via Facebook Ads and the cryptocurrency hype, transforming seemingly routine threats into complex, evasive operations.

As attackers refine their methods with evolving payloads and demographic profiling, this malvertising scheme poses a significant challenge to both users and security vendors. It highlights the need for heightened vigilance and for detection that covers the browser-side scripts as well as the host-side payloads.
