Threat Actors Use Facebook and Google Ads to Impersonate Financial Platforms and Steal Sensitive Data

Bitdefender researchers have uncovered a sophisticated, multi-platform malvertising campaign that began on Facebook Ads and has since expanded to Google Ads and YouTube, distributing advanced crypto-stealing malware under the guise of “free access” to premium trading tools.

By hijacking legitimate advertiser accounts and verified YouTube channels, cybercriminals deliver unlisted video ads and malicious downloads designed to harvest credentials, inject malware, and maintain persistent access to compromised systems.

Campaign Evolution: From Facebook Ads to YouTube and Google Ads

The campaign’s origins date back over a year, initially leveraging Facebook’s ad network to lure victims with promises of complimentary subscriptions to TradingView Premium and other financial platforms.

Victims clicking these ads were redirected either to benign landing pages or, when the visitor matched the attackers' targeting criteria, to malicious payloads protected by elaborate anti-analysis defenses.

In a recent escalation, threat actors infiltrated a Norwegian design agency’s Google advertiser account and commandeered a verified YouTube channel.

The hijacked channel was revamped with official TradingView branding logos, banners, and playlists cloned directly from the genuine channel while retaining its verified badge to project credibility.

Unlisted video ads, such as “Free TradingView Premium Secret Method They Don’t Want You to Know,” amassed over 182,000 views within days, all served exclusively through paid placements to evade public detection and moderation.

Several red flags distinguish the fake channel: a different handle (not @TradingView), only 96 views on its public channel page despite TradingView's popularity (the 182,000 views came from paid, unlisted placements), and the absence of original content.

The impersonation relies entirely on unlisted ad videos, which are shown only through paid placements, thereby avoiding public scrutiny while maintaining the appearance of legitimacy through verified status and professional branding.

Advanced Malware Delivery and Multi-Stage Infection

Once a user engages with the ad, the embedded download link delivers an installer named installer.exe.

These payloads include oversized downloaders (exceeding 700 MB) that frustrate automated sandboxes and embed multi-stage, encrypted installers with anti-sandbox checks for virtualized environments.
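One practical triage step for the oversized downloaders described above is to measure how much of the file is filler before deciding whether it is worth detonating. The following is an added example and is not Bitdefender's tooling or the campaign's code; it assumes the bloat is a run of identical bytes appended to the real binary, which is a common way to inflate a file past sandbox size limits, although the write-up does not say how these samples were padded. The sample file is constructed in memory.

```python
"""Detect an inflated downloader by measuring the homogeneous filler at its tail.

Added example, not from the Bitdefender write-up.  Assumption: the padding is
a single repeated byte appended after the real payload (the page does not say
how the 700 MB samples were inflated).  Works on any seekable binary stream,
so a real file can be passed with open(path, "rb").
"""
import hashlib
import io

CHUNK = 1 << 16  # 64 KiB read size, so a 700 MB file is scanned from the end in steps


def trailing_filler(f, chunk=CHUNK):
    """Return (filler_byte, filler_len): the run of one repeated byte that ends
    the stream.  The file is read backwards in chunks and the scan stops at the
    first chunk that is not uniform."""
    f.seek(0, io.SEEK_END)
    size = f.tell()
    if size == 0:
        return None, 0
    f.seek(size - 1)
    filler = f.read(1)
    run = 0
    pos = size
    while pos > 0:
        step = min(chunk, pos)
        pos -= step
        f.seek(pos)
        block = f.read(step)
        if block == filler * step:      # whole chunk is filler, keep walking back
            run += step
            continue
        i = len(block)                  # partial chunk: count only its uniform suffix
        while i > 0 and block[i - 1:i] == filler:
            i -= 1
        run += len(block) - i
        break
    return filler, run


def triage(f, min_filler=64 << 20):
    """Summarise a downloader: total size, filler size, effective payload size,
    and a SHA-256 over the payload without the filler.  A file whose filler
    exceeds min_filler (default 64 MiB) is reported as inflated."""
    filler, run = trailing_filler(f)
    f.seek(0, io.SEEK_END)
    total = f.tell()
    effective = total - run
    f.seek(0)
    digest = hashlib.sha256()
    remaining = effective
    while remaining > 0:
        block = f.read(min(CHUNK, remaining))
        if not block:
            break
        digest.update(block)
        remaining -= len(block)
    return {
        "total": total,
        "filler_byte": filler,
        "filler_len": run,
        "effective": effective,
        "inflated": run >= min_filler,
        "payload_sha256": digest.hexdigest(),
    }


def make_sample(payload_len, filler_len, filler=b"\x00"):
    """Constructed test input: a fake 'binary' (MZ header followed by a byte
    ramp) with filler_len bytes of padding appended.  Not a real sample."""
    payload = (b"MZ" + bytes(range(256)) * ((payload_len // 256) + 1))[:payload_len]
    return payload + filler * filler_len


if __name__ == "__main__":
    # Scaled-down stand-in for a 700 MB downloader: 10 KiB of payload, 3 MiB of nulls.
    report = triage(io.BytesIO(make_sample(10240, 3 << 20)), min_filler=1 << 20)
    print(report)
```

The payload hash is taken over the trimmed region so that two samples padded to different sizes can still be matched, and a file reported as inflated can be trimmed to its effective size before being submitted to a sandbox that enforces an upload limit.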

Data Theft

This executable establishes a Scheduled Task titled EdgeResourcesInstallerV12-issg, which executes a custom PowerShell loader.

The loader decrypts obfuscated service-worker scripts that use StreamSaver.js to stream the next-stage malware to disk.

Communication with the command-and-control infrastructure occurs over WebSocket on port 30000 via the /config endpoint, replacing older HTTP-based front-end routes on ports 30303 and 30308.

Post-decryption, the payload installs modules including a network traffic interceptor that proxies all HTTP/S requests, keyloggers and screenshot utilities for data capture, cryptocurrency wallet extractors targeting local storage and browser extensions, and persistence mechanisms that add Windows Defender exclusion rules.

Variant.DenoSnoop.Marte.1 identifies the initial loader, while the final payload, known as JSCEAL or WeevilProxy, offers sophisticated stealer capabilities with both espionage and remote access functions.
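The behaviours described in this section (a scheduled task with a fixed name that launches a PowerShell loader, Defender exclusion writes, and a WebSocket channel on port 30000 alongside the older 30303/30308 ports) are all visible in ordinary endpoint telemetry. The following hunt script is an added example written for this article, not Bitdefender's detection logic. The events are constructed to resemble a Sysmon JSON export (Event ID 1 process creation, 13 registry value set, 3 network connection) and reuse Sysmon's field names, but every value in them, including hostnames, IP addresses, paths and the encoded-command placeholder, is made up for the demo.

```python
"""Hunt for the persistence and C2 traits reported in this campaign.

Added example, not Bitdefender's tooling.  SAMPLE_EVENTS is a constructed
stand-in for a Sysmon JSON export: field names follow Sysmon's schema,
values (hosts, IPs, paths, the base64 placeholder) are invented for the demo.
"""
import json
import re

TASK_NAME = "EdgeResourcesInstallerV12-issg"     # task name reported in the write-up
C2_PORTS = {30000, 30303, 30308}                 # current WebSocket port and the older HTTP ports
DEFENDER_EXCL = "\\windows defender\\exclusions\\"  # registry path written when an exclusion is added
TASK_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)   # pulls the task name out of a schtasks command line
ENCODED_PS_RE = re.compile(r"-(enc|encodedcommand)\b", re.I)

SAMPLE_EVENTS = [
    # benign: a browser on a normal HTTPS port
    {"EventID": 3, "Computer": "WS01", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # installer.exe registering the task that launches the PowerShell loader
    {"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\schtasks.exe",
     "ParentImage": "C:\\Users\\alice\\Downloads\\installer.exe",
     "CommandLine": 'schtasks /create /tn "EdgeResourcesInstallerV12-issg" /sc onlogon '
                    '/tr "powershell.exe -nop -w hidden -enc AAAA"'},   # AAAA is a placeholder, not real payload
    # loader adding a Defender path exclusion for its drop directory (constructed path)
    {"EventID": 13, "Computer": "WS01",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                     "C:\\Users\\alice\\AppData\\Local\\EdgeRes",
     "Details": "DWORD (0x00000000)"},
    # loader opening the WebSocket C2 channel on port 30000
    {"EventID": 3, "Computer": "WS01",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 30000},
    # benign: an admin creating an unrelated backup task
    {"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\schtasks.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'schtasks /create /tn "NightlyBackup" /sc daily /tr "C:\\Tools\\backup.exe"'},
]


def hunt(events):
    """Return a list of (rule, host, detail) tuples for events matching the
    campaign's persistence and C2 traits."""
    hits = []
    for ev in events:
        host = ev.get("Computer", "?")
        eid = ev.get("EventID")
        image = ev.get("Image", "").lower()

        if eid == 1 and image.endswith("schtasks.exe"):
            cmd = ev.get("CommandLine", "")
            match = TASK_RE.search(cmd)
            name = match.group(1) if match else ""
            if name.lower() == TASK_NAME.lower():
                hits.append(("known_task_name", host, name))
            # generic sibling rule: any task whose action is encoded PowerShell
            if "powershell" in cmd.lower() and ENCODED_PS_RE.search(cmd):
                hits.append(("task_runs_encoded_powershell", host, name))

        elif eid == 13 and DEFENDER_EXCL in ev.get("TargetObject", "").lower():
            hits.append(("defender_exclusion_added", host, ev["TargetObject"]))

        elif eid == 3 and int(ev.get("DestinationPort", 0)) in C2_PORTS:
            detail = f'{image} -> {ev.get("DestinationIp", "?")}:{ev["DestinationPort"]}'
            hits.append(("c2_port", host, detail))
    return hits


def hunt_jsonl(text):
    """Convenience wrapper for a real export: one JSON object per line."""
    return hunt(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for rule, host, detail in hunt(SAMPLE_EVENTS):
        print(f"{host}\t{rule}\t{detail}")
```

The port rule is intentionally broad (any process, any destination) so that it also catches a renamed loader; in a real environment it should be paired with an allowlist of services that legitimately use those ports. The task-name rule is the high-confidence indicator; the encoded-PowerShell and Defender-exclusion rules are the generic ones that will outlive a rename of the task.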

Detection, Mitigation, and Best Practices for Content Creators

Bitdefender’s telemetry reveals over 500 domains and subdomains linked to the campaign, along with emerging macOS (Variant.MAC.Amos.9) and Android (Trojan.Dropper.AVV, Trojan.Banker.AVM) variants.

Thousands of Facebook pages with minimal followers and generic imagery propagate the ads in English, Vietnamese, and Thai. Attackers rotate domains and languages daily, employing tracking mechanisms such as PostHog, Facebook Pixel, Google Ads Conversion Tracking, and Microsoft Ads Pixel.


End users should avoid downloading software from third-party links, verify channel handles and subscriber counts before trusting unlisted ads, and report suspicious content directly through the platform's abuse channels.

Businesses with YouTube channels must enforce strong multi-factor authentication, regularly audit account permissions, and monitor for sudden rebranding or content deletions that may signal a compromise.

Deploying enterprise-grade security solutions, such as Bitdefender Security for Creators, Scamio, and Link Checker, can help prevent malicious redirects and credential theft.

Content creators should review account recovery options, ensure backup emails and phone numbers remain secure, and leverage comprehensive monitoring tools for early detection of unauthorized changes.

Continuous vigilance and prompt reporting remain essential defenses against these evolving malvertising threats.

Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders