Facebook Ads Scam Uses Celebrity Faces to Spread Malware

You’d think seeing Cristiano Ronaldo, Zendaya, and Elon Musk pitching crypto in the same Facebook ad would raise a red flag. But for thousands of users, it raised nothing but curiosity—and malware infections.

In this post, we look at a deceptive malvertising campaign that has been targeting Facebook users in Australia, New Zealand, and beyond. Let’s break down how it works—and how to stay out of its digital trap.

Scammers are using celebrity lookalikes and fake crypto ads on Facebook to install malware disguised as legitimate trading software, with some victims getting hit before the ads are even taken down.


How It Works:

This slick cyberattack blends mass impersonation, smart tracking, and malware delivery:

  1. Users see Facebook ads featuring fake endorsements from celebs like Elon Musk or fake profiles mimicking brands like Binance or TradingView.
  2. Clicking on the ad takes victims to a phishing site that mimics a legit crypto exchange, prompting them to download a "desktop trading client."
  3. The download is actually malware (“installer.msi”), which activates when opened.
  4. The malware launches a fake site using msedge_proxy.exe, deploys malicious DLL files, and spins up a local server to steal user data.
  5. If the visitor doesn't match the attackers’ target profile (wrong browser, wrong IP address, or no Facebook login), the site serves only harmless content instead. This cloaking is what lets the campaign slip past most security checks and researchers.


Who’s Targeted:

  • Primarily men aged 18+ with interests in tech and cryptocurrency.
  • Facebook users in Australia, New Zealand, Bulgaria, Slovakia, and other geo-targeted regions.
  • People likely to be tempted by financial gains or intrigued by celebrity endorsements.


Real-Life Example:

Researchers at Bitdefender Labs exposed the campaign, noting how hundreds of compromised Facebook accounts were running malware-linked ads—some pushing over 100 ads in a single day.

“Users cannot load the root website without the ad's query parameters,” said Bitdefender researcher Ionut Baltariu.

“Attackers are filtering based on browser, IP, and behavioural patterns—only showing malware to carefully chosen victims.”

They also found fake TradingView pages that looked eerily authentic, with cloned layouts and fake posts—but all navigation buttons led back to the real Facebook site, while the download links were pure poison.


Why You Should Care:

If infected, this malware can:

  • Steal your private data, system info, and login credentials.
  • Allow remote attackers to control your device using a backdoor.
  • Continuously download new malicious payloads based on your profile.

Even if you’re not a crypto enthusiast, the ad could still find you, especially if you're active on Facebook and casually browsing.


Actionable Steps:

  1. Avoid clicking on ads that offer financial rewards or urge you to download anything.
  2. Download software only from official websites—never through Facebook links.
  3. Report suspicious ads and pages using Facebook’s “Report ad” function.
  4. Use a reputable antivirus tool and keep it up to date (Bitdefender, for instance, flagged this early).
  5. Don’t trust celebrity endorsements online, especially in ads promoting crypto or investment schemes.


Quick Tips:

Did you know? Facebook ads can be geo-targeted to such precision that only specific groups of people see malware—others see harmless content.

Pro Tip: If an ad claims to be from Binance or TradingView, go to those platforms directly—never through third-party links or “bonus” offers.


Stay safe, stay informed,


Keyword Definitions:

  • Malvertising – The use of online ads to spread malware or redirect users to malicious sites.
  • installer.msi – A Windows Installer package file; the format is frequently abused to deliver malware quietly, and in this campaign it is the name of the malicious download.
  • SharedWorker – A browser feature (the SharedWorker API) that lets one background script be shared by several tabs from the same site; this campaign uses it to tie the fake page to the malware.
  • msedge_proxy.exe – A legitimate Microsoft Edge component shipped with Windows that the malware abuses so its activity looks like trusted browser behaviour.
  • Command and Control (C2) Server – A server used by attackers to send instructions to and receive data from compromised devices.

To read more, see the source article here.
