The risk from Facebook ads: Password attacks and cryptocurrency wallets campaign

Lưu Tuấn AnhLưu Tuấn Anh
3 min read

Overview

Recently, cybersecurity experts have reported a large-scale phishing campaign related to the Pi2Day event of Pi Network—a significant anniversary for the user community that has been exploited by attack groups to spread malware and scam digital assets.

Through Facebook Ads, over 140 fake ads, using Pi Network images and enticing airdrop content, have been distributed to many countries such as the United States, Europe, Australia, China, Vietnam, India, and the Philippines.

Facebook Ads

Phishing Tactics

In this campaign, experts have recorded over 140 fake Facebook ads using cryptocurrency-related brands—especially Pi Network—with enticing content such as:

  • "Claim 628 Pi Tokens Now!"

  • "Limited Airdrop Event – Pi2Day Special Bonus"

  • "Install this app to receive your free Pi"

Here, when users click the ad, they are not redirected to a website, but are asked to download a tool to mine or receive Pi tokens.

Facebook Ads

When users click on Download, a malicious software named installer.msi is immediately downloaded. After running msiexec, analysts observed:

  • A local server (port 30308/30303) is active

  • Connection from the browser to this server

  • Processes like powershell.exe, mshta.exe, etc., running on a schedule (task)

  • Downloads from C2, creating additional DLL/VBS/JS executables

Additionally, the DLL or script inside the MSI contains malware named Generic.MSIL.WMITask and Generic.JS.WMITask. These are indeed two dangerous variants that pose significant risks to information security.

Generic.MSIL.WMITask

  • Start a local .NET server on port 30308 or 30303.

  • Receive commands from JavaScript (in the browser) via SharedWorker.

  • Use WMI (Win32_ class) to:

    • Gather system information (hardware, OS version, user, etc.).

    • Then execute code using PowerShell or VBScript to download additional payloads from C2.

Generic.JS.WMITask

  • JavaScript obfuscated used in shared worker or DOM injection.

  • Stops working if run on a sandbox or an invalid Edge/Chrome browser.

  • When conditions are met:

    • Send a /query request to collect WMI data.

    • Send /set to schedule a Task or download more malware.

After infiltrating the system, this malware also hides itself cleverly by disabling console.log, warn, error, trace, etc., to avoid revealing its behavior. This makes it very difficult to detect.

Finally, the executed payloads may be able to:

  • Steal saved information and cryptocurrency wallet keys

  • Log user input

  • Download second-stage malicious components

  • Remain stealthy by using obfuscation and sandbox evasion

Conclusion

The attack campaign through Facebook Ads exploiting Pi2Day is a prime example of sophisticated malvertising, combining:

  • Social engineering + brand impersonation

  • Anti-analysis, targeting profile filtering

  • Multi-layer payload chain via local server

  • Multi-national, multi-platform cryptocurrency attack

It highlights the alarming issue of bad actors exploiting social media ads to attack users, especially in the context of cryptocurrency and crypto wallets, which are not yet widely understood. Protecting oneself and organizations from these risks requires increased awareness, protective technology, and strict control of online advertising.

Recommendations

  1. Enable PowerShell and WMI behavior monitoring
  • Monitor initiated processes such as:

    • powershell.exe calling Invoke-WebRequest, New-Object Net.WebClient, ScheduledTask, SecurityProtocol, MachineGuid

    • wscript.exe, cscript.exe, mshta.exe calling unusual domains

  1. Warn users
  • Warn users not to download software from Facebook ads

    • Especially files like .msi, .zip, .rar

    • Only download software from official websites

  • Always enable Bitdefender security solutions on both PC and mobile devices.

  • Only download apps from the official App Store/Google Play or the Pi Network homepage.

  • Do not enter wallet recovery phrases (seed phrases) on any website.

Reference

  1. Weaponizing Facebook Ads: Inside the Multi-Stage Malware Campaign Exploiting Cryptocurrency Brands

  2. Threat Actors Exploit Facebook Ads to Distribute Malware and Steal Wallet Passwords

0
Subscribe to my newsletter

Read articles from Lưu Tuấn Anh directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Lưu Tuấn Anh
Lưu Tuấn Anh