
New JSCEAL Infostealer Malware Attacking Windows Systems to Steal Login Credentials

JSCEAL has emerged as a serious threat to Windows users, specifically targeting those who work with cryptocurrency applications and valuable accounts.

First reported by Check Point Research in July 2025, this information-stealing malware has quietly grown stronger, introducing advanced techniques designed to avoid detection by security tools.

A new wave of attacks starting in August 2025 shows the threat has become more dangerous, with improved command-and-control systems and smarter ways to hide its activities.

The malware spreads through deceptive online advertisements that trick users into visiting fake websites. Once a user lands on these crafted pages, they unknowingly download malicious installers packaged as legitimate programs.

These installers deliver JSCEAL onto Windows machines, where the malware begins collecting sensitive information like passwords, usernames, and browser data.

The C2 domain registration dates (Source – CATO Networks)

The infection flow represents a simple but effective approach that continues to catch security teams off guard.

CATO Networks analysts identified that JSCEAL has not only survived but transformed into a more sophisticated threat.

The operators behind the malware completely redesigned their infrastructure starting August 20, 2025, moving from recognizable multi-word domain names to single-word domains like emberstolight.com.

C2 404 error (Source – CATO Networks)

This shift makes the malicious infrastructure harder to spot and block using traditional methods.

Advanced Detection Evasion Techniques

The malware now employs several clever tricks to avoid detection. When security tools or analysts try to access the command-and-control servers, the system requires a specific PowerShell user-agent to proceed.

Requests from regular browsers receive fake error messages designed to look like corrupted PDF files, creating an extra layer of confusion.

C2 Fake PDF Error (Source – CATO Networks)

Only systems that pass these checks receive the actual malicious payload, making the infection process heavily gated and difficult to analyze.

This multi-stage approach forces the script to verify that a PDF has been returned before proceeding to the script endpoint, where the operational payload is delivered, significantly complicating automated analysis efforts.

A significant technical advancement involves the refactored PowerShell script, which now uses Windows Scheduler through COM objects instead of directly creating scheduled tasks.

C2 traffic (Source – CATO Networks)

This change makes fingerprinting the malware from simple code indicators nearly impossible. The new payload delivery system also supports multiple data formats, including raw bytes, JSON, and MIME, offering operators greater flexibility in their attacks.
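Two detections for the behaviours described above (the PowerShell user-agent gate with its PDF check before the script endpoint, and the COM-based Task Scheduler use), written as an added example rather than code from CATO Networks or the article. The proxy log format, the exact PowerShell user-agent string and the vendor domain are assumptions; the sample log lines and script blocks are constructed.

```python
import re
from collections import defaultdict

# Assumption: proxy export format "<time> <src_ip> <method> <url> <status> <content-type> <user-agent...>".
# The PowerShell user-agent substring is an assumption; the article does not name the exact value.
PROXY_LOG = """\
09:01:02 10.0.0.5 GET https://emberstolight.com/doc 200 application/pdf Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1
09:01:03 10.0.0.5 GET https://emberstolight.com/script 200 text/plain Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1
09:05:10 10.0.0.7 GET https://updates.trusted-vendor.example/check 200 application/json Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1
09:06:00 10.0.0.9 GET https://emberstolight.com/doc 200 application/pdf Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0
"""
ALLOWLIST = {"updates.trusted-vendor.example"}  # known-good PowerShell update endpoints (constructed)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/\s]+)(\S*) (\d{3}) (\S+) (.*)$")

def find_gated_c2_candidates(log: str, allowlist: set) -> list:
    """(src_ip, domain) pairs where a PowerShell UA got a PDF response, then returned to the same domain."""
    by_client = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, ip, _, domain, path, _, ctype, ua = m.groups()
        if "PowerShell" not in ua or domain in allowlist:
            continue  # browsers get the fake PDF error; only PowerShell clients are gated through
        by_client[(ip, domain)].append((path, ctype))
    hits = []
    for key, reqs in by_client.items():
        pdf_seen = False
        for path, ctype in reqs:
            if pdf_seen:  # any follow-up request after the PDF check, e.g. the script endpoint
                hits.append(key)
                break
            pdf_seen = ctype == "application/pdf"
    return hits

# PowerShell Script Block Logging (Event ID 4104) text. Constructed samples; Schedule.Service is
# the real Task Scheduler COM ProgID that a script can use instead of Register-ScheduledTask/schtasks.
SCRIPT_BLOCKS = {
    "block-1": "$s = New-Object -ComObject 'Schedule.Service'; $s.Connect(); $f = $s.GetFolder('\\')",
    "block-2": "Register-ScheduledTask -TaskName Backup -Action $a -Trigger $t",
    "block-3": "[Activator]::CreateInstance([Type]::GetTypeFromProgID('Schedule.Service'))",
}
COM_SCHED_RE = re.compile(r"(-ComObject\s+['\"]?Schedule\.Service|GetTypeFromProgID\(\s*['\"]Schedule\.Service)", re.I)

def find_com_scheduler_blocks(blocks: dict) -> list:
    """IDs of script blocks that reach the Task Scheduler through COM, which cmdlet-name indicators miss."""
    return sorted(b for b, text in blocks.items() if COM_SCHED_RE.search(text))
```

Both functions return the flagged keys rather than printing, so they can be dropped into a SIEM enrichment job or a unit-tested detection module.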

The threat remains active and evolving. Organizations should implement strict security measures including blocking suspicious PowerShell activity, monitoring for unusual command-and-control communications, and educating users about malicious advertisements.

Security teams need to stay vigilant against information stealers like JSCEAL, which succeed not through dramatic exploits but through careful, deliberate design and continuous improvement of stealth capabilities.

The post New JSCEAL Infostealer Malware Attacking Windows Systems to Steal Login Credentials appeared first on Cyber Security News.

Source: cybersecuritynews.com
