
Weaponizing Facebook Ads: Inside the Multi-Stage Malware Campaign Exploiting Cryptocurrency Brands

ID: 4bd55e8d-c63b-5906-8615-cc6c4adb6d57

STIX ID: report--4bd55e8d-c63b-5906-8615-cc6c4adb6d57

Feed Name: Bitdefender Labs

Threat Score
75/100

Date Published: 2025-05-08

Date Updated: 2026-04-27

Author: Ionut Alexandru BALTARIU

...
...

This Bitdefender analysis details an ongoing, large-scale malvertising campaign on Facebook that impersonates well-known cryptocurrency platforms and influencers to trick users into downloading a malicious "installer.msi". The campaign uses evasion and targeting checks (ad query parameters, browser checks, demographic filters), and its front-end scripts coordinate with a localhost .NET server (msedge_proxy.exe) that runs WMI queries and schedules tasks. Evolving payloads are delivered via PowerShell and C2 servers for data exfiltration and secondary payload deployment. Bitdefender detected the related DLLs and JavaScript and provides IoCs to partners.
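The summary above names several host-side behaviours that are easier to hunt for than the campaign's rotating ad creatives: an "installer.msi" run through msiexec, a localhost-listening msedge_proxy.exe outside the directory where Microsoft Edge ships its own binary of that name, and that process spawning PowerShell, scheduled-task and WMI tooling. The script below is an added example (not Bitdefender's code and not taken from the report) that applies those heuristics to a handful of constructed process-creation and listen events. The Sysmon-like field names, the Edge install-path regex, the "schtasks.exe"/"WMIC.exe" child names and the sample command lines are all assumptions made for illustration; the report's actual IoCs are only available to Bitdefender partners.

```python
"""
Behavioural hunt for the chain described in the Bitdefender summary:
installer.msi -> localhost .NET server (msedge_proxy.exe) -> WMI queries,
scheduled tasks and PowerShell-delivered payloads.

Added example. Event schema, paths and command lines are constructed for
illustration and are not real campaign telemetry.
"""
import re

# Constructed sample telemetry (assumption: a Sysmon-like schema).
#   proc_create: pid, ppid, image, cmdline
#   net_listen:  pid, image, addr, port
EVENTS = [
    # Benign: Edge's own msedge_proxy.exe, launched from the Edge install directory.
    {"type": "proc_create", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe",
     "cmdline": "msedge_proxy.exe"},
    # The lure installer being run.
    {"type": "proc_create", "pid": 200, "ppid": 50,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\u\Downloads\installer.msi /qn"},
    # A same-named binary dropped to Temp by the installer.
    {"type": "proc_create", "pid": 201, "ppid": 200,
     "image": r"C:\Users\u\AppData\Local\Temp\msedge_proxy.exe",
     "cmdline": "msedge_proxy.exe"},
    {"type": "net_listen", "pid": 201,
     "image": r"C:\Users\u\AppData\Local\Temp\msedge_proxy.exe",
     "addr": "127.0.0.1", "port": 8080},
    # Children of the dropped server (constructed command lines; the base64 is a stub).
    {"type": "proc_create", "pid": 202, "ppid": 201,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"type": "proc_create", "pid": 203, "ppid": 201,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "C:\Users\u\AppData\Local\Temp\msedge_proxy.exe"'},
    {"type": "proc_create", "pid": 204, "ppid": 201,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},
]

# Assumption: the legitimate Edge binary lives under the Edge install directory.
# Tune this to the Edge channels deployed in your estate (Beta, Dev, per-user installs).
EDGE_DIR = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\Microsoft\\Edge\\", re.I)

# Tooling the summary says the server drives (PowerShell payloads, scheduled tasks, WMI).
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "schtasks.exe", "wmic.exe"}


def image_name(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (pid, reason) findings for events matching the campaign's behaviours."""
    findings = []
    by_pid = {e["pid"]: e for e in events if e["type"] == "proc_create"}
    for e in events:
        if e["type"] == "proc_create":
            name = image_name(e["image"])
            parent = by_pid.get(e["ppid"])
            parent_name = image_name(parent["image"]) if parent else ""
            if name == "msedge_proxy.exe" and not EDGE_DIR.match(e["image"]):
                findings.append((e["pid"], "msedge_proxy.exe outside the Edge install directory"))
            if name == "msedge_proxy.exe" and parent_name == "msiexec.exe":
                findings.append((e["pid"], "msedge_proxy.exe launched by msiexec.exe"))
            if parent_name == "msedge_proxy.exe" and name in SUSPICIOUS_CHILDREN:
                findings.append((e["pid"], f"{name} spawned by msedge_proxy.exe"))
            if name == "msiexec.exe" and "installer.msi" in e["cmdline"].lower():
                findings.append((e["pid"], "msiexec installing installer.msi"))
        elif e["type"] == "net_listen":
            if image_name(e["image"]) == "msedge_proxy.exe" and e["addr"].startswith("127."):
                findings.append((e["pid"], f"msedge_proxy.exe listening on localhost:{e['port']}"))
    return findings


if __name__ == "__main__":
    for pid, reason in hunt(EVENTS):
        print(f"pid {pid}: {reason}")
```

The benign Edge process (pid 100) produces no finding, while the dropped copy is flagged on path, parentage, the localhost listener and each of its three children. Each heuristic alone is noisy (legitimate software also schedules tasks and queries WMI); the value is in correlating them around a single parent, so treat two or more findings sharing a pid as the alert condition rather than any one of them.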
