
Facebook ads scam uses celebrity faces to spread malware
A Facebook malvertising campaign is using images of well-known public figures and impersonating cryptocurrency brands to distribute malware to users in Australia, New Zealand, and beyond.
Cybercriminals have been operating the campaign for several months, relying on Facebook advertisements that feature the likenesses of individuals such as Elon Musk, Zendaya, and Cristiano Ronaldo to attract victims. These ads falsely appear to promote legitimate cryptocurrency exchanges and entice users with promises of quick financial gains or bonuses.
According to Bitdefender Labs, hundreds of Facebook accounts have been utilised to promote malware-delivering pages. In one instance, a single Facebook page reportedly ran over 100 ads in a single day. While many ads are removed promptly, some achieve thousands of views before takedown. Targeting is often narrowly tuned, with examples including campaigns focused on men aged 18 and over in Bulgaria and Slovakia.
The campaign relies on mass impersonation of trusted cryptocurrency exchanges and trading platforms, including Binance and TradingView.
By mimicking established brands, the cybercriminals increase the credibility of the scam and the likelihood that users will be deceived.
The advertisements redirect victims to websites designed to closely resemble genuine cryptocurrency platforms, instructing them to download a supposed 'desktop client'. Instead of providing legitimate software, the download deploys malware on the user's computer. Bitdefender Labs has confirmed that all analysed malicious files carried the name 'installer.msi' and were roughly 800 kilobytes in size.
Bitdefender Labs researcher Ionut Baltariu commented on the sophisticated tracking and filtering techniques employed in the campaign. He said, "Users cannot load the root website. No malicious content will be displayed for users who loaded the website without the specific query parameters of the Facebook ads – some examples being utm_campaign, utm_content, fbid, cid. If the user is not logged into Facebook or if the IP address and operating system don't interest the attackers, the website will not display malicious content. Users will be served with unrelated content instead. The same might happen if the victim does not fit the behavioural profile the threat actors seek (e.g., male, interests in technology and cryptocurrency)."
This server-side filtering means that analysts, crawlers and sandboxes that do not match the profile, or that fetch the landing page without the ad's query parameters, see only benign or unrelated content, which lets the scam pages slip past most conventional security checks. Newer variants go further by requiring the site to be opened in Microsoft Edge; other browsers are served harmless alternative content.
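The gating just described is easy to model, and modelling it shows why a sandbox that is handed only the bare domain learns nothing. The following is an added example (not Bitdefender's code and not the attackers' server): `gate` simulates a landing page that applies the article's conditions (ad tracking parameters present, Facebook session, matching country and OS, and in newer variants an Edge User-Agent), and `probe` is the analyst-side helper that replays the full ad URL under every combination of browser, login state and apparent origin to find which one unlocks the payload page. The target country and OS lists, the hostnames and the User-Agent strings are assumptions made for the simulation; no network access is used.

```python
"""Cloaking gate as described in the article, plus an analyst probe that
enumerates request variants against it. Added example: the rules mirror the
article, the server side is simulated and nothing touches the network."""
from dataclasses import dataclass
from itertools import product
from urllib.parse import parse_qs, urlsplit

# Tracking parameters the article lists as the "ticket" that an ad click carries.
AD_PARAMS = {"utm_campaign", "utm_content", "fbid", "cid"}

# Assumed targeting profile for the simulation (the article mentions AU/NZ
# audiences and a Windows .msi payload; the real server-side lists are not public).
WANTED_COUNTRIES = {"AU", "NZ"}
WANTED_OS = {"Windows"}


@dataclass(frozen=True)
class Request:
    url: str
    user_agent: str
    fb_logged_in: bool   # presence of a Facebook session is what the gate checks
    country: str         # what the server derives from the client IP
    os_name: str         # what the server derives from the User-Agent


def is_edge(user_agent: str) -> bool:
    """Chromium-based Edge carries an 'Edg/' token in its User-Agent."""
    return "Edg/" in user_agent


def gate(req: Request, require_edge: bool = True) -> str:
    """Simulated landing-page decision: 'malicious' only when every condition
    the article describes is met, otherwise 'decoy' (unrelated content)."""
    query = parse_qs(urlsplit(req.url).query)
    if not AD_PARAMS & set(query):
        return "decoy"                       # root site / no ad parameters
    if not req.fb_logged_in:
        return "decoy"
    if req.country not in WANTED_COUNTRIES or req.os_name not in WANTED_OS:
        return "decoy"
    if require_edge and not is_edge(req.user_agent):
        return "decoy"
    return "malicious"


# Constructed User-Agent strings for the three browser variants probed below.
EDGE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0")
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0"


def probe(ad_url: str, fetch=gate) -> dict:
    """Analyst side: replay the *full* ad URL under every combination of
    browser, login state and apparent origin and record the outcome.
    `fetch` is the simulated gate here; against a live site it would be an
    HTTP client configured with the same headers, cookies and egress IP."""
    variants = product(
        [("Edge", EDGE_UA, "Windows"), ("Chrome", CHROME_UA, "Windows"),
         ("Firefox/Linux", LINUX_UA, "Linux")],
        [True, False],
        ["AU", "NZ", "DE"],
    )
    outcome = {}
    for (label, ua, os_name), logged_in, country in variants:
        req = Request(ad_url, ua, logged_in, country, os_name)
        outcome[(label, logged_in, country)] = fetch(req)
    return outcome


def unlocking_variants(ad_url: str) -> list:
    """The subset of probe variants that were served the malicious page."""
    return sorted(k for k, v in probe(ad_url).items() if v == "malicious")


if __name__ == "__main__":
    url = "https://example.invalid/?utm_campaign=x&fbid=123&cid=9"
    print("root page:", gate(Request("https://example.invalid/", EDGE_UA, True, "AU", "Windows")))
    for variant in unlocking_variants(url):
        print("unlocked by:", variant)
```

The practical lesson for triage is in `unlocking_variants`: only the Edge, logged-in, in-region combination sees the payload, so a detonation that strips the `utm_*`/`fbid`/`cid` parameters, runs without a Facebook session, or egresses from an untargeted country will report the site as clean. Submit the complete ad URL and match the victim's browser and geography, or the result is a false negative.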
One recent development includes the appearance of fake Facebook pages that clone the look and feel of genuine TradingView profiles. These fraudulent pages display fabricated profile pictures, posts, and comments, but central navigation buttons redirect to the legitimate Facebook site.
The malware operates in multiple stages. Once installed, it opens the impersonated brand's website through msedge_proxy.exe (the Edge helper binary used to open a site in an app-style window) and drops a suspicious DLL. That DLL starts a local .NET-based server, which gives the operators remote execution of payloads and data exfiltration; the collection side relies on WMI (Windows Management Instrumentation) queries.
The local server exposes API routes for executing commands and querying their results, and it gathers information on user behaviour, installed software, hardware details, and geographical location.
Bitdefender Labs reports that the malware's front-end script deobfuscates itself to create a SharedWorker, which manages communication with the malicious local server.
The SharedWorker controls further attacks and can fetch even more dangerous payloads from external command and control (C2) servers if a target matches the intended victim profile.
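The chain above (installer.msi of roughly 800 KB, msedge_proxy.exe launched by the installer, a new loopback listener, WMI collection from that listener) is a better hunting signal as a correlated sequence than as any single indicator, because a lone localhost listener is everyday developer noise. The following is an added example, not Bitdefender's detection content: a small correlation over a constructed, Sysmon-like telemetry sample. The event schema, the 15-minute window, the size tolerance around 800 KB, the assumption that the installer directly parents msedge_proxy.exe, and all hostnames, paths and process names in the sample are invented for the demonstration; only the file name and size and the msedge_proxy.exe, local server and WMI sequence come from the article.

```python
"""Hunting logic for the infection chain described above, run over a small
constructed telemetry sample. Added example, not Bitdefender's detection
content: the event schema is a Sysmon-like simplification invented for the
demo, the correlation window and size tolerance are assumptions, and only
the file name/size and the msedge_proxy.exe -> local server -> WMI sequence
come from the article."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(minutes=15)          # assumed correlation window
MSI_SIZE = (700_000, 900_000)           # article: "roughly 800 kilobytes"
MIN_INDICATORS = 3                      # a lone loopback listener is noise

# Constructed sample: WS01 shows the full chain, WS02 is a developer's dev server.
EVENTS = [
    {"host": "WS01", "ts": "2025-05-01T09:00:00", "type": "file_create",
     "path": r"C:\Users\alice\Downloads\installer.msi", "size": 812_000},
    {"host": "WS01", "ts": "2025-05-01T09:00:20", "type": "process_create",
     "pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\installer.msi"},
    {"host": "WS01", "ts": "2025-05-01T09:00:25", "type": "process_create",
     "pid": 4210, "ppid": 4100,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe",
     "cmdline": "msedge_proxy.exe --app=https://tradingview-desktop.example/"},
    {"host": "WS01", "ts": "2025-05-01T09:00:30", "type": "process_create",
     "pid": 4300, "ppid": 4100, "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "cmdline": "svc.exe"},
    {"host": "WS01", "ts": "2025-05-01T09:00:31", "type": "net_listen",
     "pid": 4300, "addr": "127.0.0.1", "port": 5055},
    {"host": "WS01", "ts": "2025-05-01T09:01:00", "type": "wmi_query",
     "pid": 4300, "query": "SELECT * FROM Win32_OperatingSystem"},
    {"host": "WS02", "ts": "2025-05-01T10:00:00", "type": "process_create",
     "pid": 2000, "ppid": 1500, "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": "node.exe dev-server.js"},
    {"host": "WS02", "ts": "2025-05-01T10:00:01", "type": "net_listen",
     "pid": 2000, "addr": "127.0.0.1", "port": 3000},
]


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def hunt(events=EVENTS) -> list:
    """Return one alert per host whose events show at least MIN_INDICATORS
    distinct chain indicators inside WINDOW."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        procs = {e["pid"]: e for e in evs if e["type"] == "process_create"}
        listeners = set()                 # pids that opened a loopback port
        hits = []                         # (time, indicator, detail)
        for ev in evs:
            ts = datetime.fromisoformat(ev["ts"])
            kind = ev["type"]
            if (kind == "file_create" and base(ev["path"]) == "installer.msi"
                    and MSI_SIZE[0] <= ev["size"] <= MSI_SIZE[1]):
                hits.append((ts, "installer.msi ~800KB written", ev["path"]))
            elif kind == "process_create" and base(ev["image"]) == "msedge_proxy.exe":
                parent = procs.get(ev["ppid"])
                # heuristic: Edge's app launcher parented by the MSI installer
                if parent and base(parent["image"]) == "msiexec.exe":
                    hits.append((ts, "msedge_proxy.exe spawned by installer", ev["cmdline"]))
            elif kind == "net_listen" and ev["addr"] in ("127.0.0.1", "::1"):
                listeners.add(ev["pid"])
                owner = base(procs.get(ev["pid"], {}).get("image", "?"))
                hits.append((ts, "loopback listener", f"{owner}:{ev['port']}"))
            elif kind == "wmi_query" and ev["pid"] in listeners:
                hits.append((ts, "WMI query from loopback server", ev["query"]))
        # indicators must cluster in time and reach the threshold of distinct kinds
        for i, (t0, _, _) in enumerate(hits):
            cluster = [h for h in hits[i:] if h[0] - t0 <= WINDOW]
            kinds = {h[1] for h in cluster}
            if len(kinds) >= MIN_INDICATORS:
                alerts.append({"host": host, "indicators": sorted(kinds),
                               "details": [h[2] for h in cluster]})
                break
    return alerts


if __name__ == "__main__":
    for alert in hunt():
        print(alert["host"], alert["indicators"])
```

In real telemetry the same four indicators map to Sysmon process creation (event 1), network connection (event 3, or listening-port inventory from the EDR) and file creation (event 11), with WMI activity from the WMI-Activity operational log; the correlation rule, not the individual matches, is what keeps the loopback-listener check from paging on every developer running a local web server.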
Bitdefender Labs highlighted that the sophistication of this campaign—combining multiple levels of obfuscation, anti-sandbox tactics, and real-time adaptation—presents a significant challenge for security practitioners. Early detection and activation of Bitdefender's own malicious script and DLL signatures blocked thousands of infection attempts globally.
The company encouraged precaution among the more than 22 million active Facebook users in Australia and New Zealand. Users are advised to scrutinise any advertisements offering free software or seemingly incredible financial rewards, download software only from official vendor sites, and employ scam and link checking tools such as Bitdefender Scamio and Link Checker.
Bitdefender recommends keeping security software up to date to improve resistance against evolving threats and to remain cautious of sites requesting the use of a specific browser.
Suspicious ads should be reported using Facebook's reporting functions to disrupt ongoing and future malvertising activity.
Researchers at Bitdefender Labs concluded, "This campaign showcases a hybrid approach, merging front-end deception and a localhost-based malware service. By dynamically adjusting to the victim's environment and continuously updating payloads, the threat actors maintain a resilient, highly evasive operation."