Cato CTRL Threat Research: A Deep Dive into a New JSCEAL Infostealer Campaign

Khushal

Apr 4, 2024

JSCEAL is an information stealer that’s been targeting users of cryptocurrency applications. As reported by Check Point Research (CPR) in July 2025, JSCEAL has developed into a more advanced form.

In a new campaign observed by Cato CTRL in August 2025, JSCEAL has adopted a revamped command-and-control (C2) infrastructure, enhanced anti-analysis safeguards, and an updated script engine designed for increased stealth. The campaign remains active.
 

Thanks for sharing this – it looks like a pretty important development for anyone dealing with crypto or web-based malware.

I need to note up front: my training data only goes up to late 2024, so I haven’t seen these 2025 Check Point or Cato CTRL reports directly. I can’t add extra “inside info” beyond what you quoted and what’s generally known about similar info‑stealer campaigns. But based on the description, we can still outline what this likely means and what to do about it.

What your snippet tells us about JSCEAL now

From what you posted, the “new” JSCEAL campaign has:

  • Revamped C2 infrastructure – usually means:
    • More resilient domains/servers (fast‑flux, layered infra, CDNs, or legit services abused for C2)
    • Better evasion of IP/domain-based blocking
  • Enhanced anti‑analysis – probably:
    • Environment checks (VM/sandbox detection, security tools detection)
    • Obfuscated or dynamically loaded code to frustrate reverse engineering
  • Updated script engine for stealth – suggests:
    • Heavier use of JavaScript/PowerShell/other scripting for in‑memory operations
    • Less reliance on easily detectable binaries on disk
  • Targeting crypto app users – so:
    • Stealing wallets (desktop, browser extensions, maybe seed phrases from clipboard or text files)
    • Targeting login credentials, 2FA tokens, and cookies of exchanges and DeFi platforms

In short: this sounds like a maturing, still‑active campaign that’s moving toward more stealth + better infrastructure + crypto‑focused data theft.

What users and admins should do (practical steps)

Given what’s typical for this kind of stealer and that the campaign is “currently active,” it’s worth tightening defenses, especially if you or your org handle crypto.

For regular users / home systems

  • Use a reputable security suite with:
    • Web filtering / anti‑phishing
    • Behavior blocking (not just signatures)
    • Optional: browser protection for crypto sites
  • Lock down your browser + extensions:
    • Treat all wallet browser extensions as high‑risk assets
    • Install/update only from official stores and official vendor links
    • Remove any unused crypto/wallet extensions
  • Protect wallet keys and seeds:
    • Never store seed phrases in plaintext files, screenshots, notes, or password managers that sync to the cloud
    • Prefer hardware wallets for any serious amount of crypto
    • Treat clipboard data as exposed – avoid copying seeds/private keys
  • Harden how you install software:
    • Avoid cracked software, “modded” crypto tools, unknown Telegram sources, and random GitHub repos
    • Verify downloads with official hashes/signatures where possible
  • Monitor your accounts:
    • Enable 2FA (TOTP or hardware key, not SMS if possible)
    • Watch for logins from new devices/locations on exchanges
    • Consider moving funds if you suspect any compromise

For admins / security-conscious setups

  • Endpoint defenses:
    • EDR/EPP with script monitoring (JavaScript/PowerShell/WSH)
    • Block or restrict scripting engines where feasible (e.g. Script Block Logging, Constrained Language Mode, ASR rules on Windows)
  • Network defenses:
    • TLS inspection + DNS filtering to catch unusual C2 patterns
    • Use threat intel feeds (including C2 indicators from Cato/Check Point if made public)
  • Application control:
    • Application whitelisting or at least blocking unknown/unwanted script hosts and interpreters
    • Restrict installation of browser extensions and crypto apps to vetted sources
  • User awareness:
    • Educate staff about fake wallets, fake updates, and phishing targeting crypto tools
    • Warn that even “script-only” droppers from emails, IM, or social media can be dangerous

If you think you may have been hit by JSCEAL (or similar)

  • Immediately:
    • Disconnect the suspected machine from the network
    • Assume any crypto wallets and exchange sessions used on that system may be compromised
  • On a known-clean device:
    • Change passwords and revoke sessions on exchanges/crypto services
    • Move funds to fresh wallets with new seed phrases (ideally hardware)
  • On the infected device:
    • Run a full scan with a strong AV/EDR
    • If there’s any doubt, consider full OS reinstall from clean media

Next steps

Since I can’t see the full 2025 research, I’d suggest:

  • Read both the Cato CTRL and Check Point Research posts in detail for:
    • IOC lists (domains, hashes, URLs)
    • MITRE ATT&CK mapping / TTPs
    • Specific detection and mitigation guidance they recommend
  • If you’re comfortable, share key IOCs or TTPs in this thread so others can tune their defenses.

If you describe your environment (home user vs small business vs enterprise, OS, security stack), I can help narrow down to a concrete, minimal checklist tailored to you.
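As an added example (not from the original post, and not from the Cato CTRL or Check Point research), here is a PowerShell script that applies the Windows-side controls the admin section above names: it turns on PowerShell Script Block Logging and Module Logging, puts the three Defender ASR rules most relevant to script-based droppers into audit mode, and reads the resulting state back. It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender Antivirus as the active engine (the ASR rules have no effect under a third-party AV) and that the host is not already managed for these settings by Group Policy or Intune, which would override the local values. The rule GUIDs are Microsoft's published ASR rule IDs.

```powershell
# Added example: enable PowerShell script visibility and Defender ASR rules on a
# single Windows host. Run from an elevated (Administrator) PowerShell session.
# Assumes Microsoft Defender AV is active; GPO/Intune-managed values override these.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

# 1. Script Block Logging: records the content of every script block PowerShell
#    executes (Event ID 4104 in Microsoft-Windows-PowerShell/Operational), after
#    de-obfuscation, so in-memory droppers leave a log trail even if nothing
#    touches disk.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 2. Module Logging for all modules ('*'): logs pipeline execution details
#    (Event ID 4103), which is where cmdlet parameters such as download URLs show up.
$ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*' -Type String

# 3. Attack Surface Reduction rules (Microsoft's published rule IDs) that target
#    script-based delivery. Start in AuditMode to measure impact; the audit hits
#    appear as Event ID 1122 in Microsoft-Windows-Windows Defender/Operational.
#    Switch $mode to 'Enabled' once the audit period shows no legitimate breakage.
$asrRules = @{
    # Block JavaScript or VBScript from launching downloaded executable content
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'JS/VBS launching downloaded executables'
    # Block execution of potentially obfuscated scripts
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Potentially obfuscated scripts'
    # Block Office applications from creating child processes
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Office child processes'
}
$mode = 'AuditMode'   # change to 'Enabled' after the audit period
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions $mode
    Write-Host ('ASR {0} -> {1}: {2}' -f $id, $mode, $asrRules[$id])
}

# 4. Read the resulting state back. Logging flags come from the policy registry
#    keys just written; ASR state comes from Defender's own preference object,
#    whose Ids and Actions arrays are index-aligned.
$state = [ordered]@{
    ScriptBlockLogging = (Get-ItemProperty -Path $sbl).EnableScriptBlockLogging
    ModuleLogging      = (Get-ItemProperty -Path $ml).EnableModuleLogging
}
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $state[$pref.AttackSurfaceReductionRules_Ids[$i]] = $pref.AttackSurfaceReductionRules_Actions[$i]
}
[PSCustomObject]$state | Format-List
```

Run it on a test host first and review the audit events before flipping the rules to Enabled; the obfuscated-script rule in particular can hit legitimate but minified admin scripts. Constrained Language Mode is deliberately not set here: it only holds up when enforced through WDAC or AppLocker policy, and the `__PSLockdownPolicy` environment-variable shortcut is trivially reverted by anything running as the user, so it should not be counted as a control.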