# The risk from Facebook ads: Password attacks and cryptocurrency wallets campaign

## **Overview**

Recently, cybersecurity experts have reported a large-scale phishing campaign related to the **Pi2Day event** of Pi Network—a significant anniversary for the user community that has been **exploited by attack groups** to spread malware and scam digital assets.

Through Facebook Ads, over **140 fake ads**, using Pi Network images and enticing airdrop content, have been distributed to many countries such as the United States, Europe, Australia, China, Vietnam, India, and the Philippines.

![Facebook Ads](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwjxKEhygucYc9IGfr656qA5CgwhQZRtbXIhqyooIIcCPwTPKPoofdFAPMltrp_dmLvNFLUj7U6WPJoB6LwkFQ6Tl3yTJRvezxT4JiDSSnEl8QRhWu5ClaHY7l7PZRqqODHNodjoGEpMaxmF-zjIOwK341s9XEE0KSG5Bq5X3Z6AKQPAHJTcuHeawua_o/s16000/Phishing%20Pages.webp align="center")

![](https://blogapp.bitdefender.com/hotforsecurity/content/images/2025/06/data-src-image-7134569e-25c0-4f31-92a7-389550ba80a6.png align="center")

## **Phishing Tactics**

In this campaign, experts have recorded over 140 fake Facebook ads using cryptocurrency-related brands—especially **Pi Network**—with enticing content such as:

* **"Claim 628 Pi Tokens Now!"**
    
* **"Limited Airdrop Event – Pi2Day Special Bonus"**
    
* **"Install this app to receive your free Pi"**
    

![](https://blogapp.bitdefender.com/labs/content/images/2025/05/data-src-image-2d7c024a-dc25-430a-a374-0fc3b1890029.jpeg align="center")

![](https://blogapp.bitdefender.com/labs/content/images/2025/05/data-src-image-c0ee25a5-3e55-4b39-ad33-b30da4c7235e.jpeg align="center")

Here, when users click the ad, they are **not redirected to a website**, but are **asked to download a tool to mine or receive Pi tokens.**

![Facebook Ads](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOPOCGzMvOZXi0gypvgnLuUqAmFtOmgIdEBroF6XASWkVzDCKuQDjzKkHMi2DjME8tpa9Tf0ApqaGgKXxp5mzv6iRWq5gH0neVXc4_aIdzcxW4kwqRHoMoX54ePcbKxsq7cz02fVC-JxwhdkPmKs6-NrWtomq0m4d7cR5uKvEcVjE62S3MvYm58u5fNUA/s16000/Mining%20Apps.webp align="center")

When users click on Download, a malicious software named `installer.msi` is immediately downloaded. After running `msiexec`, analysts observed:

* A local server (port 30308/30303) is active
    
* Connection from the browser to this server
    
* Processes like `powershell.exe`, `mshta.exe`, etc., running on a schedule (task)
    
* Downloads from C2, creating additional DLL/VBS/JS executables
    

Additionally, the **DLL or script inside the MSI** contains malware named `Generic.MSIL.WMITask` and `Generic.JS.WMITask`. These are indeed two dangerous variants that pose significant risks to information security.

![](https://blogapp.bitdefender.com/labs/content/images/2025/05/image-1.png align="center")

![](https://blogapp.bitdefender.com/labs/content/images/2025/05/image-2.png align="center")

**Generic.MSIL.WMITask**

* Start a **local .NET server** on port **30308 or 30303**.
    
* Receive commands from JavaScript (in the browser) via `SharedWorker`.
    
* Use **WMI** (`Win32_` class) to:
    
    * Gather system information (hardware, OS version, user, etc.).
        
    * Then execute code using PowerShell or VBScript to download additional payloads from C2.
        

**Generic.JS.WMITask**

* **JavaScript obfuscated** used in shared worker or DOM injection.
    
* Stops working if run on a **sandbox or an invalid Edge/Chrome browser**.
    
* When conditions are met:
    
    * Send a `/query` request to collect WMI data.
        
    * Send `/set` to schedule a Task or download more malware.
        

After infiltrating the system, this malware also hides itself cleverly by disabling `console.log`, `warn`, `error`, `trace`, etc., to avoid revealing its behavior. This makes it very difficult to detect.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1751582901645/0d77e81d-cabd-494c-8df8-d9d85767ad50.png align="center")

Finally, the executed payloads may be able to:

* Steal saved information and cryptocurrency wallet keys
    
* Log user input
    
* Download second-stage malicious components
    
* Remain stealthy by using obfuscation and sandbox evasion
    

## **Conclusion**

The attack campaign through Facebook Ads exploiting Pi2Day is a prime example of **sophisticated malvertising**, combining:

* **Social engineering + brand impersonation**
    
* **Anti-analysis, targeting profile filtering**
    
* **Multi-layer payload chain via local server**
    
* **Multi-national, multi-platform cryptocurrency attack**
    

It highlights the alarming issue of bad actors exploiting social media ads to attack users, especially in the context of cryptocurrency and crypto wallets, which are not yet widely understood. Protecting oneself and organizations from these risks requires **increased awareness, protective technology, and strict control of online advertising**.

## **Recommendations**

1. **Enable PowerShell and WMI behavior monitoring**
    

* Monitor initiated processes such as:
    
    * `powershell.exe` calling `Invoke-WebRequest`, `New-Object Net.WebClient`, `ScheduledTask`, `SecurityProtocol`, `MachineGuid`
        
    * `wscript.exe`, `cscript.exe`, `mshta.exe` calling unusual domains
        

2. **Warn users**
    

* Warn users not to download software from Facebook ads
    
    * Especially files like `.msi`, `.zip`, `.rar`
        
    * Only download software from **official websites**
        
* **Always enable Bitdefender security solutions** on both PC and mobile devices.
    
* **Only download apps** from the **official App Store/Google Play** or the Pi Network homepage.
    
* **Do not enter wallet recovery phrases (seed phrases)** on any website.
    

## **Reference**

1. [Weaponizing Facebook Ads: Inside the Multi-Stage Malware Campaign Exploiting Cryptocurrency Brands](https://www.bitdefender.com/en-us/blog/labs/weaponizing-facebook-ads-inside-the-multi-stage-malware-campaign-exploiting-cryptocurrency-brands)
    
2. [Threat Actors Exploit Facebook Ads to Distribute Malware and Steal Wallet Passwords](https://gbhackers.com/threat-actors-exploit-facebook-ads-to-distribute-malware/)
