Cybercriminals have launched a sophisticated campaign that abuses Facebook's advertising platform to distribute malware and steal cryptocurrency wallet credentials, targeting users worldwide through deceptive Pi Network-themed advertisements.
The operation began on June 24, 2025, timed to coincide with the Pi2Day celebration, and has already run more than 140 ad variations to maximize its reach across several continents.
The campaign is a coordinated effort by threat actors who have weaponized a legitimate social media advertising mechanism to deliver multi-stage malware payloads.
The malicious advertisements pose as official Pi Network promotions, offering fake mining applications and fraudulent wallet-access portals that promise users substantial cryptocurrency rewards.
The campaign's geographic scope covers the United States, Europe, Australia, China, Vietnam, India, and the Philippines, indicating a well-resourced operation with international ambitions.
The threat actors use two primary attack vectors. The first is phishing pages that closely mimic the legitimate Pi Wallet interface and prompt users to enter their 24-word recovery phrase under the pretext of claiming 628 Pi tokens or joining an exclusive airdrop.
Phishing web page (Supply – Bitdefender)
Once entered, the recovery phrase gives the attackers full control of the victim's wallet and lets them transfer funds immediately. The phrase is the wallet's private key: no legitimate wallet or airdrop requires it to be typed into a web page to receive a reward.
Bitdefender researchers identified the second attack vector as malware-laden applications disguised as Pi Network mining software.
These deceptive installers promise a bonus of 31.4 Pi tokens for downloading and running a PC application.
The packages instead carry malicious payloads detected as Generic.MSIL.WMITask and Generic.JS.WMITask variants, multi-stage malware that Bitdefender's security team had already analyzed in May 2025.
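A network-side check for the phishing vector described above, as an added example (not Bitdefender's or Pi Network's code): it scans decoded HTTP POST bodies from a web proxy log for a 24-word recovery phrase leaving the network. The hostnames and log entries are constructed for the example and are not the campaign's real infrastructure; the optional wordlist argument is a hypothetical hook for the full BIP39 English list, which is not embedded here.

```python
"""Flag outbound web-form submissions that carry a wallet recovery phrase.

Added example, not code from the original article. Assumes a proxy that
records the decoded POST body of each request; the sample entries below are
constructed. Recovery phrases (BIP39-style mnemonics) consist of 12 or 24
lowercase dictionary words of 3 to 8 letters; a 24-word run of such words
posted to an unfamiliar host is a strong wallet-phishing indicator.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Shape of a BIP39 English word and of a full phrase (facts about the
# standard, not about this campaign).
WORD_RE = re.compile(r"[a-z]{3,8}")
PHRASE_LENGTHS = {12, 24}

# The first 24 words of the BIP39 English wordlist, used as a sample phrase.
BIP39_FIRST_24 = ("abandon ability able about above absent absorb abstract absurd "
                  "abuse access accident account accuse achieve acid acoustic "
                  "acquire across act action actor actress actual").split()

# Constructed proxy log entries: (destination URL, decoded form body).
SAMPLE_POSTS = [
    # Whole phrase pasted into one field, posted to a lookalike host.
    ("https://pi-wallet-claim.example/verify",
     "email=alice%40example.org&phrase=" + "+".join(BIP39_FIRST_24)),
    # Same phrase spread over 24 one-word inputs (a common lookalike layout).
    ("https://pi2day-airdrop.example/claim",
     "&".join(f"word{i + 1}={w}" for i, w in enumerate(BIP39_FIRST_24))),
    # Ordinary traffic that must not alert.
    ("https://shop.example/checkout", "item=42&note=please+deliver+after+five"),
]


def looks_like_mnemonic(tokens, wordlist=None):
    """True if tokens have the shape of a recovery phrase.

    wordlist is optional: pass the 2048-word BIP39 list as a set to make the
    check exact; without it only the length/shape heuristic is applied.
    """
    if len(tokens) not in PHRASE_LENGTHS:
        return False
    if not all(WORD_RE.fullmatch(t) for t in tokens):
        return False
    if wordlist is not None and not all(t in wordlist for t in tokens):
        return False
    return True


def find_recovery_phrase(body, wordlist=None):
    """Return the phrase words if the decoded form body carries one, else None.

    Handles both a single field holding the whole phrase and the phrase
    split across many single-word fields (word1 ... word24).
    """
    fields = parse_qsl(body, keep_blank_values=True)
    for _, value in fields:
        tokens = value.lower().split()
        if looks_like_mnemonic(tokens, wordlist):
            return tokens
    # Per-word layout: stitch every single-word field together in order.
    singles = [v.lower() for _, v in fields if WORD_RE.fullmatch(v.lower())]
    if looks_like_mnemonic(singles, wordlist):
        return singles
    return None


def scan_posts(posts, wordlist=None):
    """posts: iterable of (url, decoded_body). Returns one alert dict per hit."""
    alerts = []
    for url, body in posts:
        phrase = find_recovery_phrase(body, wordlist)
        if phrase:
            alerts.append({"host": urlsplit(url).hostname,
                           "words": len(phrase),
                           "first_word": phrase[0]})
    return alerts


if __name__ == "__main__":
    for alert in scan_posts(SAMPLE_POSTS):
        print(f"ALERT: {alert['words']}-word recovery phrase posted to "
              f"{alert['host']} (starts with '{alert['first_word']}')")
```

Without the wordlist the check is a heuristic and can fire on any form with 24 short lowercase words, so in production load the BIP39 list and pair the alert with the destination host's reputation or age; the per-word stitching is what catches pages that present 24 separate input boxes, which defeats a naive single-field regex.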
Multi-Stage Malware Infection Mechanism
The malware's infection process shows deliberate engineering to evade detection while maintaining persistence on compromised systems.
On initial execution, the payload uses obfuscation to slip past traditional antivirus solutions and sandbox environments while it establishes a foothold.
The architecture is staged, with each component serving a specific function in the overall attack chain.
The primary payload focuses on credential harvesting, systematically extracting stored passwords, authentication tokens, and cryptocurrency wallet keys from the infected system.
Alongside this, the malware deploys keylogging to capture user input in real time, including newly entered passwords, recovery phrases, and other sensitive financial information.
Persistence mechanisms keep the malware running across system reboots, while its communication modules connect to command-and-control infrastructure to exfiltrate stolen data and fetch additional malicious components.
The campaign's success rests on exploiting users' trust in established social media platforms and their limited understanding of cryptocurrency security practices.
By borrowing the legitimacy of Facebook's advertising system and riding Pi Network's growing popularity, the threat actors have built an effective distribution mechanism that continues to evolve in response to security countermeasures.