The Scam That Won’t Quit: Malicious “TradingView Premium” Ads Jump from Meta to Google and YouTube

Bitdefender researchers tracked a global malvertising campaign that impersonated TradingView across Facebook, YouTube, and Google Ads to deliver an oversized multi-stage downloader (detected as Variant.DenoSnoop.Marte.1) and a final stealer (Trojan.Agent.GOSL) that steals credentials and cryptocurrency wallet data, intercepts network traffic, and persists via a scheduled task and Windows Defender exclusions. The campaign ran from hijacked Google advertiser and YouTube accounts carrying verified badges, used unlisted ad videos reachable only through paid placements, embedded extensive tracking (PostHog, Facebook Pixel, Google Ads Conversion Tracking, Microsoft Ads) to profile visitors, rotated domains, and expanded to macOS and Android samples. #TradingView #Variant.DenoSnoop.Marte.1

Keypoints

  • Threat actors ran malvertising across Meta, YouTube, and Google Ads impersonating TradingView to lure victims with “free premium” offers linking to malware-laced downloads.
  • Attackers hijacked a Google advertiser account and a verified YouTube channel, rebranding them with official visuals and using unlisted ad videos shown only via paid placements.
  • The initial loader is a custom downloader padded to over 700 MB, a size that many sandboxes and upload-based scanners refuse to process; it runs anti-sandbox checks, deploys in several stages, and talks to its server over websockets (port 30000, /config route).
  • Final payloads include sophisticated stealers (detected as Trojan.Agent.GOSL; also tracked as JSCEAL/WeevilProxy) that intercept network traffic by acting as a local proxy, keylog, take screenshots, steal wallets, and maintain persistence.
  • Attack infrastructure exceeds 500 domains/subdomains, includes macOS and Android variants (Variant.MAC.Amos.9, Android.Trojan.Dropper.AVV, Android.Trojan.Banker.AVM), and uses embedded tracking to fingerprint visitors, serve the payload only to likely targets, and show benign content to everyone else.
  • Campaign operators create hundreds of daily multilingual ads, rotate domains, and exploit verified channel credibility and unlisted videos to avoid platform moderation.
  • Defensive recommendations include checking channel handles and subscriber counts, avoiding third-party downloads, enabling strong MFA, auditing account access, reporting suspicious ads, and using Bitdefender protections.

MITRE Techniques

  • [T1583.008] Acquire Infrastructure: Malvertising – Paid ad placements on Meta, Google Ads and YouTube carried the lure and redirected victims to the download pages (“…they begin redirecting victims through Google’s ads system”).
  • [T1586] Compromise Accounts – Stolen Google accounts were used to take over a verified YouTube channel and an advertiser account, which were then rebranded with TradingView visuals (“…a couple of stolen Google accounts were observed”).
  • [T1053.005] Scheduled Task and [T1562.001] Impair Defenses: Disable or Modify Tools – The malware creates a scheduled task for persistence and adds Windows Defender exclusions so its files are not scanned (“…creates a Scheduled Task called EdgeResourcesInstallerV12-issg” and “adds Windows Defender exclusions”).
  • [T1105] Ingress Tool Transfer – The landing page streams installer.exe to the browser with StreamSaver.js, and the downloader then fetches further stages over websockets (“…uses https://jimmywarting.github.io/StreamSaver.js to deliver the malicious file” and “communicates using websockets, on the port 30000 and the /config route”).
  • [T1204.002] User Execution: Malicious File – Ads promising free TradingView Premium lead to an unlisted video whose description links the executable the victim is expected to run (“…the description of the unlisted video includes a link where the user can download the malicious executable”).
  • [T1056.001] Input Capture: Keylogging and [T1113] Screen Capture – The final stealer records keystrokes and screenshots for credential theft (“Keylogging and taking screenshots”).
  • [T1557] Adversary-in-the-Middle and [T1041] Exfiltration Over C2 Channel – The stealer inserts itself as a proxy for all user traffic and sends what it collects back to its operators (“Intercepting all user network traffic (acting as a proxy)”).
  • [T1112] Modify Registry – Windows Defender exclusions are stored under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions regardless of how they are added, so the persistence step implies registry writes (“Ensuring long term persistence, and more”).

Indicators of Compromise

  • [Domains/Subdomains] Infrastructure scale – over 500 domains and subdomains tied to the campaign (example domains not listed in article; Bitdefender ATI holds full list).
  • [File names / Executables] Malicious installers and loaders – installer.exe (delivered through StreamSaver.js), the initial padded downloader (>700 MB), older samples shipped as .msi; JSCEAL/WeevilProxy are researcher names for the final payload family, not file names.
  • [Detections/Names] Threat detections and labels – Variant.DenoSnoop.Marte.1 (initial loader), Trojan.Agent.GOSL (final payload), Variant.MAC.Amos.9 (macOS), Android.Trojan.Dropper.AVV and Android.Trojan.Banker.AVM (Android samples).
  • [Network / Ports] C2 and communication details – websocket communication on port 30000 using the /config route; older samples used plain HTTP on ports 30303 and 30308 with routes such as /s, /set, /q and /query, so both patterns are worth hunting for in proxy and NetFlow data.
  • [Tracking Tokens] Tracking frameworks used – PostHog, Facebook Pixel, Google Ads Conversion Tracking, Microsoft Ads Pixel and Adprofex postback seen embedded in front-end scripts for targeting and evasion.
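The network, task, registry and file indicators above can be turned into a simple hunting pass over endpoint and network telemetry. The block below is an added example, not Bitdefender's code and not part of the original write-up: it walks a list of event records and reports which ones match the campaign's observed patterns. The event schema, the sample events and the 700 MB size threshold are assumptions made for this example; only the ports, routes, task name and file name come from the write-up, and the Defender exclusion registry paths are standard Windows locations rather than campaign-specific indicators.

```python
# Added example (not Bitdefender's code): hunting pass over constructed
# telemetry using the indicators quoted in this summary. The event schema,
# sample values and size threshold are assumptions made for this example.
from dataclasses import dataclass
from typing import Optional

# Network indicators from the write-up
WS_C2_PORT = 30000
WS_C2_ROUTE = "/config"
LEGACY_C2_PORTS = {30303, 30308}
LEGACY_C2_ROUTES = {"/s", "/set", "/q", "/query"}

# Host indicators: the scheduled task name quoted in the write-up, and the
# registry locations where Windows Defender stores exclusions (standard
# Windows locations, not campaign-specific).
TASK_NAME = "EdgeResourcesInstallerV12-issg"
DEFENDER_EXCLUSION_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions",
)
# Assumed threshold: the loader is padded past 700 MB, larger than many
# sandboxes and upload scanners will accept.
OVERSIZED_BYTES = 700 * 1024 * 1024


@dataclass
class Hit:
    event_id: str
    reason: str


def check_network(ev: dict) -> Optional[str]:
    """Match the websocket C2 pattern or the older HTTP C2 pattern."""
    port, path = ev.get("dst_port"), ev.get("path", "")
    if port == WS_C2_PORT and path.startswith(WS_C2_ROUTE):
        return "websocket C2 pattern: port 30000, route /config"
    if port in LEGACY_C2_PORTS and path in LEGACY_C2_ROUTES:
        return f"legacy HTTP C2 pattern: port {port}, route {path}"
    return None


def check_task(ev: dict) -> Optional[str]:
    """Match the persistence task by name; Task Scheduler paths carry a leading backslash."""
    name = ev.get("task_name", "").lstrip("\\").lower()
    if name == TASK_NAME.lower():
        return f"scheduled task {TASK_NAME} created"
    return None


def check_registry(ev: dict) -> Optional[str]:
    """Flag any write under the Defender exclusion keys (case-insensitive prefix match)."""
    key = ev.get("key", "").lower()
    if any(key.startswith(k.lower()) for k in DEFENDER_EXCLUSION_KEYS):
        return f"Defender exclusion written: {ev.get('key')}"
    return None


def check_file(ev: dict) -> Optional[str]:
    """Flag oversized installers, the padding trick used by the initial loader."""
    name, size = ev.get("name", "").lower(), ev.get("size", 0)
    if name.endswith((".exe", ".msi")) and size >= OVERSIZED_BYTES:
        return f"oversized installer {ev['name']} ({size // (1024 * 1024)} MB)"
    return None


CHECKS = {
    "network": check_network,
    "task_create": check_task,
    "registry_set": check_registry,
    "file_create": check_file,
}


def scan(events: list) -> list:
    """Run the checker for each event type; at most one Hit per event, in input order."""
    hits = []
    for ev in events:
        checker = CHECKS.get(ev.get("type"))
        if checker is None:
            continue
        reason = checker(ev)
        if reason:
            hits.append(Hit(ev["id"], reason))
    return hits


# Constructed sample telemetry (not captured from a real host)
SAMPLE_EVENTS = [
    {"id": "e1", "type": "network", "dst_port": 30000, "path": "/config"},
    {"id": "e2", "type": "network", "dst_port": 443, "path": "/config"},
    {"id": "e3", "type": "network", "dst_port": 30303, "path": "/query"},
    {"id": "e4", "type": "task_create", "task_name": "\\EdgeResourcesInstallerV12-issg"},
    {"id": "e5", "type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "value": r"C:\Users\Public"},
    {"id": "e6", "type": "file_create", "name": "installer.exe", "size": 760 * 1024 * 1024},
    {"id": "e7", "type": "file_create", "name": "setup.exe", "size": 5 * 1024 * 1024},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.event_id}: {hit.reason}")
```

Run as-is it reports e1, e3, e4, e5 and e6; the port-443 request to /config (e2) and the small installer (e7) are deliberately left unflagged, since the route alone and the .exe name alone are too generic to alert on. In practice the event dictionaries would be built from proxy logs, Sysmon event ID 13 (registry value set) and Task Scheduler operational logs, and the Defender exclusion check should be paired with a review of the excluded paths themselves, because any exclusion written by a non-administrative installer is suspicious regardless of this campaign.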

Read more: https://www.bitdefender.com/en-us/blog/labs/the-scam-that-wont-quit-malicious-tradingview-premium-ads-jump-from-meta-to-google-and-youtube