JSFireTruck JavaScript Attack Infects 269,000+ Web Pages in 2025

JSFireTruck Campaign Infects 270,000+ Websites with Obfuscated JavaScript, Redirects Search Engine Traffic to Malware and Scams

  • Researchers identified a widespread campaign using obfuscated JavaScript to infect legitimate websites.
  • The campaign, named “JSFireTruck,” uses an obscure coding technique to hide the real purpose of the code.
  • Compromised websites redirect users coming from search engines to malicious links that may deliver Malware or scams.
  • Nearly 270,000 web pages were reported infected between March and April 2025, with a major spike in mid-April.
  • A separate service, HelloTDS, is used to conditionally redirect users to scams like fake browser updates and cryptocurrency frauds.

Cybersecurity experts reported a large-scale attack infecting legitimate websites with hidden JavaScript code. The campaign actively redirects users to dangerous pages if they arrive from popular search engines, increasing the risk of malware or scam exposure.

- Advertisement -

Research from Palo Alto Networks Unit 42 found 269,552 web pages infected with obfuscated JavaScript between March 26 and April 25, 2025. A single day in April saw over 50,000 compromised pages. The unsafe code relies on a method known as “JSFuck,” an approach that writes programs using only a few characters to make detection and analysis harder.

According to security researchers Hardik Shah, Brad Duncan, and Pranay Kumar Chhaparwal, the team observed that multiple sites contained malicious JavaScript using a unique technique called JSFireTruck. The injected code checks if visitors arrive from search engines like Google, Bing, DuckDuckGo, Yahoo!, or AOL. If they do, it redirects them to malicious websites that can deliver malware, exploit kits, or fraudulent ads. “The code’s obfuscation hides its true purpose, hindering analysis,” the authors explained. The widespread infections suggest a coordinated effort to use real websites as tools for further attacks.

The report also highlights the emergence of “HelloTDS,” a Traffic Distribution Service that picks which scam to show a victim based on their device details. Gen Digital described how HelloTDS delivers fake CAPTCHA puzzles, tech support scams, bogus browser upgrades, and cryptocurrency fraud using JavaScript code hosted on remote sites. Victims are screened using information such as their location, IP address, and browser behavior. If the user does not match specific attack conditions, the code sends them to safe content instead.

Researchers Vojtěch Krejsa and Milan Špinka noted that attackers often disguise their activity on streaming sites, file-sharing platforms, or through malicious ads. Some schemes use trick questions to get users to run harmful software, like PEAKLIGHT, which is known for stealing sensitive information.

The infrastructure supporting HelloTDS mainly uses generic top-level domains such as .top, .shop, and .com to host harmful code. The campaigns incorporate advanced tactics such as browser fingerprinting and switching domains to avoid detection, making it harder for security tools to block attacks.

For more, see the original analysis by Palo Alto Networks Unit 42 here and Gen Digital‘s details on HelloTDS here. Information on the JSFuck technique can be found at this resource.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -

Latest News

Hamak Gold to Hold Bitcoin in Treasury, Aims for UK Leadership

Hamak Gold is moving part of its treasury funds into Bitcoin while continuing gold...

Symbolic 200 BRICS Bank Note Unveiled at 2025 Summit Sparks Buzz

A 200-denominated BRICS bank note appeared at the 2025 St. Petersburg forum, generating discussions...

$8.6B Bitcoin Move Sparks New Speculation Over Satoshi’s Identity

Bitcoin saw a record $8.6 billion transferred from dormant wallets in what is called...

Hong Kong to Expand Tokenized Bond Program, Eyes Regular Issuance

Hong Kong plans to expand its tokenized bond offerings and aims to make them...

Taiwan NSB Warns of Data Privacy Risks from China-Made Apps

Taiwan’s National Security Bureau (NSB) warns about security risks in China-developed apps like RedNote,...

Must Read

The Ultimate Guide on How to Understand a Cryptocurrency White Paper

Today, cryptocurrency is a popular buzzword. We hear about it on the news, we read about it on the Internet. Yet, people are reluctant to...