JSFireTruck JavaScript Attack Infects 269,000+ Web Pages in 2025

JSFireTruck Campaign Infects 270,000+ Websites with Obfuscated JavaScript, Redirects Search Engine Traffic to Malware and Scams

  • Researchers identified a widespread campaign using obfuscated JavaScript to infect legitimate websites.
  • The campaign, named “JSFireTruck,” uses an obscure coding technique to hide the real purpose of the code.
  • Compromised websites redirect users coming from search engines to malicious links that may deliver Malware or scams.
  • Nearly 270,000 web pages were reported infected between March and April 2025, with a major spike in mid-April.
  • A separate service, HelloTDS, is used to conditionally redirect users to scams like fake browser updates and cryptocurrency frauds.

Cybersecurity experts reported a large-scale attack infecting legitimate websites with hidden JavaScript code. The campaign actively redirects users to dangerous pages if they arrive from popular search engines, increasing the risk of malware or scam exposure.

- Advertisement -

Research from Palo Alto Networks Unit 42 found 269,552 web pages infected with obfuscated JavaScript between March 26 and April 25, 2025. A single day in April saw over 50,000 compromised pages. The unsafe code relies on a method known as “JSFuck,” an approach that writes programs using only a few characters to make detection and analysis harder.

According to security researchers Hardik Shah, Brad Duncan, and Pranay Kumar Chhaparwal, the team observed that multiple sites contained malicious JavaScript using a unique technique called JSFireTruck. The injected code checks if visitors arrive from search engines like Google, Bing, DuckDuckGo, Yahoo!, or AOL. If they do, it redirects them to malicious websites that can deliver malware, exploit kits, or fraudulent ads. “The code’s obfuscation hides its true purpose, hindering analysis,” the authors explained. The widespread infections suggest a coordinated effort to use real websites as tools for further attacks.

The report also highlights the emergence of “HelloTDS,” a Traffic Distribution Service that picks which scam to show a victim based on their device details. Gen Digital described how HelloTDS delivers fake CAPTCHA puzzles, tech support scams, bogus browser upgrades, and cryptocurrency fraud using JavaScript code hosted on remote sites. Victims are screened using information such as their location, IP address, and browser behavior. If the user does not match specific attack conditions, the code sends them to safe content instead.

Researchers Vojtěch Krejsa and Milan Špinka noted that attackers often disguise their activity on streaming sites, file-sharing platforms, or through malicious ads. Some schemes use trick questions to get users to run harmful software, like PEAKLIGHT, which is known for stealing sensitive information.

The infrastructure supporting HelloTDS mainly uses generic top-level domains such as .top, .shop, and .com to host harmful code. The campaigns incorporate advanced tactics such as browser fingerprinting and switching domains to avoid detection, making it harder for security tools to block attacks.

For more, see the original analysis by Palo Alto Networks Unit 42 here and Gen Digital‘s details on HelloTDS here. Information on the JSFuck technique can be found at this resource.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -

Latest News

Prosecutors Weigh Charges Against Dragonfly Capital Over Tornado Cash

Prosecutors in New York said they may file criminal charges against employees at Dragonfly...

US, UK Employees Risk Data Leaks Using Chinese GenAI Tools, Study Finds

Employee use of Chinese generative AI tools in the US and UK is widespread...

Chris Larsen Sells $175M XRP, Sparks Centralization Concerns

Chris Larsen, Ripple's co-founder, transferred $175 million in XRP during a recent price rally,...

GENIUS Act Spurs Debate Over Stablecoin Redemption and Run Risks

The U.S. GENIUS Act on stablecoins has raised concerns about the safety and redemption...

FTSE 100 Breaks Out, London Stocks Rally Toward 10,000 Mark

The FTSE 100 index has recently surpassed the 9,000-point mark, indicating a new period...

Must Read

How to Buy VPN With Bitcoin Using CyberGhost VPN

In this step-by-step guide, you will learn how to purchase a VPN (Virtual Private Network) subscription using Bitcoin, a popular cryptocurrency, and CyberGhost VPN,...