- Researchers identified a widespread campaign using obfuscated JavaScript to infect legitimate websites.
- The campaign, named “JSFireTruck,” uses an obscure coding technique to hide the real purpose of the code.
- Compromised websites redirect users coming from search engines to malicious links that may deliver Malware or scams.
- Nearly 270,000 web pages were reported infected between March and April 2025, with a major spike in mid-April.
- A separate service, HelloTDS, is used to conditionally redirect users to scams like fake browser updates and cryptocurrency frauds.
Cybersecurity experts reported a large-scale attack infecting legitimate websites with hidden JavaScript code. The campaign actively redirects users to dangerous pages if they arrive from popular search engines, increasing the risk of malware or scam exposure.
Research from Palo Alto Networks Unit 42 found 269,552 web pages infected with obfuscated JavaScript between March 26 and April 25, 2025. A single day in April saw over 50,000 compromised pages. The unsafe code relies on a method known as “JSFuck,” an approach that writes programs using only a few characters to make detection and analysis harder.
According to security researchers Hardik Shah, Brad Duncan, and Pranay Kumar Chhaparwal, the team observed that multiple sites contained malicious JavaScript using a unique technique called JSFireTruck. The injected code checks if visitors arrive from search engines like Google, Bing, DuckDuckGo, Yahoo!, or AOL. If they do, it redirects them to malicious websites that can deliver malware, exploit kits, or fraudulent ads. “The code’s obfuscation hides its true purpose, hindering analysis,” the authors explained. The widespread infections suggest a coordinated effort to use real websites as tools for further attacks.
The report also highlights the emergence of “HelloTDS,” a Traffic Distribution Service that picks which scam to show a victim based on their device details. Gen Digital described how HelloTDS delivers fake CAPTCHA puzzles, tech support scams, bogus browser upgrades, and cryptocurrency fraud using JavaScript code hosted on remote sites. Victims are screened using information such as their location, IP address, and browser behavior. If the user does not match specific attack conditions, the code sends them to safe content instead.
Researchers Vojtěch Krejsa and Milan Špinka noted that attackers often disguise their activity on streaming sites, file-sharing platforms, or through malicious ads. Some schemes use trick questions to get users to run harmful software, like PEAKLIGHT, which is known for stealing sensitive information.
The infrastructure supporting HelloTDS mainly uses generic top-level domains such as .top, .shop, and .com to host harmful code. The campaigns incorporate advanced tactics such as browser fingerprinting and switching domains to avoid detection, making it harder for security tools to block attacks.
For more, see the original analysis by Palo Alto Networks Unit 42 here and Gen Digital‘s details on HelloTDS here. Information on the JSFuck technique can be found at this resource.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Amazon, Walmart Consider Stablecoins as GENIUS Act Faces Senate Vote
- Cryptocurrency Goes Mainstream: Casinos, Payments, and Global Growth
- Bitcoin Plunges After Israel-Iran Clash, Markets Await White House Update
- CoinDesk 20 Index Falls 4.4%, No Assets in the Green Today
- Don Quijote Parent PPIH Launches Youth-Focused Digital Bond