Palo Alto Networks researchers have uncovered a global campaign that infected over a quarter of a million websites with malicious JavaScript code. A new obfuscation method called JSFireTruck targets visitors arriving from search engines, redirecting them to pages with malware, exploits, and fake CAPTCHAs.

This attack is based on the JSFuck technique, where the code is written using only the symbols [, ], +, $, {, }. This non-standard form allows attackers to hide malicious functionality and complicates analysis.
JSFireTruck triggers when the referrer is Google, Bing, DuckDuckGo, Yahoo!, or AOL: the user is instantly redirected to a malicious page. There they are met with:
malware and exploits,
fraudulent browser updates,
fake tech support,
cryptocurrency scams.
The peak of infections was recorded on April 12, 2025 — more than 50,000 sites in just one day. In total, 269,552 infections were recorded during the month.
In parallel, researchers from Gen Digital discovered a new traffic distribution system (TDS), HelloTDS, which uses JavaScript to conditionally redirect users to fake CAPTCHA pages, install unwanted extensions, or run malicious scripts. HelloTDS performs full browser and geolocation tracking, analyzes IP addresses, uses scripts on .top, .shop, and .com domains, and denies access to users with VPNs or headless browsers.
The JSFireTruck and HelloTDS campaigns demonstrate a high level of automation and adaptability. Their success lies in the combination of sophisticated obfuscation, dynamic redirects, and multi-level user filtering. This once again emphasizes that classic antiviruses are powerless against sophisticated browser attacks. Protection should begin with monitoring code behavior and analyzing scripts in real time.
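For site owners checking their own pages, the six-character alphabet described above gives a simple static signal: ordinary scripts rarely contain long unbroken runs of [, ], +, $, {, }. The following is an added example, not code from Palo Alto Networks or Gen Digital; the function names, the threshold of 32 characters and the sample page are assumptions made for illustration.

```javascript
// Added example: flags inline scripts dominated by the six characters the
// article lists for this obfuscation: [ ] + $ { }
const CHARSET_RUN = /[\[\]+${}]+/g;

// Assumed threshold, not a value from the research; tune on your own site.
const MIN_RUN = 32;

// Pull inline <script> bodies out of a page. Regex extraction is enough for
// triaging files on disk; it is not a full HTML parser.
function inlineScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim()) bodies.push(m[1]);
  }
  return bodies;
}

// Longest unbroken run of charset-only characters, and their overall share.
function measure(script) {
  const body = script.replace(/\s+/g, "");
  let longest = 0;
  let total = 0;
  for (const run of body.match(CHARSET_RUN) || []) {
    total += run.length;
    longest = Math.max(longest, run.length);
  }
  return { longest, ratio: body.length ? total / body.length : 0 };
}

// Report the scripts whose longest run reaches the threshold.
function scanPage(html) {
  return inlineScripts(html)
    .map((script, index) => ({ index, ...measure(script) }))
    .filter((r) => r.longest >= MIN_RUN);
}

// Constructed sample: one ordinary script, one filler string in the
// six-character alphabet (not a working payload).
const SAMPLE_HTML = [
  "<script>const cfg = {}; const items = []; items.push(cfg);</script>",
  "<script>var x = " + "[]+{}+[$]+".repeat(12) + "[];</script>",
].join("\n");

console.log(scanPage(SAMPLE_HTML));
```

A hit is a reason to diff the file against a known-good copy, not proof of compromise; the `ratio` field helps rank results when many pages are scanned.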