Mass Website Hijacking Campaign Exploits JSFuck Obfuscation to Deploy Search Engine-Triggered Malware Distribution

Security experts have identified an extensive malicious operation targeting legitimate websites through the injection of concealed JavaScript code designed to compromise unsuspecting visitors.

Palo Alto Networks' Unit 42 division reports that attackers are utilizing a technique called JSFuck—an unconventional programming method that constructs JavaScript using only six basic symbols—to hide their malicious intentions. Due to the explicit nature of the original term, researchers have dubbed this approach "JSFireTruck."

"Numerous websites contain embedded hostile JavaScript utilizing JSFireTruck concealment, constructed mainly from the characters [, ], +, $, {, and }," explained security analysts Hardik Shah, Brad Duncan, and Pranay Kumar Chhaparwal. "This obfuscation masks the code's actual function, making detection and analysis difficult."

Investigation reveals the injected scripts examine the "document.referrer" value to determine the source of web traffic. When visitors arrive from major search platforms including Google, Bing, DuckDuckGo, Yahoo!, or AOL, the malicious code automatically redirects them to dangerous websites hosting malware, exploits, fraudulent advertising, or traffic monetization schemes.
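A defender-side heuristic for the obfuscation described above, as an added example that is not Unit 42's detection logic or code from the campaign: it pulls inline script bodies out of a page and flags any that contain a long uninterrupted run of obfuscation symbols, which also catches a fragment appended to an otherwise normal script. The symbol set is the one quoted above plus `(`, `)` and `!` from classic JSFuck; the function names, the `MIN_RUN` threshold and the sample page are assumptions constructed for illustration.

```javascript
// Added example: flag inline scripts containing long runs of JSFuck-style symbols.
// Assumption: runs this long are rare in hand-written or minified JavaScript.
const SYMBOLS = new Set('[]+${}()!');
const MIN_RUN = 100; // assumed threshold; tune against your own pages

// Return the non-empty inline bodies of <script> elements in an HTML string.
function extractInlineScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim().length > 0) bodies.push(m[1]);
  }
  return bodies;
}

// Length of the longest run of symbol characters; whitespace does not break a run.
function longestSymbolRun(code) {
  let best = 0, run = 0;
  for (const ch of code) {
    if (/\s/.test(ch)) continue;
    run = SYMBOLS.has(ch) ? run + 1 : 0;
    if (run > best) best = run;
  }
  return best;
}

// Report inline scripts (by position among inline scripts) that exceed MIN_RUN.
function scanHtml(html) {
  return extractInlineScripts(html)
    .map((code, index) => ({ index, length: code.length, longestRun: longestSymbolRun(code) }))
    .filter((finding) => finding.longestRun >= MIN_RUN);
}

// Constructed sample: one ordinary script, one with a symbol-only fragment appended.
const obfuscatedLike = '(![]+[])[+[]]+'.repeat(20) + '[]'; // inert text, never evaluated
const SAMPLE_HTML = [
  '<html><head>',
  '<script>var a = [1, 2]; if (!a[0]) { a.push(3); }</script>',
  '<script>var t = 1;' + obfuscatedLike + '</script>',
  '</head><body>ok</body></html>',
].join('\n');

console.log(scanHtml(SAMPLE_HTML));
```

A hit is a reason to review the page and how the script got there, not proof of compromise; the referrer check itself is hidden inside the obfuscated text, so static scanning can only surface the wrapper.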

Unit 42's monitoring systems detected 269,552 compromised web pages utilizing the JSFireTruck method between March 26 and April 25, 2025. The campaign reached its peak on April 12, with over 50,000 infected pages discovered within 24 hours.

"This operation's magnitude and stealth capabilities represent a serious security risk," researchers noted. "The extensive scope of these infections indicates an organized attempt to weaponize trusted websites for subsequent malicious operations."

Introducing HelloTDS Infrastructure

Simultaneously, Gen Digital researchers uncovered a sophisticated Traffic Distribution Service named HelloTDS, engineered to selectively redirect website visitors to fraudulent CAPTCHA prompts, technical support scams, fake software updates, unwanted browser extensions, and cryptocurrency fraud schemes through remotely injected JavaScript.

The TDS functions as a filtering mechanism, analyzing visitor characteristics to determine appropriate malicious content delivery. Unsuitable targets are simply redirected to harmless websites.

"Campaign entry points include compromised streaming platforms, file-sharing services, and malicious advertising networks," stated researchers Vojtěch Krejsa and Milan Špinka in their recent findings.

"Targets undergo evaluation based on geographic location, IP address, and browser characteristics; connections via VPNs or automated browsers are identified and blocked."

Certain attack sequences deploy fraudulent CAPTCHA pages employing the ClickFix methodology to manipulate users into executing harmful code, ultimately infecting systems with PEAKLIGHT malware (also known as Emmenhtal Loader), which facilitates the deployment of information-stealing tools like Lumma.

The HelloTDS network relies on .top, .shop, and .com domains to host JavaScript payloads and execute redirections through a sophisticated multi-stage fingerprinting system designed to gather network and browser intelligence.

"The HelloTDS framework supporting fake CAPTCHA operations illustrates how cybercriminals continuously evolve their techniques to circumvent conventional security measures, avoid detection, and precisely target victims," researchers concluded.

"Through advanced fingerprinting capabilities, dynamic domain management, and deceptive practices—including mimicking legitimate sites and delivering harmless content to security researchers—these campaigns achieve both concealment and widespread impact."