Massive JavaScript Injection Campaign Hijacks 150,000 Sites to Promote Chinese Gambling Platforms
A large-scale cyber campaign has compromised nearly 150,000 websites by injecting malicious JavaScript, redirecting visitors to Chinese-language gambling platforms.

JavaScript Injection Expands Across Thousands of Websites
According to c/side security analyst Himanshu Anand, the attackers have slightly altered their tactics but continue to rely on iframe injections to display full-screen overlays that hijack the victim's browser session.
Current statistics from PublicWWW reveal that over 135,800 sites still contain the JavaScript payload responsible for these unauthorized redirections.
The attack mechanism involves:
- Injecting malicious JavaScript into websites.
- Redirecting site visitors to gambling pages hosted on five different domains (e.g., "zuizhongyj[.]com").
- Deploying fake overlays impersonating well-known betting platforms such as Bet365, complete with official branding and logos.
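A defender-side check for the injection pattern listed above, as an added example that is not from c/side or the original article: it audits a page's HTML (ideally a rendered DOM snapshot, since an overlay iframe can be created by script at runtime) for scripts or iframes loaded from hosts outside an allowlist and for iframes styled to cover the whole viewport. The allowlist, the sample markup and the `example.*` hosts are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts this site legitimately loads scripts/frames from.
ALLOWED_HOSTS = {"www.example.org", "cdn.example.org"}

def external_host(url):
    """Host of an absolute or scheme-relative URL; '' for relative URLs."""
    if url.startswith("//"):
        url = "https:" + url
    return urlparse(url).hostname or ""

def is_fullscreen(style):
    """True if an inline style pins the element over the whole viewport."""
    props = {}
    for decl in style.lower().split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            props[key.strip()] = value.replace("!important", "").strip()
    covers = (props.get("width") in ("100%", "100vw")
              and props.get("height") in ("100%", "100vh"))
    return covers and props.get("position") in ("fixed", "absolute")

class InjectionAudit(HTMLParser):
    def __init__(self, allowed):
        super().__init__()
        self.allowed, self.findings = allowed, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        host = external_host(a.get("src") or "")
        if tag in ("script", "iframe") and host and host not in self.allowed:
            self.findings.append((tag, host, "unlisted-host"))
        if tag == "iframe" and is_fullscreen(a.get("style") or ""):
            self.findings.append((tag, host, "fullscreen-overlay"))

def audit(html, allowed=ALLOWED_HOSTS):
    parser = InjectionAudit(allowed)
    parser.feed(html)
    return parser.findings

# Constructed sample page: two legitimate scripts, one injected script,
# and one full-viewport iframe overlay.
SAMPLE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script src="//injected.example.net/x.js"></script>
</head><body>
<iframe src="https://overlay.example.net/" style="position:fixed; top:0; left:0; width:100%; height:100%; z-index:99999"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run on a schedule against key pages, a check like this surfaces new third-party script hosts early; a `Content-Security-Policy` restricting `script-src` and `frame-src` to the same allowlist blocks them in the browser.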
Client-Side Attacks on the Rise
Anand warns that client-side attacks are becoming more sophisticated and frequent, with cybercriminals continuously expanding their reach and refining obfuscation techniques.
GoDaddy Uncovers Long-Running WordPress Exploits
In a related discovery, GoDaddy has exposed a separate malware campaign named DollyWay World Domination, which has been active since 2016 and has compromised over 20,000 websites globally.
As of February 2025, this operation has infected more than 10,000 unique WordPress sites, using injected redirect scripts to funnel visitors through traffic broker networks linked to VexTrio, a notorious cybercriminal affiliate network.
The attack strategy includes:
- Dynamically generated scripts that redirect traffic to scam pages.
- Exploiting WordPress plugins by injecting malicious PHP code to maintain control.
- Disabling security plugins and stealing admin credentials to ensure long-term persistence.
Shifting Tactics and Infrastructure Disruptions
Around November 2024, DollyWay’s command-and-control (C2) infrastructure underwent major disruptions, with attackers deleting several TDS (Traffic Direction System) servers. The redirect URLs are now being sourced from a Telegram channel named "trafficredirect", signaling an effort to adapt their operations despite setbacks.
GoDaddy researchers believe that the disruption of DollyWay’s relationship with the LosPollos network has significantly impacted the operation, though cybercriminals continue seeking alternative traffic monetization methods.
Conclusion: Ongoing Threats Demand Vigilance
These findings highlight how cybercriminals continuously evolve their techniques, reinforcing the need for website administrators to implement robust security measures to prevent JavaScript and PHP-based injections.