Cybersecurity researchers are calling attention to a “large-scale campaign” that has been observed compromising legitimate websites with malicious JavaScript injections.
According to Palo Alto Networks Unit 42, these malicious injects are obfuscated using JSFuck, which refers to an “esoteric and educational programming style” that uses only a limited set of characters to write and execute code.
The cybersecurity company has given the technique an alternate name JSFireTruck owing to the profanity involved.
“Multiple websites have been identified with injected malicious JavaScript that uses JSFireTruck obfuscation, which is composed primarily of the symbols [, ], +, $, {, and },” security researchers Hardik Shah, Brad Duncan, and Pranay Kumar Chhaparwal said. “The code’s obfuscation hides its true purpose, hindering analysis.”
Further analysis has determined that the injected code is designed to check the website referrer (“document.referrer“), which identifies the address of the web page from which a request originated.
Should the referrer be a search engine such as Google, Bing, DuckDuckGo, Yahoo!, or AOL, the JavaScript code redirects victims to malicious URLs that can deliver malware, exploits, traffic monetization, and malvertising.
Unit 42 said its telemetry uncovered 269,552 web pages that have been infected with JavaScript code using the JSFireTruck technique between March 26 and April 25, 2025. A spike in the campaign was first recorded on April 12, when over 50,000 infected web pages were recorded in a single day.
“The campaign’s scale and stealth pose a significant threat,” the researchers said. “The widespread nature of these infections suggests a coordinated effort to compromise legitimate websites as attack vectors for further malicious activities.”
Say Hello to HelloTDS
The development comes as Gen Digital took the wraps off a sophisticated Traffic Distribution Service (TDS) called HelloTDS that’s designed to conditionally redirect site visitors to fake CAPTCHA pages, tech support scams, fake browser updates, unwanted browser extensions, and cryptocurrency scams through remotely-hosted JavaScript code injected into the sites.
The primary objective of the TDS is to act as a gateway, determining the exact nature of content to be delivered to the victims after fingerprinting their devices. If the user is not deemed a suitable target, the victim is redirected to a benign web page.
“The campaign entry points are infected or otherwise attacker-controlled streaming websites, file sharing services, as well as malvertising campaigns,” researchers Vojtěch Krejsa and Milan Špinka said in a report published this month.
“Victims are evaluated based on geolocation, IP address, and browser fingerprinting; for example, connections through VPNs or headless browsers are detected and rejected.”
Some of these attack chains have been found to serve bogus CAPTCHA pages that leverage the ClickFix strategy to trick users into running malicious code and infecting their machines with a malware known as PEAKLIGHT (aka Emmenhtal Loader), which is known to server information stealers like Lumma.
Central to the HelloTDS infrastructure is the use of .top, .shop, and .com top-level domains that are used to host the JavaScript code and trigger the redirections following a multi-stage fingerprinting process engineered to collect network and browser information.
“The HelloTDS infrastructure behind fake CAPTCHA campaigns demonstrates how attackers continue to refine their methods to bypass traditional protections, evade detection, and selectively target victims,” the researchers said.
“By leveraging sophisticated fingerprinting, dynamic domain infrastructure, and deception tactics (such as mimicking legitimate websites and serving benign content to researchers) these campaigns achieve both stealth and scale.”
