Over 269,000 Websites Compromised by Obfuscated JavaScript Malware in Stealth Campaign

A massive cyber attack has been uncovered, with over 269,000 legitimate websites compromised by malicious JavaScript code. Researchers from Palo Alto Networks’ Unit 42 found that this widespread attack started in late March 2025 and peaked on April 12 when over 50,000 infections were seen in a single day.

The malicious code is heavily obfuscated using a technique called “JSFuck,” an unconventional JavaScript programming method that uses only six characters: [, ], +, $, {, and }. Due to the characters involved, the researchers called it “JSFireTruck,” a name that reflects the chaos of the code.

Unit 42 said this obfuscation method hides the script’s true purpose, making it harder for analysts and automated tools to detect or understand what the code does.

Redirection based on visitor behavior

The injected JavaScript checks document.referrer, the browser property that records which page the visitor came from. If the visitor arrived from a search engine such as Google, Bing, Yahoo!, DuckDuckGo, or AOL, they are silently redirected to malicious sites. These destinations vary, but many are used to spread malware, deliver phishing attacks, or generate revenue through malvertising.

According to Hardik Shah, Brad Duncan, and Pranay Kumar Chhaparwal, this lets the attackers target organic web traffic, which is composed of individuals who are more likely to be genuine and inquisitive, rather than bots or analysts. They believe the campaign is coordinated and is using trusted websites as gateways for further malicious activities, including data theft, exploit delivery, and user tracking across multiple platforms.

HelloTDS adds another layer to the threat

Meanwhile, security experts from Gen Digital found another related threat: a sophisticated Traffic Distribution System (TDS) called HelloTDS. This injects JavaScript into infected websites and evaluates incoming visitors based on device fingerprinting, IP address, and location.

If the visitor matches the criteria, they may be redirected to fake CAPTCHA pages, fraudulent tech support alerts, deceptive browser update prompts, or phishing sites impersonating trusted services like banks or email providers.

In some cases, this leads to the download of malware, including a loader called PEAKLIGHT. PEAKLIGHT is known to deploy information stealers such as Lumma, which can exfiltrate user data. If, however, the fingerprinting identifies the visitor as a likely security researcher, a VPN user, or a headless browser, the visitor is sent to a benign page instead; this is part of the campaign's effort to avoid detection.

Security analysts Vojtěch Krejsa and Milan Špinka found that HelloTDS uses domains ending in .top, .shop, and .com to host the JavaScript payloads. This dynamic infrastructure allows the attackers to adjust their campaigns in real time and bypass traditional security filters.

More sophisticated techniques

Experts say JSFireTruck and HelloTDS are part of a bigger trend of more advanced threats. Obfuscated JavaScript, targeted redirects, and deceptive content allow these campaigns to scale and stay under the radar.

Researchers recommend regular website security audits, timely software updates, and advanced threat detection tools. As these threats get more clever, website admins and users need to stay on their toes to prevent breaches, protect user data, and maintain trust.
