150,000 Websites Hacked via JavaScript Injection to Promote Chinese Gambling Platforms

A large-scale cyber campaign has compromised approximately 150,000 websites by injecting malicious JavaScript to promote Chinese-language gambling platforms. 

Security analyst Himanshu Anand from c/side reports that while the attackers have slightly modified their interface, they continue to use iframe injections to create a full-screen overlay in visitors' browsers. At the time of writing, PublicWWW statistics indicate that over 135,800 sites contain this JavaScript payload. 

This campaign works by infecting websites with JavaScript designed to hijack user browser sessions, redirecting visitors to gambling sites. The redirections are facilitated through JavaScript hosted on multiple domains, such as "zuizhongyj[.]com," which serve the main payload responsible for these redirects. 

A second variation of the attack injects script and iframe elements into HTML pages that mimic well-known betting websites such as Bet365, using their official logos and branding. The end goal is the same: overlay a full-screen gambling page on top of the legitimate site content using CSS. 
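Both variations described above leave the same two footprints in the served page: a script loaded from a domain the site owner never approved, and an iframe styled to cover the whole viewport. The following scanner is an added example for site owners checking their own pages; it is not c/side's tooling. It uses only the Python standard library, and the allow-list, the sample page and the `.invalid` hostnames are constructed placeholders rather than real infrastructure.

```python
"""Added example: scan a served HTML page for the two injection patterns
described above, namely <script src> tags loading from domains outside an
allow-list and <iframe> elements styled as full-viewport overlays.
Uses only the standard library; the allow-list and sample page are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline style rules that together make an element cover the whole viewport.
_OVERLAY_RULES = (
    re.compile(r"position\s*:\s*(fixed|absolute)"),
    re.compile(r"width\s*:\s*100(%|vw)"),
    re.compile(r"height\s*:\s*100(%|vh)"),
)


def is_fullscreen_overlay(style: str) -> bool:
    """True when an inline style positions the element to fill the viewport."""
    style = style.lower()
    return all(rule.search(style) for rule in _OVERLAY_RULES)


class InjectionScanner(HTMLParser):
    """Collects (finding_type, host) tuples while parsing."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "script" and attr.get("src"):
            host = urlparse(attr["src"]).hostname
            # A relative src has no host: same-origin, not flagged here.
            if host and host.lower() not in self.allowed_hosts:
                self.findings.append(("external-script", host.lower()))
        elif tag == "iframe" and is_fullscreen_overlay(attr.get("style", "")):
            host = urlparse(attr.get("src", "")).hostname or "(no src)"
            self.findings.append(("fullscreen-iframe", host.lower()))


def scan_html(html: str, allowed_hosts) -> list:
    """Return every finding for one page given the site's script allow-list."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate CDN script, one same-origin script,
# one ordinary embed, plus an injected loader and a full-screen overlay iframe.
# The .invalid hosts are placeholders, not real infrastructure.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script src="/static/site.js"></script>
<script src="//injected-host.invalid/loader.js"></script>
</head><body>
<iframe src="https://www.example.org/embed/video" width="560" height="315"></iframe>
<iframe src="https://overlay.invalid/landing"
        style="position:fixed;top:0;left:0;width:100vw;height:100vh;z-index:999999;border:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, host in scan_html(SAMPLE_HTML, ["cdn.example.com"]):
        print(f"{kind}: {host}")
```

Because the overlay in this campaign is built by the injected script at runtime, feed the scanner the DOM as rendered (for example a headless browser's serialized `document.documentElement.outerHTML`) rather than the raw HTML from disk, otherwise the iframe check sees nothing. A Content-Security-Policy with a strict `script-src` allow-list and `frame-src` restriction stops the same two patterns at the browser rather than after the fact.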

Anand highlights how this attack exemplifies the evolving tactics of cybercriminals, who continuously expand their reach and employ new obfuscation methods. He also notes the increasing prevalence of client-side attacks, with new discoveries surfacing daily. 

Meanwhile, GoDaddy has disclosed details of a separate malware campaign called DollyWay World Domination, which has infected over 20,000 websites worldwide since 2016. As of February 2025, more than 10,000 unique WordPress sites have been affected. 

This malware primarily targets visitors of compromised WordPress sites through injected redirect scripts, utilizing a distributed Traffic Direction System (TDS) hosted on hacked websites. Security researcher Denis Sinegubko explains that these scripts redirect users to scam pages via traffic broker networks, including VexTrio, a major cybercriminal affiliate network known for sophisticated DNS techniques and domain generation algorithms. 

The attack begins with a dynamically generated script injected into WordPress sites, leading visitors to VexTrio or LosPollos links. The attackers also use ad networks such as PropellerAds to monetize traffic. The server-side component is PHP code placed in active plugins; at the same time the malware disables security features, removes malicious admin accounts, and steals legitimate credentials. 
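PHP dropped into an already-active plugin loads on every request without any new plugin appearing in the dashboard, so the practical detection is file integrity: hash the plugins directory when it is known clean and diff against it later. The script below is an added example of that check, not GoDaddy's tooling; the plugin layout, the appended loader string and the dropped file are constructed fixtures, and the list of obfuscation functions it greps for is a generic starting point rather than a signature for DollyWay specifically.

```python
"""Added example: baseline-and-diff integrity check for a WordPress plugins
directory, flagging files that appeared or changed since the baseline and,
among those, PHP files containing common obfuscated-loader constructs.
Not GoDaddy's tooling; the plugin layout and injected content are constructed."""
import hashlib
import os
import re
import tempfile

# Constructs that appear far more often in injected loaders than in plugin code.
SUSPICIOUS_PHP = re.compile(
    rb"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\("
)


def compute_manifest(root: str) -> dict:
    """Map each file's path (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Classify paths as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def suspicious_php_files(root: str, paths) -> list:
    """Among the given paths, return the PHP files matching SUSPICIOUS_PHP."""
    hits = []
    for rel in paths:
        if not rel.endswith(".php"):
            continue
        with open(os.path.join(root, rel), "rb") as fh:
            if SUSPICIOUS_PHP.search(fh.read()):
                hits.append(rel)
    return hits


def check_plugins(root: str, baseline: dict) -> dict:
    """Compare the live plugins directory against a trusted baseline."""
    changes = diff_manifest(baseline, compute_manifest(root))
    changes["suspicious"] = suspicious_php_files(root, changes["added"] + changes["modified"])
    return changes


def demo() -> dict:
    """Build a clean plugin, baseline it, simulate an injection, and report."""
    with tempfile.TemporaryDirectory() as root:
        plugin = os.path.join(root, "sample-plugin")
        os.makedirs(plugin)
        main_php = os.path.join(plugin, "sample-plugin.php")
        with open(main_php, "w") as fh:
            fh.write("<?php\n/* Plugin Name: Sample */\nfunction sample_init() {}\n")
        baseline = compute_manifest(root)

        # Constructed compromise: an obfuscated loader appended to the active
        # plugin's entry file, plus an extra file dropped next to it.
        with open(main_php, "a") as fh:
            fh.write("eval(base64_decode('AAAA'));\n")
        with open(os.path.join(plugin, "cache.php"), "w") as fh:
            fh.write("<?php\n// placeholder dropped file\n")
        return check_plugins(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Store the baseline manifest off the web server (the same PHP that edits plugins can edit a manifest sitting beside them), refresh it only after a deliberate plugin update, and treat any "modified" entry in an active plugin as worth a manual look even when the keyword scan is silent, since a loader can be written without any of those functions.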

GoDaddy's findings indicate that the DollyWay TDS relies on a vast network of compromised WordPress sites as both TDS and command-and-control (C2) nodes, generating 9-10 million page impressions per month. Furthermore, redirect URLs linked to VexTrio originate from the LosPollos traffic broker network. 

In November 2024, the DollyWay operators reportedly removed several C2/TDS servers, shifting their TDS script to obtain redirect URLs from a Telegram channel named "trafficredirect." Sinegubko describes the severance of ties between DollyWay and LosPollos as a critical moment in the campaign. While the operators have swiftly adapted to new traffic monetization strategies, the abrupt infrastructure changes and partial service disruptions indicate a tangible impact on their operations. 
