
JSFireTruck Malware Hits 269K+ Sites in a Month

Cybersecurity researchers are raising concerns over a "large-scale campaign" that is compromising legitimate websites through the injection of malicious JavaScript code. 

Palo Alto Networks' Unit 42 reports that these injections are obfuscated with JSFuck, an esoteric programming style that produces working JavaScript from a very small set of characters. 

Unit 42 refers to the technique as JSFireTruck, a substitute name chosen because the original name contains profanity. 

"Several websites have been found to contain malicious JavaScript injections using JSFireTruck obfuscation, which primarily relies on the symbols [, ], +, $, {, and }," explained researchers Hardik Shah, Brad Duncan, and Pranay Kumar Chhaparwal. "This type of obfuscation hides the actual purpose of the code, making it more difficult to analyze." 

Further investigation revealed that the injected code checks the website's referrer using "document.referrer" to determine the origin of the visitor's request. 

If the referrer comes from a search engine like Google, Bing, DuckDuckGo, Yahoo!, or AOL, the script redirects the user to harmful websites. These destinations may deliver malware, exploit kits, monetization schemes, or malvertising.  
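As an added defensive illustration that is not part of the article or the Unit 42 report, the following triage function flags the two traits described above: long runs drawn only from the JSFireTruck symbol set, and a document.referrer check paired with search-engine names and a redirect. The threshold, the indicator weighting, and both sample snippets are constructed assumptions.

```javascript
// Added example: static triage for JSFireTruck-style injections.
// Symbol set taken from the Unit 42 description; threshold is an assumption.
const OBFUSCATION_CHARS = new Set(['[', ']', '+', '$', '{', '}']);

// Search engines the article names as the referrers that trigger the redirect.
const SEARCH_ENGINE_PATTERN = /google|bing|duckduckgo|yahoo|aol/i;

// Longest contiguous run of characters drawn only from the symbol set.
function longestSymbolRun(source) {
  let best = 0;
  let current = 0;
  for (const ch of source) {
    if (OBFUSCATION_CHARS.has(ch)) {
      current += 1;
      if (current > best) best = current;
    } else {
      current = 0;
    }
  }
  return best;
}

// Triage a script body: returns the indicators found and a verdict.
// minRun is an assumed threshold; ordinary code rarely has long symbol-only runs.
function triageScript(source, minRun = 40) {
  const indicators = [];
  const run = longestSymbolRun(source);
  if (run >= minRun) indicators.push(`symbol-only run of ${run} chars`);
  if (/document\.referrer/.test(source)) indicators.push('reads document.referrer');
  if (SEARCH_ENGINE_PATTERN.test(source)) indicators.push('matches search-engine names');
  if (/location\.(href|replace|assign)|window\.location/.test(source)) {
    indicators.push('performs redirect');
  }
  // Two or more independent indicators together are treated as suspicious.
  return { run, indicators, suspicious: indicators.length >= 2 };
}

// Constructed samples for illustration (not real injected code).
const BENIGN =
  'const items = [1, 2, 3]; items.forEach((x) => { console.log(x + 1); });';
const SUSPICIOUS =
  '$' + '[]+$[]+{}+[]+$[]'.repeat(6) +
  ';if(/google|bing/.test(document.referrer)){window.location.href="https://example.invalid/";}';

console.log(triageScript(BENIGN));      // suspicious: false
console.log(triageScript(SUSPICIOUS));  // suspicious: true
```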

According to Unit 42, telemetry data shows that 269,552 web pages were found to contain this kind of JavaScript injection between March 26 and April 25, 2025. A notable surge occurred on April 12, when over 50,000 infected pages were identified in a single day. 

"The campaign's scale and stealth represent a serious threat," the researchers noted. "The widespread infections suggest a coordinated strategy to use legitimate websites as platforms for malicious operations." 

Introducing HelloTDS 

This discovery coincides with the emergence of a new Traffic Distribution Service (TDS) called HelloTDS, documented by Gen Digital. HelloTDS selectively redirects site visitors to various scams, including fake CAPTCHA pages, fraudulent tech support sites, fake browser updates, harmful browser extensions, and cryptocurrency scams. These redirects are driven by remotely hosted JavaScript injected into the affected websites. 

The main role of HelloTDS is to function as a filter. It decides the type of content shown to each visitor by analyzing the user's device. If a visitor is not considered a valid target, they are redirected to a harmless web page. "Entry points for this campaign include compromised or attacker-controlled streaming sites, file-sharing platforms, and malvertising campaigns," reported researchers Vojtěch Krejsa and Milan Špinka. 

Visitors are evaluated using geolocation data, IP address, and browser fingerprinting. For instance, users connected through VPNs or using headless browsers are detected and filtered out. 

Some attack sequences involve fake CAPTCHA pages that employ a method known as ClickFix to deceive users into executing malicious code. This leads to infections with malware such as PEAKLIGHT, also known as Emmental Loader, which in turn delivers information-stealing tools like Lumma. A core feature of HelloTDS is its use of .top, .shop, and .com domains to host JavaScript and carry out redirects through a multi-step fingerprinting process that gathers browser and network details. 

"The HelloTDS network behind these fake CAPTCHA attacks highlights the evolving tactics used by cybercriminals," the researchers said. "By combining advanced fingerprinting, adaptive domain infrastructure, and convincing deception strategies such as mimicking legitimate websites and displaying safe content to analysts, these operations manage to be both stealthy and far-reaching." 
