A recent malware campaign has compromised over 35,000 websites, injecting malicious scripts that redirect users to Chinese-language gambling platforms.
The injected code hijacks the visitor's browser, covering the legitimate page with a full-screen advertisement for a gambling brand known as “Kaiyun.”
Security researchers have identified this campaign as one of the largest of its kind in recent years.
Technical Details of the Attack
The infection begins with the insertion of a single-line JavaScript tag into the source code of the targeted website.
This tag references domains such as zuizhongjs[.]com and mlbetjs[.]com, which together account for tens of thousands of infected sites.
Once the tag executes, the script loads further obfuscated code that writes new script elements into the page.
Those elements fetch the primary payload from the attacker-controlled domains.
The payload fingerprints the visitor's device and tailors the attack accordingly.
For instance, it identifies mobile devices with a function named isMobile() and adjusts its behavior based on the operating system.
A random delay of 500–1000 milliseconds is introduced before the redirect, a common trick for slipping past automated scanners that only inspect the page immediately after it loads.
Finally, the code injects an iframe that covers the entire viewport, so the visitor sees the gambling page instead of the site they requested.
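The two behaviours described above, a script element written into the page at runtime and an iframe that covers the viewport, can be caught from inside the browser as they happen. The following is an added example, not code from the article or from c/side: a small client-side monitor that classifies elements as they are inserted into the DOM. The allowlisted script hosts (www.example.com, cdn.example.com), the page origin, and the element descriptions used for testing are assumptions made for the demonstration.

```javascript
// Added example (not from the original article or from c/side): a runtime
// monitor for the two behaviours the article describes, dynamically written
// <script> elements and a full-viewport <iframe> overlay. The classifier works
// on a plain element description so it can be tested without a DOM; in a
// browser, installMonitor() feeds it from a MutationObserver.

// Hosts this (hypothetical) site legitimately loads scripts from: an assumption.
const TRUSTED_SCRIPT_HOSTS = new Set(["www.example.com", "cdn.example.com"]);
const PAGE_ORIGIN = "https://www.example.com"; // assumed origin, used to resolve relative src

function hostOf(url) {
  try { return new URL(url, PAGE_ORIGIN).hostname.toLowerCase(); }
  catch { return null; }
}

// True when the element's box starts at or above the top-left corner and is at
// least as large as the viewport, i.e. it hides the whole page underneath it.
function coversViewport(rect, viewport) {
  return Boolean(rect && viewport &&
    rect.x <= 0 && rect.y <= 0 &&
    rect.width >= viewport.width && rect.height >= viewport.height);
}

// node: { tag, src, rect: {x, y, width, height}, viewport: {width, height} }
// Verdicts: "allow", "report" (log it, cannot be stopped here), "block" (remove).
function classifyInsertedNode(node) {
  const tag = String(node.tag || "").toLowerCase();
  if (tag === "script" && node.src) {
    const host = hostOf(node.src);
    if (host === null || !TRUSTED_SCRIPT_HOSTS.has(host)) {
      // Removing a <script> after insertion does not cancel its execution, so
      // this can only be reported; real blocking belongs to CSP.
      return { verdict: "report", reason: `script written into page from untrusted host ${host}` };
    }
    return { verdict: "allow", reason: `script from trusted host ${host}` };
  }
  if (tag === "iframe" && coversViewport(node.rect, node.viewport)) {
    return { verdict: "block", reason: `full-viewport iframe pointing at ${hostOf(node.src)}` };
  }
  return { verdict: "allow", reason: "no indicator" };
}

// Browser-only: turn a live Element into the plain description above.
function describeElement(el) {
  const r = el.getBoundingClientRect();
  return {
    tag: el.tagName,
    src: el.getAttribute("src") || "",
    rect: { x: r.x, y: r.y, width: r.width, height: r.height },
    viewport: { width: window.innerWidth, height: window.innerHeight },
  };
}

// Browser-only: watch the whole document, report "report" verdicts and remove
// "block" verdicts. Returns null outside a browser so the module loads in tests.
function installMonitor(report = console.warn) {
  if (typeof MutationObserver === "undefined" || typeof document === "undefined") return null;
  const observer = new MutationObserver(mutations => {
    for (const m of mutations) {
      for (const n of m.addedNodes) {
        if (n.nodeType !== 1) continue; // elements only
        const result = classifyInsertedNode(describeElement(n));
        if (result.verdict === "report") report("suspicious:", result.reason, n);
        if (result.verdict === "block") { report("removed:", result.reason, n); n.remove(); }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

installMonitor();
```

Because the observer stays active for the life of the page, the 500–1000 millisecond delay the payload inserts before redirecting buys it nothing here, unlike a scan taken once at load time. Two limits worth knowing: the monitor measures geometry only at the moment of insertion, so an iframe resized to full screen afterwards also needs an attribute observer (the same classification can be run from that callback); and a script element that has already been inserted cannot be stopped by removing it, which is why untrusted scripts are only reported and enforcement is left to a Content Security Policy.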
Researchers have identified several domains associated with this campaign:
- mlbetjs[.]com (18,000+ infected websites)
- ptfafajs[.]com (9,000+ infected websites)
- zuizhongjs[.]com (4,800+ infected websites)
- jbwzzzjs[.]com (2,900+ infected websites)
These domains serve as hubs for distributing malicious scripts and redirecting traffic to fraudulent gambling platforms.
Potential Links to Megalayer Exploits
The campaign exhibits characteristics reminiscent of the Megalayer exploit, a known vector for distributing Chinese-language malware.
The Mandarin-language text, the domain naming pattern, and the obfuscation of the scripts suggest a connection to organized threat actors targeting Mandarin-speaking regions.
Website administrators are urged to take immediate action:
- Audit Source Code: Check for unauthorized <script> tags referencing suspicious domains.
- Block Malicious Domains: Use firewalls or DNS-level blocking to prevent communication with the known IoCs.
- Implement a Content Security Policy (CSP): Restrict script execution to trusted sources.
- Regular Scans: Use tools such as PublicWWW or URLScan to detect malicious injections, for example by searching for the IoC domains in your own site's source.
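The source audit and the CSP recommendation above can be exercised together. The following is an added example, not code from the article or from c/side: it pulls every external script tag out of raw page source, flags any whose host matches the published indicators (handling the defanged "[.]" form they are published in), and evaluates each script URL against a Content Security Policy with a deliberately simplified script-src matcher. The sample HTML, the page origin www.example.com, and both policies are constructed for the demonstration.

```javascript
// Added example (not code from the article or from c/side): static audit of
// page source for the injection pattern described above, plus a simplified
// check of whether a CSP script-src directive would have permitted each
// script. Sample HTML, page origin and policies are constructed for the demo.

// Indicators from the article, kept in the defanged form they were published in.
const IOC_DOMAINS = ["mlbetjs[.]com", "ptfafajs[.]com", "zuizhongjs[.]com", "jbwzzzjs[.]com"];

function refang(domain) {
  return domain.replace(/\[\.\]/g, ".").toLowerCase();
}

// Exact match or subdomain of an indicator; "zuizhongjs.com.other.test" must not match.
function isIocHost(hostname, iocs = IOC_DOMAINS) {
  const h = hostname.toLowerCase();
  return iocs.map(refang).some(d => h === d || h.endsWith("." + d));
}

// Collect absolute URLs of every <script src=...> in raw HTML. A regex is fine
// for a grep-style audit of your own files; use a real parser for hostile input.
function externalScripts(html, pageOrigin) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*(["']?)([^"'\s>]+)\1[^>]*>/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    try { urls.push(new URL(m[2], pageOrigin).href); } catch { /* skip malformed src */ }
  }
  return urls;
}

// Simplified CSP matcher for script-src (falls back to default-src). Supports
// 'self', 'none', '*', scheme sources (https:) and host sources with optional
// scheme and leading "*.". Nonces, hashes, 'strict-dynamic', ports and path
// matching are ignored, so treat the answer as an approximation.
function cspAllowsScript(policy, scriptUrl, pageOrigin) {
  const directives = policy.split(";").map(s => s.trim()).filter(Boolean);
  const pick = name => directives.find(d => d === name || d.startsWith(name + " "));
  const directive = pick("script-src") || pick("default-src");
  if (!directive) return true;                       // no restriction at all
  const sources = directive.split(/\s+/).slice(1);   // empty list behaves like 'none'
  const u = new URL(scriptUrl);
  const self = new URL(pageOrigin);
  return sources.some(src => {
    if (src === "'none'") return false;
    if (src === "'self'") return u.origin === self.origin;
    if (src === "*") return /^https?:$/.test(u.protocol);
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return u.protocol === src.toLowerCase();
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)/i.exec(src);
    if (!m) return false;
    const [, scheme, wildcard, host] = m;
    // An explicit scheme must match; a bare host matches http or https.
    if (scheme ? u.protocol !== scheme.toLowerCase() + ":" : !/^https?:$/.test(u.protocol)) return false;
    const h = host.toLowerCase();
    return wildcard ? u.hostname.endsWith("." + h) : u.hostname === h;
  });
}

function auditPage(html, pageOrigin, policy) {
  return externalScripts(html, pageOrigin).map(url => ({
    url,
    ioc: isIocHost(new URL(url).hostname),
    cspAllowed: cspAllowsScript(policy, url, pageOrigin),
  }));
}

// Constructed sample: a normal page with one injected single-line loader tag.
const SAMPLE_ORIGIN = "https://www.example.com";
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script type="text/javascript" src="https://mlbetjs.com/loader.js"></script>
</head><body><p>hello</p></body></html>`;
const STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com";
const LOOSE_CSP = "default-src 'self'; script-src 'self' https:";

// Stand-alone run: one line per external script under the strict policy.
for (const r of auditPage(SAMPLE_HTML, SAMPLE_ORIGIN, STRICT_CSP)) {
  console.log(`${r.ioc ? "IOC " : "    "}${r.cspAllowed ? "csp:allow" : "csp:block"}  ${r.url}`);
}
```

Run against the sample, the injected loader is flagged as an indicator and rejected by the strict policy, while the same loader passes under the loose policy, because script-src 'self' https: permits any HTTPS host and is therefore no defence against a script tag written into the page. Two caveats: the matcher is an approximation of the CSP algorithm (no nonces, hashes, 'strict-dynamic' or path matching), and a policy only helps when the attacker cannot also edit the page's response headers or meta tags, since whoever was able to insert the tag may be able to relax the policy as well.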
Security vendors like c/side have already implemented real-time defenses against this attack, blocking malicious scripts and alerting affected users.
Website owners are advised to contact their security providers if they suspect an infection.
This large-scale hijacking underscores the importance of proactive security measures in safeguarding websites against evolving threats.