A large-scale cyber campaign has compromised over 150,000 legitimate websites by injecting malicious JavaScript to redirect visitors to Chinese-language gambling platforms.
The attack, first detected in February 2025 with 35,000 infected sites, has since expanded significantly, leveraging obfuscated scripts and iframe injections to hijack browsers.

How the Attack Works
The threat actors inject obfuscated JavaScript, often encoded using HTML entities or hexadecimal, to evade detection.
The script checks the webpage’s title for gambling-related keywords (e.g., “Bet365” or Chinese terms like “太阳城”) and, upon a match, loads a full-screen overlay via an iframe.
According to the report, this overlay mimics legitimate betting sites, complete with branding, to deceive users.

The payload is hosted on domains like zuizhongyj[.]com, which serve as intermediaries for redirects to gambling platforms such as W88in[.]com or lucky298[.]com.

Targets and Tactics
The campaign primarily targets Chinese-speaking users in China, Hong Kong, and the U.S., with some domains blocking non-target regions to avoid scrutiny.
Researchers attribute the attack to actors linked to the Megalayer exploit, known for distributing Chinese malware.
The use of client-side obfuscation, including dynamically inserted viewport tags for mobile compatibility, highlights the attackers' adaptability.
Security firm c/side recommends auditing website scripts for hidden encodings, blocking malicious domains, and enforcing strict Content Security Policies (CSP).
PublicWWW data shows over 135,800 active infections, underscoring the campaign’s reach.
The incident reflects a broader trend of cybercriminals exploiting third-party scripts to monetize traffic illicitly.
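As an added example (not code from the article or from c/side), the following Python audit script applies the recommendation above to check website scripts for hidden encodings. It peels HTML-entity and \xHH hex-escape layers off every inline script body and flags the traits the report describes: a document.title check for gambling keywords, dynamically created iframes and viewport tags, and references to the domains named in the article. The sample page, its markup, the rule names and the audit_html function are constructed for this example and are not c/side's tooling.

```python
import html
import re

# Indicators quoted in the article (defanged there as zuizhongyj[.]com etc.).
KNOWN_DOMAINS = ("zuizhongyj.com", "w88in.com", "lucky298.com")
# Title keywords the article says the injected script looks for.
GAMBLING_KEYWORDS = ("bet365", "太阳城")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_layers(text: str, max_rounds: int = 5) -> str:
    """Strip HTML-entity and \\xHH encoding layers until the text stops changing."""
    for _ in range(max_rounds):
        decoded = html.unescape(text)
        decoded = HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        if decoded == text:
            break
        text = decoded
    return text


def audit_html(page: str) -> list:
    """Return (rule, script_index) findings for every inline script in `page`.

    Rule names are this example's own labels, not a vendor taxonomy.
    """
    findings = []
    for idx, body in enumerate(SCRIPT_RE.findall(page)):
        decoded = decode_layers(body)
        lowered = decoded.lower()
        # The script body changed after decoding: something was hidden behind an encoding.
        if decoded != body:
            findings.append(("encoded-script", idx))
        # Title inspection combined with a gambling keyword, as described in the report.
        if "document.title" in lowered and any(k in lowered for k in GAMBLING_KEYWORDS):
            findings.append(("title-keyword-check", idx))
        # Full-screen overlay delivered through a dynamically created iframe.
        if ("createelement(\"iframe\")" in lowered
                or "createelement('iframe')" in lowered
                or "<iframe" in lowered):
            findings.append(("dynamic-iframe", idx))
        # Viewport meta tag inserted at runtime for mobile compatibility.
        if "viewport" in lowered and "createelement" in lowered:
            findings.append(("dynamic-viewport", idx))
        # Any of the intermediary / gambling domains named in the article.
        for domain in KNOWN_DOMAINS:
            if domain in lowered:
                findings.append(("known-domain:" + domain, idx))
    return findings


# Constructed sample page: the script body is hidden behind HTML entities and
# \xHH escapes (the hex string decodes to https://zuizhongyj.com), checks the
# title for "Bet365", injects an iframe and adds a viewport tag at runtime.
SAMPLE_HTML = """<html><head><title>Example Shop - Bet365 offers</title></head>
<body>
<script>&#118;&#97;&#114; u = "\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x7a\\x75\\x69\\x7a\\x68\\x6f\\x6e\\x67\\x79\\x6a\\x2e\\x63\\x6f\\x6d";
if (document.title.indexOf("Bet365") > -1) { var f = document.createElement("iframe"); f.src = u; document.body.appendChild(f); }
var m = document.createElement("meta"); m.name = "viewport"; document.head.appendChild(m);</script>
</body></html>"""

# Constructed clean page for comparison: nothing should be flagged.
CLEAN_HTML = ("<html><head><title>Hello</title></head>"
              "<body><script>console.log('hi');</script></body></html>")

if __name__ == "__main__":
    for rule, idx in audit_html(SAMPLE_HTML):
        print(f"script #{idx}: {rule}")
    print("clean page findings:", audit_html(CLEAN_HTML))
```

The decoder loops because injected scripts sometimes stack encodings (entities wrapping hex escapes); it stops as soon as a pass changes nothing. The substring rules are deliberately simple and will produce false positives on legitimate sites that build iframes or meta tags dynamically, so treat a hit as a prompt to read the decoded script, not as a verdict.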