Over 269,000 websites infected with JSFiretruck JavaScript malware

4 Min Read

Cybersecurity researchers are drawing attention to "large campaigns" that compromise legitimate websites with malicious JavaScript injections.

According to Palo Alto Networks Unit 42, the malicious injections are obfuscated using JSFuck, an "esoteric and educational programming style" in which code is written and executed using only a very limited set of characters.

The cybersecurity company has given the technique the alternative name JSFiretruck because of the profanity involved in the original.

"Several websites have been identified with injected malicious JavaScript that uses JSFiretruck obfuscation, which consists primarily of the symbols (, ), +, $, {, and }," said security researchers Hardik Shah, Brad Duncan, and Pranay Kumar Chhaparwal. "Obfuscation of code hides its true purpose and prevents analysis."

Further analysis determined that the injected code was designed to check the website referrer ("document.referrer"), which identifies the address of the web page from which the request originated.

If the referrer is a search engine such as Google, Bing, DuckDuckGo, Yahoo!, or AOL, the JavaScript code redirects victims to malicious URLs that can deliver malware, exploits, traffic monetization, and fraud.
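The two traits described above, a script body made almost entirely of the JSFiretruck symbol set and a redirect gated on a search-engine referrer, are both things a site owner can scan for. The following is an added example, not code from the article or from Unit 42: a heuristic scanner that pulls inline script blocks out of an HTML document, measures how much of each block is drawn from the obfuscation alphabet, and separately flags scripts that read document.referrer while naming a search engine. The character set (the article's symbols plus JSFuck's [ ] and !), the thresholds, and the sample page are all assumptions constructed for illustration; the "obfuscated" blob is built here from the allowed symbols and is not taken from any real infection.

```javascript
// Added example (not from the article or the Unit 42 report): heuristic
// detection of JSFuck/JSFiretruck-style inline scripts and of
// search-engine referrer gates. Sample HTML is constructed.

// Assumed obfuscation alphabet: the symbols the article lists ( ) + $ { }
// plus the [ ] ! characters of classic JSFuck.
const OBF_CHARS = new Set(['[', ']', '(', ')', '!', '+', '$', '{', '}']);
// Referrer hosts the article says the injected code looks for.
const SEARCH_ENGINES = ['google', 'bing', 'duckduckgo', 'yahoo', 'aol'];

// Return the bodies of all non-empty inline <script> elements in the HTML.
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim().length > 0) scripts.push(m[1]);
  }
  return scripts;
}

// Fraction of non-whitespace characters that belong to OBF_CHARS.
// Ordinary JavaScript scores low; JSFuck-style code scores near 1.0.
function symbolDensity(code) {
  const chars = code.replace(/\s+/g, '');
  if (chars.length === 0) return 0;
  let hits = 0;
  for (const ch of chars) if (OBF_CHARS.has(ch)) hits++;
  return hits / chars.length;
}

// True when the script reads document.referrer and mentions a search engine,
// the gating pattern described in the article.
function hasReferrerGate(code) {
  const lower = code.toLowerCase();
  if (!lower.includes('document.referrer')) return false;
  return SEARCH_ENGINES.some((engine) => lower.includes(engine));
}

// Score every inline script and return the ones worth an analyst's look.
// minLength avoids flagging short, symbol-heavy but legitimate snippets.
function scanHtml(html, { minLength = 200, minDensity = 0.9 } = {}) {
  const findings = [];
  extractInlineScripts(html).forEach((code, index) => {
    const density = symbolDensity(code);
    const reasons = [];
    if (code.replace(/\s+/g, '').length >= minLength && density >= minDensity) {
      reasons.push('jsfuck-like symbol density');
    }
    if (hasReferrerGate(code)) reasons.push('search-engine referrer gate');
    if (reasons.length > 0) {
      findings.push({ index, density: Number(density.toFixed(3)), reasons });
    }
  });
  return findings;
}

// Constructed sample page: a benign script, a symbol-only blob assembled from
// the allowed alphabet (not real malware), and a plain-text referrer gate.
const SAMPLE_HTML = `
<html><body>
<script>console.log("hello");</script>
<script>${'[+!+[]]+(![]+[])[+[]]+$({}+[])'.repeat(12)}</script>
<script>if(/google|bing/i.test(document.referrer)){location.href="https://example.invalid/landing";}</script>
</body></html>`;

console.log(JSON.stringify(scanHtml(SAMPLE_HTML), null, 2));
```

Run with Node over a saved copy of a page; a hit on symbol density alone means the block should be inspected in a sandbox rather than decoded in place, and a referrer-gate hit explains why the malicious behaviour never shows up when an administrator opens the site directly.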

Unit 42 said it discovered 269,552 web pages infected with JavaScript code using the JSFiretruck technique between March 26 and April 25, 2025. A surge in the campaign was recorded on April 12, when over 50,000 infected web pages were observed in a single day.

"The size and stealth of the campaign pose a huge threat," the researchers said. "The broad nature of these infections suggests coordinated efforts to compromise legitimate websites as an attack vector for further malicious activities."

Say HelloTDS

The development comes as Gen Digital detailed a sophisticated traffic distribution service (TDS), called HelloTDS, designed to redirect site visitors to fake CAPTCHA pages, technical support scams, fake browser updates, unwanted browser extensions, and cryptocurrency scams via embedded JavaScript code.


The main purpose of a TDS is to act as a gateway that determines the exact nature of the content delivered to a victim after fingerprinting their device. If the user is not considered a suitable target, they are redirected to a benign web page instead.

“The campaign entry points are fraudulent or attacker-controlled streaming websites, file sharing services, and campaigns,” researchers Vojtěch Krejsa and Milan Sipinka said in a report released this month.

“Victims are evaluated based on geographical, IP address, and browser fingerprints. For example, connections via a VPN or headless browser will be detected and rejected.”

Some of these attack chains are known to leverage ClickFix tactics to trick users into running malicious code, and to serve fake CAPTCHA pages that infect machines with the malware known as PEAKLIGHT (aka Emmenhtal Loader), which in turn is known to deliver information stealers like Lumma.

At the heart of the HelloTDS infrastructure is the use of the .top, .shop, and .com top-level domains, which host the JavaScript code and trigger redirects following a multi-stage fingerprinting process designed to collect network and browser information.

"The HelloTDS infrastructure behind the fake CAPTCHA campaign shows that attackers continue to improve the way in which they circumvent traditional protections, avoid detection, and selectively target victims," the researchers said.

“By leveraging sophisticated fingerprints, dynamic domain infrastructure, and deception tactics (such as mimicking legitimate websites and providing benign content to researchers), these campaigns achieve both stealth and scale.”
