Is Your Website Infected? JSFireTruck Hits Over 2.6 Lakh Sites

The420.in Staff

A widespread malware campaign has compromised over 269,000 websites in just one month, with attackers injecting obfuscated JavaScript code nicknamed JSFireTruck into legitimate web pages to redirect unsuspecting visitors to malicious destinations.

Cybersecurity researchers from Palo Alto Networks’ Unit 42 revealed that between March 26 and April 25, 2025, a total of 269,552 web pages were found infected with this malicious code. The campaign peaked on April 12, when over 50,000 infections were recorded in a single day.

What Is JSFireTruck?

JSFireTruck is a form of JavaScript obfuscation based on JSFuck, a technique that builds working code from only a small set of characters such as [, ], +, $, {, and }. Because the script body consists almost entirely of these symbols, analysts cannot read its actual function without first decoding it.
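The character-restricted style described above is itself a detectable signal. The scanner below is an added example, not code from the article or from Unit 42: it extracts inline script bodies from an HTML page and flags any that are long enough to matter and made almost entirely of the JSFuck alphabet. The sample page, the 64-character minimum and the 85% threshold are constructed assumptions for illustration.

```javascript
// Added example: heuristic detection of JSFuck-style obfuscated inline scripts.
// Thresholds and the sample page below are constructed, not taken from the article.

const JSFUCK_CHARS = new Set(['[', ']', '(', ')', '!', '+', '$', '{', '}']);

// Fraction of non-whitespace characters that belong to the JSFuck alphabet.
function jsfuckRatio(source) {
  const body = source.replace(/\s+/g, '');
  if (body.length === 0) return 0;
  let hits = 0;
  for (const ch of body) {
    if (JSFUCK_CHARS.has(ch)) hits++;
  }
  return hits / body.length;
}

// Return the bodies of all inline <script> elements in an HTML string.
function inlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const out = [];
  let match;
  while ((match = re.exec(html)) !== null) out.push(match[1]);
  return out;
}

// Flag scripts that are at least minLength characters and at least
// `threshold` JSFuck characters; short snippets are ignored to limit noise.
function findSuspiciousScripts(html, { minLength = 64, threshold = 0.85 } = {}) {
  return inlineScripts(html)
    .map((src, index) => ({ index, length: src.length, ratio: jsfuckRatio(src) }))
    .filter((s) => s.length >= minLength && s.ratio >= threshold);
}

// Constructed sample page: one ordinary script followed by a JSFuck-style blob
// (the blob is a harmless JSFuck encoding of a short string, used only as test input).
const SAMPLE_HTML = `
<html><head>
<script>document.getElementById("x").textContent = "hello";</script>
<script>[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]()</script>
</head></html>`;

// Example run: prints the index, length and ratio of each flagged script.
console.log(findSuspiciousScripts(SAMPLE_HTML));
```

A real deployment would run this over crawled or cached copies of a site's pages and alert on any newly flagged script, since legitimate code rarely exceeds even a fraction of this ratio.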


The malicious code inspects the document.referrer value to determine whether a visitor originated from major search engines such as Google, Bing, DuckDuckGo, Yahoo!, or AOL. If so, the script redirects users to malicious domains hosting malware, exploits, tech support scams, and traffic monetization tools.

“This scale and stealth pose a significant threat,” researchers noted. “It highlights a coordinated effort to weaponize legitimate websites for broader malicious activities.”

HelloTDS: The TDS Powering Fake CAPTCHAs and Browser Scams

The rise in JSFireTruck infections coincides with another threat, HelloTDS, a sophisticated Traffic Distribution System (TDS) recently documented by researchers at Gen Digital.

HelloTDS injects remotely hosted JavaScript into compromised sites, redirecting users to fake CAPTCHA pages, tech support scams, fake browser updates, and even cryptocurrency fraud portals. It uses advanced fingerprinting techniques to determine whether a visitor should be targeted or redirected to a harmless page.

Key evaluation criteria include IP address, browser type, VPN usage, and geolocation. Attempts by researchers using headless browsers or VPNs are often detected and excluded from the attack chain.

PEAKLIGHT Malware and ClickFix Deception Tactics

HelloTDS campaigns also involve ClickFix-based fake CAPTCHA pages, which trick users into executing JavaScript that silently installs the PEAKLIGHT malware. This loader is linked to stealer malware families such as Lumma, known for harvesting credentials, browser data, and crypto wallets.


The backend domains behind HelloTDS often use .top, .shop, and .com top-level domains to dynamically load malicious scripts and evade detection.

“By combining selective targeting, dynamic infrastructure, and deceptive design, attackers behind HelloTDS demonstrate how scalable and evasive modern web threats have become,” the researchers warned.

About the author – Ayush Chaurasia is a postgraduate student passionate about cybersecurity, threat hunting, and global affairs. He explores the intersection of technology, psychology, national security, and geopolitics through insightful writing.
