![Apple Shares Teaser Trailer for 'The Lost Bus' Starring Matthew McConaughey [Video]](https://www.iclarified.com/images/news/97582/97582/97582-640.jpg)
![Google updates Pixel Magnifier with real-time text search [U]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2023/10/pixel-magnifier-app-1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1){kind=tracking}
_Marek_Uliasz_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![Top Features of Vision-Based Workplace Safety Tools [2025]](https://static.wixstatic.com/media/379e66_7e75a4bcefe14e4fbc100abdff83bed3~mv2.jpg/v1/fit/w_1000,h_884,al_c,q_80/file.png?#)
![How to Use AI as a Productivity Tool with Mike Kaput [MAICON 2025 Speaker Series]](https://www.marketingaiinstitute.com/hubfs/v2MAICON-Speaker_Series.png)
![[The AI Show Episode 152]: ChatGPT Connectors, AI-Human Relationships, New AI Job Data, OpenAI Court-Ordered to Keep ChatGPT Logs & WPP’s Large Marketing Model](https://www.marketingaiinstitute.com/hubfs/ep%20152%20cover.png)
![[DEALS] Microsoft Visual Studio Professional 2022 + The Premium Learn to Code Certification Bundle (97% off) & Other Deals Up To 98% Off](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
.jpg?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
-35-45-screenshot.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
-30-7-screenshot_0FxoE4J.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
Threat Actors Compromise 270+ Legitimate Websites With Malicious JavaScript Using JSFireTruck Obfuscation
Cybersecurity researchers have uncovered a sophisticated malware campaign that leveraged an advanced JavaScript obfuscation technique to compromise hundreds of legitimate websites and redirect unsuspecting visitors to malicious content. The campaign, which infected over 269,000 webpages between March and April 2025, employed a variant of the JSFireTruck obfuscation method to conceal malicious code within seemingly innocuous […] The post Threat Actors Compromise 270+ Legitimate Websites With Malicious JavaScript Using JSFireTruck Obfuscation appeared first on Cyber Security News.
Cybersecurity researchers have uncovered a sophisticated malware campaign that leveraged an advanced JavaScript obfuscation technique to compromise hundreds of legitimate websites and redirect unsuspecting visitors to malicious content.
The campaign, which infected over 269,000 webpages between March and April 2025, employed a variant of the JSFireTruck obfuscation method to conceal malicious code within seemingly innocuous website elements.
The attack campaign demonstrated remarkable persistence and scale, with threat actors successfully injecting obfuscated JavaScript code into legitimate websites to create a vast network of compromised platforms.
The malicious scripts were designed to detect visitors arriving from popular search engines and subsequently redirect them to fraudulent content, including fake download pages and phishing sites.
The campaign showed a notable spike in activity starting April 12, 2025, indicating a coordinated effort to maximize the impact of the malicious infrastructure.
Palo Alto Networks analysts identified this campaign through their telemetry systems, which detected the widespread use of JSFireTruck obfuscation across infected websites.
The researchers noted that this technique represents an evolution of earlier JavaScript obfuscation methods, utilizing only six ASCII characters to create complex malicious code that evades traditional security detection mechanisms.
The JSFireTruck obfuscation technique employed in this campaign builds upon the earlier JJEncode method, originally developed in 2009, but significantly reduces the character set required for obfuscation.
,%20!,%20+%20and%20numbers%20(Source%20-%20Palo%20Alto%20Networks).webp)
While JJEncode utilized 18 different ASCII characters, JSFireTruck accomplishes the same obfuscation using only six symbols: [, ], (, ), !, and +[1]. This reduction makes the obfuscated code more difficult to detect through pattern-based security systems while maintaining full functionality.
The malicious code injection process begins with threat actors compromising legitimate websites and inserting obfuscated JavaScript into HTML pages.
A typical injection appears as a seemingly random string of characters, such as the example found in infected sites: $=String.fromCharCode(118,61,119,46,104,112,40,39,35,41,49,59,10,82,109,120...).
.webp)
This code snippet demonstrates the multi-layered obfuscation approach, combining JSFireTruck with additional encoding techniques to further obscure the malicious payload.
Advanced Obfuscation Mechanism and Payload Delivery
The technical sophistication of this campaign lies in its exploitation of JavaScript’s type coercion feature to generate meaningful code from seemingly meaningless character combinations.
The obfuscation technique leverages JavaScript’s automatic type conversion to transform the limited character set into functional code.
For instance, the expression +[] converts to the numeric value zero, while +!![] generates the number one through boolean manipulation and type coercion.
The malicious script employs a sophisticated detection mechanism to identify visitors arriving from search engines before executing its payload.
The decoded JavaScript contains referrer checking code that specifically targets traffic from Google, Bing, DuckDuckGo, Yahoo, and AOL search engines.
When such traffic is detected, the script dynamically creates an iframe element that covers the entire browser window, effectively hijacking the user’s browsing session.
.webp)
The payload delivery mechanism involves injecting iframe code with specific CSS properties designed to completely overlay the legitimate website content.
The injected iframe utilizes z-index: 30000, width: 100%, height: 100%, and positioning attributes left: 0; top: 0 to create a full-screen overlay that prevents users from interacting with the original website content.
This technique enables the threat actors to redirect victims to malicious domains hosting fake software downloads, phishing pages, and other fraudulent content while maintaining the appearance of visiting a legitimate website.
Automate threat response with ANY.RUN’s TI Feeds—Enrich alerts and block malicious IPs across all endpoints -> Request full access
The post Threat Actors Compromise 270+ Legitimate Websites With Malicious JavaScript Using JSFireTruck Obfuscation appeared first on Cyber Security News.
