Over 269,000 Websites Compromised by JSFireTruck JavaScript Malware Within a Single Month


Recent investigations by cybersecurity experts highlight a significant campaign compromising legitimate websites through malicious JavaScript injections. Insights from Palo Alto Networks’ Unit 42 indicate that the injected code employs an obfuscation technique dubbed “JSFireTruck,” utilizing a limited character set characteristic of JSFuck, an esoteric programming method.

Unit 42’s researchers, including Hardik Shah, Brad Duncan, and Pranay Kumar Chhaparwal, have reported that numerous websites are embedding JavaScript obfuscated with JSFireTruck, which is composed primarily of special characters such as [, ], +, $, {, and }. This obfuscation conceals the code’s actual intent, complicating analysis and detection efforts.

The malicious JavaScript is engineered to assess the website referrer via the document.referrer property to identify the origin of the request. If the referrer comes from a major search engine such as Google, Bing, DuckDuckGo, Yahoo!, or AOL, the injected code redirects users to harmful URLs that can facilitate malware deployment, exploit distribution, traffic monetization, and malvertising.
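A simple defensive check based on the two traits described above, added here as an example and not code from Unit 42 or from the campaign: it scans inline scripts on a page and flags those whose non-whitespace characters are dominated by the limited JSFireTruck alphabet. The post lists [, ], +, $, {, and }; the set below also includes (, ), and ! from the JSFuck alphabet, which is an assumption, and the threshold, minimum length, and sample page are constructed for the example.

```javascript
// Added example (not Unit 42's code): flag inline <script> bodies whose
// characters come almost entirely from the JSFireTruck/JSFuck-style alphabet.
// Alphabet: the six characters named in the report plus ( ) ! (assumption).
const FIRETRUCK_ALPHABET = new Set(['[', ']', '+', '$', '{', '}', '(', ')', '!']);

// Fraction of non-whitespace characters drawn from the limited alphabet.
function fireTruckRatio(code) {
  const chars = code.replace(/\s+/g, '');
  if (chars.length === 0) return 0;
  let hits = 0;
  for (const c of chars) if (FIRETRUCK_ALPHABET.has(c)) hits++;
  return hits / chars.length;
}

// Extract inline <script> bodies from an HTML document. Simple regex scan;
// scripts loaded via src= are out of scope here (assumption for this example).
function inlineScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Return the index, stripped length and alphabet ratio of every inline script
// that is long enough to matter and exceeds the ratio threshold.
function flagSuspiciousScripts(html, threshold = 0.9, minLength = 40) {
  return inlineScripts(html)
    .map((body, index) => ({
      index,
      length: body.replace(/\s+/g, '').length,
      ratio: fireTruckRatio(body),
    }))
    .filter((s) => s.length >= minLength && s.ratio >= threshold);
}

// Constructed sample page: one ordinary inline script and one script built
// almost entirely from the limited alphabet (not a real payload; it does nothing).
const SAMPLE_HTML = [
  '<html><head>',
  '<script>document.addEventListener("DOMContentLoaded", function () { console.log("ready"); });</script>',
  '</head><body>',
  '<script>_=[][+[]]+{}[$]+(![]+[])[+!+[]]+$[$+[]]+[][[]]+{}[$+$];</script>',
  '</body></html>',
].join('\n');

console.log(flagSuspiciousScripts(SAMPLE_HTML)); // flags only the second script
```

In practice the ratio alone is a triage signal; a flagged script should then be pulled from the page and examined for the document.referrer check and redirect the report describes.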

Unit 42’s telemetry data unveiled that between March 26 and April 25, 2025, over 269,000 web pages were identified as being infected with JavaScript using the JSFireTruck approach, peaking with more than 50,000 infections recorded on April 12. The extensive and stealthy nature of this campaign poses a considerable security risk, reflecting a systematic endeavor to utilize compromised legitimate websites for further malicious operations.

Concurrently, Gen Digital has described a sophisticated Traffic Distribution Service (TDS) known as HelloTDS, which targets site visitors by redirecting them to various fraudulent outcomes, including fake CAPTCHA pages, tech support scams, fake browser updates, unwanted browser extensions, and cryptocurrency-based frauds, all managed via remotely hosted JavaScript that has been injected into affected sites.

HelloTDS operates as a gateway, effectively determining the optimal content to deliver based on thorough device fingerprinting processes. If an individual is not categorized as a prime target, they may instead be directed to an innocuous web page.

The attack vectors include compromised streaming websites, file-sharing services, and malvertising initiatives. Researchers Vojtěch Krejsa and Milan Špinka noted that victims are assessed based on geolocation, IP addresses, and browser fingerprints, with attempts through VPNs or headless browsers being identified and blocked.

Some attack sequences have been discovered to employ deceptive CAPTCHA pages, leveraging the ClickFix strategy to manipulate users into executing malicious code, thereby infecting devices with the PEAKLIGHT malware, also known as Emmenhtal Loader, which can lead to the deployment of information-stealing threats, such as Lumma.

The HelloTDS infrastructure primarily utilizes top-level domains such as .top, .shop, and .com for hosting JavaScript and handling redirections, incorporating a multi-stage fingerprinting approach to gather comprehensive network and browser data.

This nuanced architecture of the HelloTDS campaigns showcases how cybercriminals continuously refine their strategies to circumvent conventional security measures, evade detection, and target specific victims selectively. By utilizing advanced fingerprinting, dynamic domain structures, and deceptive tactics—such as imitating legitimate websites and providing benign content to security researchers—these attacks achieve both stealth and substantial scale.