Threat Actors Compromise 270+ Legitimate Websites With Malicious JavaScript Using JSFireTruck Obfuscation

Cybersecurity researchers have uncovered a sophisticated malware campaign that leveraged an advanced JavaScript obfuscation technique to compromise hundreds of legitimate websites and redirect unsuspecting visitors to malicious content.

The campaign, which infected over 269,000 webpages between March and April 2025, employed a variant of the JSFireTruck obfuscation method to conceal malicious code within seemingly innocuous website elements.

The attack campaign demonstrated remarkable persistence and scale, with threat actors successfully injecting obfuscated JavaScript code into legitimate websites to create a vast network of compromised platforms.

The malicious scripts were designed to detect visitors arriving from popular search engines and subsequently redirect them to fraudulent content, including fake download pages and phishing sites.

The campaign showed a notable spike in activity starting April 12, 2025, indicating a coordinated effort to maximize the impact of the malicious infrastructure.

Palo Alto Networks analysts identified this campaign through their telemetry systems, which detected the widespread use of JSFireTruck obfuscation across infected websites.

google

The researchers noted that this technique represents an evolution of earlier JavaScript obfuscation methods, utilizing only six ASCII characters to create complex malicious code that evades traditional security detection mechanisms.

The JSFireTruck obfuscation technique employed in this campaign builds upon the earlier JJEncode method, originally developed in 2009, but significantly reduces the character set required for obfuscation.

Injected code as found in the HTML page consists of only [, ], (, ), !, + and numbers (Source – Palo Alto Networks)

While JJEncode utilized 18 different ASCII characters, JSFireTruck accomplishes the same obfuscation using only six symbols: [, ], (, ), !, and +[1]. This reduction makes the obfuscated code more difficult to detect through pattern-based security systems while maintaining full functionality.

The malicious code injection process begins with threat actors compromising legitimate websites and inserting obfuscated JavaScript into HTML pages.

A typical injection appears as a seemingly random string of characters, such as the example found in infected sites: $=String.fromCharCode(118,61,119,46,104,112,40,39,35,41,49,59,10,82,109,120...).

Example of injected code starting from the String.fromCharCode function (Source – Palo Alto Networks)

This code snippet demonstrates the multi-layered obfuscation approach, combining JSFireTruck with additional encoding techniques to further obscure the malicious payload.

Advanced Obfuscation Mechanism and Payload Delivery

The technical sophistication of this campaign lies in its exploitation of JavaScript’s type coercion feature to generate meaningful code from seemingly meaningless character combinations.

The obfuscation technique leverages JavaScript’s automatic type conversion to transform the limited character set into functional code.

For instance, the expression +[] converts to the numeric value zero, while +!![] generates the number one through boolean manipulation and type coercion.

The malicious script employs a sophisticated detection mechanism to identify visitors arriving from search engines before executing its payload.

The decoded JavaScript contains referrer checking code that specifically targets traffic from Google, Bing, DuckDuckGo, Yahoo, and AOL search engines.

When such traffic is detected, the script dynamically creates an iframe element that covers the entire browser window, effectively hijacking the user’s browsing session.

Decoded JavaScript code shows the iframe code that will be injected into the HTML page (Source – Palo Alto Networks)

The payload delivery mechanism involves injecting iframe code with specific CSS properties designed to completely overlay the legitimate website content.

The injected iframe utilizes z-index: 30000, width: 100%, height: 100%, and positioning attributes left: 0; top: 0 to create a full-screen overlay that prevents users from interacting with the original website content.

This technique enables the threat actors to redirect victims to malicious domains hosting fake software downloads, phishing pages, and other fraudulent content while maintaining the appearance of visiting a legitimate website.

Automate threat response with ANY.RUN’s TI Feeds—Enrich alerts and block malicious IPs across all endpoints -> Request full access

googlenews
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.