CyberSecurity news


info@thehackernews.com (The Hacker News)
A large-scale malware campaign, dubbed JSFireTruck, has infected over 269,000 legitimate websites by injecting malicious JavaScript code. Researchers at Palo Alto Networks Unit 42 discovered the campaign, noting the injected code utilizes JSF*ck, an obfuscation technique making detection difficult. This method leverages only six ASCII characters to create working JavaScript, obscuring the code's true purpose and hindering analysis. The obfuscated code primarily consists of the symbols [, ], +, $, {, and }, further complicating identification.
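A defender auditing site templates for this kind of injection can flag inline scripts that contain long unbroken runs of these symbols. The following is an added example, not code from Unit 42 or The Hacker News; the run-length threshold, the function names and the sample HTML are assumptions made for illustration, and the character set adds `(`, `)` and `!` from classic JSF*ck to the six symbols listed above.

```javascript
// Characters counted: the six symbols named in the article plus ( ) ! from classic JSF*ck.
const SYMBOL_RUN = /[\[\]+${}()!]+/g;
const MIN_RUN = 100; // assumption: illustrative threshold, tune against your own pages

// Length of the longest unbroken run of obfuscation symbols in a script body.
function longestSymbolRun(code) {
  const runs = code.replace(/\s+/g, '').match(SYMBOL_RUN) || [];
  return runs.reduce((max, r) => Math.max(max, r.length), 0);
}

// Return one finding per inline <script> whose longest symbol run meets minRun.
function findSuspiciousScripts(html, minRun = MIN_RUN) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let match;
  let index = 0;
  while ((match = scriptRe.exec(html)) !== null) {
    const run = longestSymbolRun(match[1]);
    if (run >= minRun) {
      findings.push({ scriptIndex: index, offset: match.index, longestRun: run });
    }
    index += 1;
  }
  return findings;
}

// Constructed sample: an ordinary script followed by a non-functional,
// symbol-only filler block that imitates the look of JSF*ck output.
const FILLER = '[][(![]+[])[+[]]+'.repeat(20);
const SAMPLE_HTML = [
  '<html><body>',
  '<script>function add(a, b) { return a + b; } console.log(add(1, [2][0]));</script>',
  '<script>' + FILLER + '</script>',
  '</body></html>',
].join('\n');

console.log(findSuspiciousScripts(SAMPLE_HTML));
```

Ordinary and minified JavaScript rarely produces symbol runs this long, so the heuristic stays quiet on the first script and reports only the second.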

The injected JavaScript code checks the website referrer, and if a user arrives from a search engine like Google, Bing, DuckDuckGo, Yahoo!, or AOL, the code redirects them to malicious URLs. These URLs can lead to malware downloads, exploits, traffic monetization schemes, and malvertising. Unit 42's telemetry detected 269,552 web pages infected with JSFireTruck code between March 26 and April 25, 2025, highlighting the widespread impact and rapid proliferation of this campaign. A spike in the campaign was first recorded on April 12, when over 50,000 infected web pages were observed in a single day.

The campaign's scale and stealth pose a significant threat, indicating a coordinated effort to compromise legitimate websites and use them as attack vectors for further malicious activities. The use of JSF*ck further complicates analysis, requiring specialized tools for deobfuscation. Palo Alto Networks customers are better protected from the threats discussed in this article through the following products and services: Advanced WildFire, Advanced URL Filtering and Advanced DNS Security.


References :
  • Unit 42: JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique
  • Virus Bulletin: Palo Alto Networks researchers Hardik Shah, Brad Duncan & Pranay Kumar Chhaparwal discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code.
  • The Hacker News: Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month
  • www.scworld.com: 270K websites injected with ‘JSF-ck’ obfuscated code
Classification:
  • HashTags: #JSFireTruck #JavaScript #Malware
  • Company: Palo Alto Networks
  • Target: Website Users
  • Attacker: JSFireTruck Operators
  • Feature: JSF*ck Obfuscation
  • Malware: JSFireTruck
  • Type: Malware
  • Severity: Major