JSFireTruck Malware Infects Over 269,000 Websites in Stealthy Global Campaign
June 13, 2025
A large-scale campaign infected over 269,000 websites with JavaScript malware known as JSFireTruck between late March and late April 2025.
On April 12, 2025, a significant spike was recorded, with over 50,000 infected pages identified in a single day, highlighting the campaign's rapid spread.
This campaign illustrates the evolving tactics of cybercriminals, who refine their methods to evade detection while selectively targeting victims, achieving both stealth and scale.
Researchers from Palo Alto Networks Unit 42 warn that the campaign poses a serious threat due to its scale and stealth, indicating a coordinated effort to exploit legitimate websites.
JSFireTruck employs a unique obfuscation technique that reduces the number of ASCII characters used to just six symbols, complicating analysis and detection.
Although the obfuscation method effectively hides malicious intent, it results in lengthy code that can still be detected.
The injected scripts often include additional layers of obfuscation, such as the String.fromCharCode function, to further conceal their malicious actions.
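The property described above, a very small symbol set that produces lengthy code, can be turned into a triage heuristic for inline scripts. The following is an added example, not code from Unit 42 or from the summarized articles; the function names, thresholds and sample markup are assumptions, and it keys on alphabet size rather than on any particular six symbols.

```javascript
// Added example: heuristic scan for symbol-only obfuscated inline scripts.
// Thresholds and sample markup are assumptions constructed for illustration.
const MIN_RUN = 200;      // assumed: shortest symbol run worth reporting
const MIN_ALPHABET = 3;   // assumed: skips comment banners such as "/*******/"
const MAX_ALPHABET = 8;   // assumed: small margin over the six symbols

// Return the body of every inline <script> element in an HTML string.
function extractScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  return [...html.matchAll(re)].map((m) => m[1]);
}

// Report scripts containing a long run of non-alphanumeric characters
// drawn from a very small alphabet.
function scanHtml(html) {
  const findings = [];
  extractScripts(html).forEach((body, scriptIndex) => {
    const compact = body.replace(/\s+/g, '');
    for (const m of compact.matchAll(/[^A-Za-z0-9]+/g)) {
      const run = m[0];
      const alphabet = [...new Set(run)].sort().join('');
      const small = alphabet.length >= MIN_ALPHABET && alphabet.length <= MAX_ALPHABET;
      if (run.length >= MIN_RUN && small) {
        findings.push({ scriptIndex, runLength: run.length, alphabet });
        break; // one finding per script is enough for triage
      }
    }
  });
  return findings;
}

// Constructed inputs: an ordinary script and a symbol-only filler that only
// mimics the shape of the obfuscation (it is not a working program).
const BENIGN = '<script>function init(){ document.title = "ok"; } /* ---- */ init();</script>';
const SYMBOL_ONLY = '<script>' + '(![]+[])'.repeat(40) + '</script>';
const SAMPLE_PAGE = '<html><body>' + BENIGN + SYMBOL_ONLY + '</body></html>';

console.log(scanHtml(SAMPLE_PAGE));
```

A hit is a reason to review the page and its recent changes, not proof of compromise; tune the thresholds against known-good pages from the site being checked.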
The malicious JavaScript checks the website referrer; if it detects traffic from search engines like Google or Bing, it redirects users to harmful URLs.
Website administrators are advised to keep servers updated and analyze for signs of compromise, while Palo Alto Networks offers protections through products like Advanced WildFire and URL Filtering.
Decoded scripts reveal that they check for referrers from search engines and inject iframes leading to malicious domains, effectively covering legitimate content with harmful overlays.
HelloTDS, a component of this campaign, targets victims by evaluating their geolocation, IP address, and browser fingerprint, filtering out connections from VPNs or headless browsers.
Some attack chains utilize bogus CAPTCHA pages to trick users into executing malicious code, leading to infections such as PEAKLIGHT, which can steal sensitive information.
Summary based on 2 sources
Sources

The Hacker News • Jun 13, 2025
Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month
Unit 42 • Jun 12, 2025
JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique