Malicious JavaScript Campaign Compromises 150,000 Websites to Promote Gambling Platforms


An ongoing campaign that injects malicious JavaScript into legitimate websites to redirect visitors to Chinese-language gambling platforms has grown to compromise roughly 150,000 sites. The injected code hijacks the page in the visitor's browser and sends them to a gambling site instead. The campaign's continued evolution illustrates how much effort attackers now invest in client-side redirection.

The Scope and Technique of the Attack

A recent analysis by security researcher Himanshu Anand found that the injected JavaScript was present on more than 135,800 compromised legitimate sites, a number that continues to rise. The threat actor relies on an iframe injection technique: the injected script inserts an iframe that covers the entire browser viewport, hiding the original page content and displaying a gambling platform in its place.

The malicious payload is hosted on five different domains, including one identified as “zuizhongyj[.]com,” which serves the script that performs the redirect. A further variant of the attack injects scripts and iframe elements into HTML that impersonates legitimate betting websites such as Bet365, reusing their official logos and branding so that visitors believe they are on a trusted site. Once a visitor lands on an infected page, the redirect fires and the browser is taken over to display the gambling landing page.
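The injection pattern described above (an externally sourced script, an iframe that covers the viewport, or an inline script that builds such an iframe) can be looked for statically in a site's rendered HTML or theme files. The following scanner is an added example written for this article; it is not code from the original report or from the researcher, and the allowlist of first-party hosts, the fullscreen CSS heuristics and the sample page with its `.invalid` placeholder hosts are all assumptions constructed for illustration.

```python
"""Static scan of saved HTML for the injection pattern described above:
externally sourced <script> tags, <iframe>s pointing at unknown hosts,
fullscreen overlay iframes, and inline scripts that build such an overlay.
Added example, not code from the original report.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads resources from. Adjust per site;
# a known IOC such as the report's zuizhongyj[.]com would never appear here.
FIRST_PARTY_HOSTS = {"example.com", "cdn.example.com"}

# CSS fragments that together make an iframe cover the viewport.
FULLSCREEN_HINTS = ("position:fixed", "width:100%", "height:100%")

# Inline code that creates an iframe and gives it overlay styling.
OVERLAY_BUILDER = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I)
OVERLAY_STYLE = re.compile(r"position\s*:\s*fixed|width\s*:\s*100%", re.I)


def _host(url):
    """Hostname of an absolute or scheme-relative URL, '' for relative paths."""
    return (urlparse(url.strip()).hostname or "").lower()


class InjectionScanner(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []            # (kind, host, line) tuples
        self._inline_script_line = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]
        if tag == "script":
            src = a.get("src")
            if src:
                host = _host(src)
                if host and host not in self.allowed:
                    self.findings.append(("external-script", host, line))
            else:
                self._inline_script_line = line   # body is inspected in handle_data
        elif tag == "iframe":
            host = _host(a.get("src") or "")
            style = (a.get("style") or "").replace(" ", "").lower()
            if host and host not in self.allowed:
                self.findings.append(("external-iframe", host, line))
            if all(h in style for h in FULLSCREEN_HINTS):
                self.findings.append(("fullscreen-overlay", host or "(no src)", line))

    def handle_data(self, data):
        # Only script bodies reach here with a recorded line; flag ones that
        # create an iframe and style it to cover the page.
        if self._inline_script_line is not None:
            if OVERLAY_BUILDER.search(data) and OVERLAY_STYLE.search(data):
                self.findings.append(
                    ("inline-overlay-builder", "(inline)", self._inline_script_line))

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_script_line = None


def scan_html(html, allowed_hosts=FIRST_PARTY_HOSTS):
    """Return a list of (kind, host, line) findings for one HTML document."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a legitimate CDN script, an injected external script,
# an injected fullscreen iframe and an inline script that builds the same
# overlay dynamically. The .invalid hosts are placeholders, not real IOCs.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script src="//redirect.invalid/x.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="https://landing.invalid/bet" style="position: fixed; top:0; left:0; width:100%; height:100%; z-index:99999; border:0"></iframe>
<script>var f=document.createElement('iframe');f.style.cssText='position:fixed;width:100%;height:100%';f.src='//landing.invalid/';document.body.appendChild(f);</script>
</body></html>"""

if __name__ == "__main__":
    for kind, host, line in scan_html(SAMPLE_PAGE):
        print(f"line {line}: {kind} -> {host}")
```

Run it over the HTML your server actually emits (or over theme and plugin files), not only over files on disk, since the page reports that injected code can also come from modified templates. The scan is static: obfuscated loaders that assemble the script URL at runtime, or scripts fetched by an allowed first-party file that was itself tampered with, will not be caught, so treat an allowlist miss as a prompt to diff the file against a known-good copy rather than as proof of cleanliness.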

Rise of Client-Side Attacks

Anand notes that this attack is part of a larger trend in which threat actors keep refining their tactics, adding layers of obfuscation to evade detection. Client-side attacks, in which malicious code runs in the visitor's browser because it was injected into an already compromised site rather than by exploiting a browser vulnerability, are on the rise, since a single compromised site or script source can reach millions of users. This campaign shows how threat actors keep adapting and extending their reach, making it harder for defenders to stay ahead.

Comparison with Other Malware Campaigns

This incident follows another long-running malware campaign, known as DollyWay World Domination, which has been targeting websites globally since 2016. According to GoDaddy, more than 20,000 websites have been affected, with the latest iteration focused on WordPress sites. The DollyWay operation uses redirect scripts backed by a distributed network of Traffic Direction System (TDS) nodes hosted on compromised websites.

The malware is described as using techniques such as domain generation algorithms and DNS manipulation to serve malware and scam content across large networks. The attackers inject scripts into WordPress sites, which then redirect users to scam pages run by the VexTrio cybercriminal affiliate network. Like the gambling promotion campaign, DollyWay relies on a layered infrastructure, including compromised plugins and traffic broker networks, to monetize its attacks.

What Undercode Says:

The continuing surge in attacks like the gambling promotion campaign and DollyWay highlights a growing concern in the security community: threat actors are becoming increasingly efficient at compromising websites through both server-side and client-side weaknesses. These campaigns share a common theme. They leverage popular platforms such as WordPress, and they borrow trust signals such as official logos and familiar site designs to deceive users.

One key insight is the operational maturity of these campaigns. Both use distributed networks to reach millions of visitors while avoiding detection. The gambling promotion attack, for example, relies on a simple but effective iframe injection that immediately covers the victim's browser viewport with an overlay. The technique is not new, but the surrounding loaders and obfuscation keep changing, which makes it harder to detect and mitigate.

Another important aspect is the increasing use of traffic direction systems and traffic broker networks. These systems allow cybercriminals to scale their attacks and target vast swaths of the internet, redirecting traffic to various malicious websites. As a result, millions of users may unknowingly fall victim to these scams, unaware of the hijacking occurring in the background.

The DollyWay malware campaign further demonstrates the level of adaptability exhibited by cybercriminals. Despite facing disruptions, such as the loss of command-and-control servers and changes to their traffic monetization techniques, these actors continue to evolve their tactics. The ability to quickly transition to new infrastructure and monetization methods signals that these campaigns will likely persist for the foreseeable future.

Lastly, both attacks underscore the importance of proactive security measures. For website owners, keeping software up to date, using reputable security plugins, and regularly scanning for vulnerabilities are essential. Because the described injections show up as script tags loading from unfamiliar domains and as iframes styled to cover the page, owners should also periodically inspect theme and plugin files and the rendered HTML of their pages for such additions, and compare them against a known-good copy. Users also need to be vigilant about the sites they visit and the links they click to avoid falling prey to these attacks.

Fact Checker Results:

1. The campaign has indeed infected nearly 150,000 sites (over 135,800 at the time of the researcher's count), with the compromises carried out through malicious JavaScript injections.
2. The iframe injection technique and use of fullscreen overlays are consistent with other redirection-based attacks seen in the past.
3. The DollyWay

References:

Reported By: https://thehackernews.com/2025/03/150000-sites-compromised-by-javascript.html
