Category: Cybersecurity

Jun 13, 2025Ravie LakshmananWeb Security / Network Security

Cybersecurity researchers are calling attention to a “large-scale campaign” that has been observed compromising legitimate websites with malicious JavaScript injections.

According to Palo Alto Networks Unit 42, these malicious injects are obfuscated using JSFuck, which refers to an “esoteric and educational programming style” that uses only a limited set of characters to write and execute code.

The cybersecurity company has given the technique an alternate name JSFireTruck owing to the profanity involved.

“Multiple websites have been identified with injected malicious JavaScript that uses JSFireTruck obfuscation, which is composed primarily of the symbols [, ], +, $, {, and },” security researchers Hardik Shah, Brad Duncan, and Pranay Kumar Chhaparwal said. “The code’s obfuscation hides its true purpose, hindering analysis.”

Further analysis has determined that the injected code is designed to check the website referrer (“document.referrer“), which identifies the address of the web page from which a request originated.

Should the referrer be a search engine such as Google, Bing, DuckDuckGo, Yahoo!, or AOL, the JavaScript code redirects victims to malicious URLs that can deliver malware, exploits, traffic monetization, and malvertising.

Unit 42 said its telemetry uncovered 269,552 web pages that have been infected with JavaScript code using the JSFireTruck technique between March 26 and April 25, 2025. A spike in the campaign was first recorded on April 12, when over 50,000 infected web pages were observed in a single day.

“The campaign’s scale and stealth pose a significant threat,” the researchers said. “The widespread nature of these infections suggests a coordinated effort to compromise legitimate websites as attack vectors for further malicious activities.”

Say Hello to HelloTDS

The development comes as Gen Digital took the wraps off a sophisticated Traffic Distribution Service (TDS) called HelloTDS that’s designed to conditionally redirect site visitors to fake CAPTCHA pages, tech support scams, fake browser updates, unwanted browser extensions, and cryptocurrency scams through remotely-hosted JavaScript code injected into the sites.

The primary objective of the TDS is to act as a gateway, determining the exact nature of content to be delivered to the victims after fingerprinting their devices. If the user is not deemed a suitable target, the victim is redirected to a benign web page.

“The campaign entry points are infected or otherwise attacker-controlled streaming websites, file sharing services, as well as malvertising campaigns,” researchers Vojtěch Krejsa and Milan Špinka said in a report published this month.

“Victims are evaluated based on geolocation, IP address, and browser fingerprinting; for example, connections through VPNs or headless browsers are detected and rejected.”

Some of these attack chains have been found to serve bogus CAPTCHA pages that leverage the ClickFix strategy to trick users into running malicious code and infecting their machines with a malware known as PEAKLIGHT (aka Emmenhtal Loader), which is known to server information stealers like Lumma.

Central to the HelloTDS infrastructure is the use of .top, .shop, and .com top-level domains that are used to host the JavaScript code and trigger the redirections following a multi-stage fingerprinting process engineered to collect network and browser information.

“The HelloTDS infrastructure behind fake CAPTCHA campaigns demonstrates how attackers continue to refine their methods to bypass traditional protections, evade detection, and selectively target victims,” the researchers said.

“By leveraging sophisticated fingerprinting, dynamic domain infrastructure, and deception tactics (such as mimicking legitimate websites and serving benign content to researchers) these campaigns achieve both stealth and scale.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday disclosed that ransomware actors are targeting unpatched SimpleHelp Remote Monitoring and Management (RMM) instances to compromise customers of an unnamed utility billing software provider.

“This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025,” the agency said in an advisory.

Earlier this year, SimpleHelp disclosed a set of flaws (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that could result in information disclosure, privilege escalation, and remote code execution.

The vulnerabilities have since come under repeated exploitation in the wild, including by ransomware groups like DragonForce, to breach targets of interest. Last month, Sophos revealed that a Managed Service Provider’s SimpleHelp deployed was accessed by the threat actor using these flaws, and then leveraged it to pivot to other downstream customers.

CISA said that SimpleHelp versions 5.5.7 and earlier contain multiple vulnerabilities, including CVE-2024-57727, and that the ransomware crews are exploiting it to access downstream customers’ unpatched SimpleHelp instances for double extortion attacks.

The agency has outlined the below mitigations that organizations, including third-party service providers that make use of SimpleHelp to connect to downstream customers, can implement to better respond to the ransomware activity –

• Identify and isolate SimpleHelp server instances from the internet and update them to the latest version
• Notify downstream customers and instruct them to take actions to secure their endpoints
• Conduct threat hunting actions for indicators of compromise and monitor for unusual inbound and outbound traffic from the SimpleHelp server (for downstream customers)
• Disconnect affected systems from the internet if they have been encrypted by ransomware, reinstall the operating system, and restore data from a clean backup
• Maintain periodic clean, offline backups
• Refrain from exposing remote services such as Remote Desktop Protocol (RDP) on the web

CISA said it does not encourage victims to pay ransoms as there is no guarantee that the decryptor provided by the threat actors will help recover the files.

“Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” CISA added.

Fog Ransomware Attack Deploys Employee Monitoring Software

The development comes as Broadcom-owned Symantec detailed a Fog ransomware attack targeting an unnamed financial institution in Asia with a combination of dual-use and open-source pentesting tools not observed in other ransomware-related intrusions.

Fog is a ransomware variant first detected in May 2024. Like other ransomware operations, the financially motivated crew employs compromised virtual private network (VPN) credentials and system vulnerabilities to gain access to an organization’s network and encrypt data, but not before exfiltrating it.

Alternate infection sequences have employed Windows shortcut (LNK) files contained within ZIP archives, which are then distributed via email and phishing attacks. Executing the LNK file leads to the download of a PowerShell script that’s responsible for dropping a ransomware loader containing the Fog locker payload.

The attacks are also characterized by the use of advanced techniques to escalate privileges and evade detection by deploying malicious code directly in memory and disabling security tools. Fog is capable of targeting both Windows and Linux endpoints.

According to Trend Micro, as of April 2025, the Fog threat actors have claimed 100 victims on its data leak site since the start of the year, with a majority of the victims associated with technology, education, manufacturing, and transportation sectors.

“The attackers used a legitimate employee monitoring software called Syteca (formerly Ekran), which is highly unusual,” Symantec said. “They also deployed several open-source pen-testing tools – GC2, Adaptix, and Stowaway – which are not commonly used during ransomware attacks.”

While the exact initial access vector used in the incident is unknown, the threat actors have been found to use Stowaway, a proxy tool widely used by Chinese hacking groups, to deliver Syteca. It’s worth noting that GC2 has been used in attacks carried out by the Chinese state-sponsored hacking group APT41 in 2023.

Also downloaded were legitimate programs like 7-Zip, Freefilesync, and MegaSync to create compressed data archives for data exfiltration.

Another interesting aspect of the attacks is that the attackers created a service to establish persistence on the network, several days after the ransomware was deployed. The threat actors are said to have spent about two weeks before dropping the ransomware.

“This is an unusual step to see in a ransomware attack, with malicious activity usually ceasing on a network once the attackers have exfiltrated data and deployed the ransomware, but the attackers in this incident appeared to wish to retain access to the victim’s network,” Symantec and Carbon Black researchers said.

The uncommon tactics have raised the possibility that the company may have been targeted for espionage reasons, and that the threat actors deployed the Fog ransomware either as a distraction to mask their true goals or to make some quick money on the side.

LockBit Panel Leak Reveals China Among Most Targeted

The findings also coincide with revelations that the LockBit ransomware-as-a-service (RaaS) scheme netted around $2.3 million within the last six months, indicating that the e-crime group continues to operate despite several setbacks.

What’s more, Trellix’s analysis of LockBit’s geographic targeting from December 2024 to April 2025 based on the May 2025 admin panel leak has uncovered China to be one of the most heavily targeted countries by affiliates Iofikdis, PiotrBond, and JamesCraig. Other prominent targets include Taiwan, Brazil, and Turkey.

“The concentration of attacks in China suggests a significant focus on this market, possibly due to its large industrial base and manufacturing sector,” security researcher Jambul Tologonov said.

“Unlike Black Basta and Conti RaaS groups that occasionally probe Chinese targets without encrypting them, LockBit appears willing to operate within Chinese borders and disregard potential political consequences, marking an interesting divergence in their approach.”

The leak of the affiliate panel has also prompted LockBit to announce a monetary reward for verifiable information about “xoxo from Prague,” an anonymous actor who claimed responsibility for the leak.

On top of that, LockBit appears to have benefitted from the sudden discontinuation of RansomHub towards the end of March 2025, causing some of the latter’s affiliates, including BaleyBeach and GuillaumeAtkinson, to transition to LockBit and compel it to reactivate its operations amid ongoing efforts to develop the next version of the ransomware, LockBit 5.0.

“What this leak truly shows is the complex and ultimately less glamorous reality of their illicit ransomware activities. While profitable, it’s far from the perfectly orchestrated, massively lucrative operation they’d like the world to believe it is,” Tologonov concluded.