JSFireTruck Attack: 260,000+ Websites Compromised, Redirecting Users to Malware via Obscured JavaScript
Do Son 
Cybercriminals have compromised over 260,000 legitimate websites, embedding malicious JavaScript code disguised as an innocuous string of characters. This widespread campaign, uncovered by Palo Alto Networks experts, began in late March and escalated dramatically in mid-April. Its primary objective is to redirect users to harmful domains via infected web pages—particularly when visitors arrive through search engines.
To obscure the code’s true purpose, attackers employ a peculiar obfuscation technique known as JSFuck—a method that enables full JavaScript programs to be written using only six characters: [, ], +, $, {, and }. Unit 42 researchers have humorously dubbed the variant “JSFireTruck,” a softer moniker that hints at its chaotic nature. This level of obfuscation severely hinders detection and allows malicious scripts to persist undetected for extended periods.
The injected code monitors the user’s referrer. If the visitor originates from a search engine like Google, Bing, or DuckDuckGo, they are silently redirected to an external site containing potentially hazardous content. These sites may host browser exploits, malware, counterfeit updates, or participate in monetization schemes and malvertising operations.
The campaign reached its peak on April 12, with over 50,000 infected pages identified in a single day. In total, nearly 270,000 compromised URLs were logged by Palo Alto Networks’ telemetry systems over the course of a month.
Simultaneously, researchers at Gen Digital uncovered another alarming threat—a sophisticated traffic distribution system (TDS) dubbed HelloTDS. This malicious platform selectively redirects users based on their IP address, geographic location, browser fingerprint, and device characteristics. Before serving a payload, HelloTDS analyzes the visitor and then decides whether to display a fake CAPTCHA, a fraudulent tech support alert, a deceptive browser update prompt, or another carefully crafted trap.
Users who do not match the targeted profile are redirected to innocuous destinations—a tactic designed to evade detection by security tools. Attackers frequently launched these campaigns from streaming portals, file-sharing platforms, and ad networks hosting the initial malicious JavaScript payload.
Some attack chains ultimately led to the deployment of PEAKLIGHT, also known as Emmental Loader—a malware loader designed to deliver spyware such as Lumma. These strains exfiltrate browser data, harvest credentials, and siphon cryptocurrency wallets.
The infrastructure supporting HelloTDS relies on dynamically generated top-level domains such as .top, .shop, and .com, which facilitate command-and-control operations and traffic routing. In addition to masquerading as legitimate services, these platforms are equipped with advanced scripts capable of detecting VPNs, browser emulators, and analysis sandboxes—effectively barring cybersecurity professionals from uncovering their inner workings.
The sheer scale of the operation, its ability to impersonate trusted websites, and the use of refined filtering mechanisms render the JSFireTruck and HelloTDS campaigns exceptionally dangerous—for both unsuspecting users and administrators of compromised platforms.
Donate