Summary: A widespread and persistent cyber campaign compromised around 150,000 legitimate websites by injecting malicious JavaScript to redirect users to Chinese-language gambling platforms. According to c/side security analyst Himanshu Anand, the threat actor continues to rely on iframe injections to deliver fullscreen overlays in victims’ browsers. These overlays disguise themselves as legitimate betting sites, such as Bet365, using real branding and logos to enhance credibility. The goal is to hijack the user’s browsing session and display fraudulent gambling landing pages in place of the original website content. PublicWWW data shows over 135,800 infected sites currently host the JavaScript payload. The malicious code is distributed via JavaScript hosted on at least five primary domains, which serve the main redirection scripts.
This client-side campaign illustrates the evolving nature of browser-based attacks, where threat actors increasingly use obfuscation and deception to expand their reach and bypass detection. A variant of the campaign has also been observed injecting malicious iframe and script elements that simulate legitimate gambling platforms, often luring users into clicking and interacting with scam interfaces. The attack reflects a broader rise in web-based exploitation, where attackers weaponize trusted sites to serve malicious content directly to unsuspecting visitors.
Security Officer Comments: At the same time, a separate malware operation named DollyWay World Domination, recently disclosed by GoDaddy, has been active since at least 2016 and has infected more than 20,000 websites worldwide, over 10,000 of which are unique WordPress installations. This operation centers on injecting dynamically generated redirect scripts into WordPress sites, primarily via compromised plugins. These scripts form a distributed Traffic Direction System (TDS) using the infected sites as both traffic brokers and command-and-control nodes. The system redirects visitors to malicious pages using networks like VexTrio and LosPollos, both of which are linked to large-scale cybercriminal affiliate networks known for distributing malware and scams globally. Security researcher Denis Sinegubko noted that DollyWay leverages advanced infrastructure, including DNS trickery, domain generation algorithms, and monetization via ad networks like PropellerAds. The attackers also disable WordPress security plugins, delete competing malware, and harvest legitimate admin credentials to retain access. DollyWay’s TDS has reportedly achieved 9–10 million page impressions monthly, demonstrating the scale and profitability of such operations.
Around November 2024, operators of the DollyWay campaign began dismantling parts of their infrastructure, deleting several C2/TDS servers. In response, they adapted by sourcing redirect URLs from a Telegram channel named trafficredirect, showcasing their ability to rapidly pivot and maintain campaign momentum despite setbacks. Analysts believe the breakdown of DollyWay’s relationship with LosPollos represents a significant shift, potentially undermining the campaign’s effectiveness; however, the swift infrastructure changes and alternative monetization strategies indicate the threat remains active and adaptable.
Suggested Corrections: If you suspect your site might be impacted, review your pages and scripts for HTML-entity-encoded strings that hide injected code, and for unexpected <iframe> elements (especially ones that load off-site content or are styled to cover the whole viewport). As always, ongoing vigilance and regular site auditing remain your best defenses against attacks like these.
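As an added illustration of the audit step above (example code written for this summary, not from c/side, GoDaddy or The Hacker News), the following Python script scans a page for the two indicators the report names: dense runs of HTML entities inside inline scripts, and <iframe> elements that point off-site or are styled to cover the viewport. The first-party host list, the entity-run threshold and the sample page are assumptions.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Hypothetical thresholds: 8+ consecutive entities in a <script> body, and an
# inline style that pins the iframe over the whole viewport (hiding the page).
ENTITY_RUN = re.compile(r"(?:&#x?[0-9a-fA-F]+;){8,}")
FULLSCREEN = ("position:fixed", "width:100%", "height:100%")

class InjectionScanner(HTMLParser):
    """Records (kind, detail) findings for suspicious iframes and scripts."""
    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party = set(first_party_hosts)
        self.findings = []
        self._script = None   # buffer for the current <script> body
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script = []
        elif tag == "iframe":
            src = a.get("src") or ""
            host = urlparse(src).hostname   # None for relative (local) URLs
            if host and host not in self.first_party:
                self.findings.append(("iframe-offsite", src))
            style = (a.get("style") or "").replace(" ", "").lower()
            if all(p in style for p in FULLSCREEN):
                self.findings.append(("iframe-fullscreen", src))
    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)   # script text arrives with entities intact
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script), None
            for m in ENTITY_RUN.finditer(body):
                # html.unescape reveals what document.write() would really render
                self.findings.append(("script-entity-encoded", html.unescape(m.group())))

def scan(page, first_party_hosts):
    parser = InjectionScanner(first_party_hosts)
    parser.feed(page)
    parser.close()
    return parser.findings
def entity_encode(text):
    return "".join(f"&#{ord(c)};" for c in text)   # the hiding technique itself
# Constructed sample: a legitimate script, an injected entity-encoded script and
# a fullscreen off-site iframe. The .invalid hostname is a placeholder.
INJECTED = entity_encode('<iframe src="https://example-inject.invalid/land"></iframe>')
SAMPLE_HTML = f"""<html><body><script src="/assets/app.js"></script>
<script>var p="{INJECTED}";document.write(p);</script>
<iframe src="https://example-inject.invalid/land" style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999"></iframe>
<p>Real content</p></body></html>"""
```

Run `scan(SAMPLE_HTML, {"example.com"})` to list the three findings; on a real site, pass the rendered HTML of each page and your own hostnames as the first-party set.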
Link(s): https://thehackernews.com/2025/03/150000-sites-compromised-by-javascript.html