Friday, May 9, 2025
HomeBrowserOver 35,000 Websites Hacked to Inject Malicious Scripts Redirecting Users to Chinese...

Over 35,000 Websites Hacked to Inject Malicious Scripts Redirecting Users to Chinese Websites

Published on

SIEM as a Service

Follow Us on Google News

In a widespread cyberattack, over 35,000 websites have been compromised by a malicious campaign that injects harmful scripts into their codebase.

The injected scripts redirect users to Chinese-language gambling platforms, primarily under the “Kaiyun” brand.

This attack leverages obfuscated JavaScript payloads to hijack user browsers, replacing legitimate website content with full-page redirects.

- Advertisement - Google News

Technical Details of the Attack

The malicious campaign is executed through a one-line <script> tag embedded directly into the source code of affected websites.

These scripts reference domains such as zuizhongjs[.]com and other similar URLs.

Once loaded, the script dynamically injects additional payloads that manipulate the browser’s behavior.

The final payload includes device detection functions to tailor the attack for specific operating systems and introduces random delays to evade detection by automated security systems.

The primary script creates a full-screen hijack by injecting an HTML <div> and <iframe> element that completely overlays the original website content.

This iframe loads external pages that promote unlicensed gambling platforms in Mandarin, targeting users in regions where Mandarin is predominantly spoken.

The attackers also employ obfuscation techniques, such as string concatenation and Unicode escapes, to conceal their activities.

Several domains have been identified as sources of malicious scripts in this campaign:

  • mlbetjs[.]com (18,000+ infections)
  • ptfafajs[.]com (9,000+ infections)
  • zuizhongjs[.]com (4,800+ infections)
  • jbwzzzjs[.]com (2,900+ infections)
  • jpbkte[.]com (30+ infections)

These domains serve as distribution points for the malicious payloads and redirect users to fraudulent gambling sites.

In some cases, users are further redirected to secondary domains that facilitate phishing or fraudulent sign-up processes.

Possible Connection to Megalayer Exploit

According to the Report, Security researchers suggest that this campaign may be linked to the Megalayer exploit, a known vector for distributing Chinese-language malware.

Supporting evidence includes the use of Mandarin text, domain patterns associated with Chinese threat actors, and advanced obfuscation techniques.

The attackers appear to be leveraging vulnerabilities in website content management systems (CMS) or exploiting stolen credentials to inject their scripts.

Website owners are advised to take immediate action to prevent further exploitation:

  1. Audit Source Code: Check for unauthorized <script> tags referencing suspicious domains like zuizhongjs[.]com.
  2. Block Malicious Domains: Use DNS or firewall rules to block known IoCs.
  3. Implement Content Security Policies (CSP): Restrict script execution to trusted sources only.
  4. Conduct Regular Scans: Use tools like PublicWWW or URLScan to detect malicious injections at scale.
  5. Monitor File Integrity: Employ file integrity monitoring tools to identify unauthorized changes in core files.

This large-scale attack highlights the need for robust web security measures and proactive monitoring systems.

Security teams must remain vigilant as attackers continue to evolve their tactics and exploit vulnerabilities across global websites.

Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Chinese Hackers Exploit SAP RCE Vulnerability to Deploy Supershell Backdoors

A critical remote code execution (RCE) vulnerability, identified as CVE-2025-31324, in SAP NetWeaver Visual...

Hackers Target IT Admins by Poisoning SEO to Push Malware to Top Search Results

Cybercriminals are increasingly targeting IT administrators through sophisticated Search Engine Optimization (SEO) poisoning techniques. By...

New Mamona Ransomware Targets Windows Systems Using Abused Ping Command

Cybersecurity researchers are raising the alarm about a newly discovered commodity ransomware strain dubbed Mamona,...

Malicious Python Package Impersonates Discord Developers to Deploy Remote Commands

A seemingly innocuous Python package named ‘discordpydebug’ surfaced on the Python Package Index (PyPI)...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Chinese Hackers Exploit SAP RCE Vulnerability to Deploy Supershell Backdoors

A critical remote code execution (RCE) vulnerability, identified as CVE-2025-31324, in SAP NetWeaver Visual...

Hackers Target IT Admins by Poisoning SEO to Push Malware to Top Search Results

Cybercriminals are increasingly targeting IT administrators through sophisticated Search Engine Optimization (SEO) poisoning techniques. By...

New Mamona Ransomware Targets Windows Systems Using Abused Ping Command

Cybersecurity researchers are raising the alarm about a newly discovered commodity ransomware strain dubbed Mamona,...