In a widespread cyberattack, over 35,000 websites have been compromised by a malicious campaign that injects harmful scripts into their codebase.
The injected scripts redirect users to Chinese-language gambling platforms, primarily under the “Kaiyun” brand.
This attack leverages obfuscated JavaScript payloads to hijack user browsers, replacing legitimate website content with full-page redirects.
Technical Details of the Attack
The malicious campaign is executed through a one-line <script> tag embedded directly into the source code of affected websites.
These scripts reference domains such as zuizhongjs[.]com and other similar URLs.
Once loaded, the script dynamically injects additional payloads that manipulate the browser’s behavior.
The final payload includes device detection functions to tailor the attack for specific operating systems and introduces random delays to evade detection by automated security systems.
The primary script creates a full-screen hijack by injecting an HTML <div> and <iframe> element that completely overlays the original website content.
This iframe loads external pages that promote unlicensed gambling platforms in Mandarin, targeting users in regions where Mandarin is predominantly spoken.
The attackers also employ obfuscation techniques, such as string concatenation and Unicode escapes, to conceal their activities.
Several domains have been identified as sources of malicious scripts in this campaign:
mlbetjs[.]com(18,000+ infections)ptfafajs[.]com(9,000+ infections)zuizhongjs[.]com(4,800+ infections)jbwzzzjs[.]com(2,900+ infections)jpbkte[.]com(30+ infections)
These domains serve as distribution points for the malicious payloads and redirect users to fraudulent gambling sites.
In some cases, users are further redirected to secondary domains that facilitate phishing or fraudulent sign-up processes.
Possible Connection to Megalayer Exploit
According to the Report, Security researchers suggest that this campaign may be linked to the Megalayer exploit, a known vector for distributing Chinese-language malware.
Supporting evidence includes the use of Mandarin text, domain patterns associated with Chinese threat actors, and advanced obfuscation techniques.
The attackers appear to be leveraging vulnerabilities in website content management systems (CMS) or exploiting stolen credentials to inject their scripts.
Website owners are advised to take immediate action to prevent further exploitation:
- Audit Source Code: Check for unauthorized
<script>tags referencing suspicious domains likezuizhongjs[.]com. - Block Malicious Domains: Use DNS or firewall rules to block known IoCs.
- Implement Content Security Policies (CSP): Restrict script execution to trusted sources only.
- Conduct Regular Scans: Use tools like PublicWWW or URLScan to detect malicious injections at scale.
- Monitor File Integrity: Employ file integrity monitoring tools to identify unauthorized changes in core files.
This large-scale attack highlights the need for robust web security measures and proactive monitoring systems.
Security teams must remain vigilant as attackers continue to evolve their tactics and exploit vulnerabilities across global websites.
Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here
