A large-scale cyberattack has compromised approximately 150,000 legitimate websites by injecting malicious JavaScript to redirect visitors to Chinese-language gambling platforms.
The campaign, first detected in February 2025 with 35,000 infected sites, has since expanded significantly, leveraging obfuscated scripts and iframe injections to hijack browsers.
Attackers use domains like zuizhongyj[.]com to host payloads, which display full-screen overlays mimicking legitimate betting sites such as Bet365.
Technical Tactics
The threat actors employ HTML entity encoding and hexadecimal obfuscation to hide malicious scripts, such as injecting <script> tags disguised as benign code.
Decoded scripts reveal redirects to gambling domains like 551007t[.]cc and W88in[.]com, targeting Chinese-speaking users in China, Hong Kong, and the U.S.
The payloads enforce mobile-friendly viewports and use keyword detection (e.g., “bet365” or “太阳城”) to tailor redirects.
Broader Implications
According to the Report, this campaign mirrors other malicious operations, including GoDaddy’s disclosure of the DollyWay World Domination malware, which compromised 20,000 sites since 2016.
Experts warn of rising client-side attacks, urging website owners to audit scripts, monitor for unauthorized iframes, and implement strict Content Security Policies (CSPs).
Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.
