A malicious campaign involving the injection of JavaScript code into legitimate websites—aimed at promoting Chinese gambling platforms—has reached an unprecedented scale. According to PublicWWW, as of this writing, the malicious script has been detected on over 135,000 websites, while analysis by c/side experts indicates that the scheme continues with only minor interface changes.
The attack itself is simple: the injected script inserts an iframe element that renders a full-screen overlay in the visitor’s browser, replacing the legitimate content of the site with a fake page promoting gambling platforms aimed at a Chinese audience. The JavaScript that builds the overlay and performs the redirect is hosted on several domains, including “zuizhongyj[.]com,” from which the main malicious component is loaded.
In some cases, the malicious code mimics legitimate pages of well-known bookmakers like Bet365, using official logos and visual styles. As a result, users may not immediately realize they’re on a fake page. The overlay, implemented using CSS, looks like an original interface and completely covers the content of the compromised site.
Analysts note that client-side attacks of this kind are becoming more common, with new findings and new variants appearing regularly. The operators adapt quickly and wrap the payload in additional layers of obfuscation, which delays detection and cleanup.
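A defender’s first question is how to find this pattern in a site’s own HTML. The scanner below is an added example, not code from the article or from c/side: it parses a page, flags script tags whose host matches the domain the article names (zuizhongyj[.]com), flags inline scripts with obvious obfuscation markers (long runs of `\x..` escapes, `atob(`, `String.fromCharCode`), and flags iframes whose inline style pins them over the whole viewport. The sample pages, the `/x.js` path, and the iframe target are constructed for the demonstration; the obfuscation and overlay heuristics are assumptions to be tuned to your own false-positive budget.

```python
"""Heuristic scanner for the injected full-screen iframe overlay pattern (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domain the article names as hosting the loader. Extend with your own blocklist.
KNOWN_BAD_DOMAINS = {"zuizhongyj.com"}

# Markers of obfuscated inline JavaScript (heuristic; an assumption, not a published IOC).
_OBFUSCATION = re.compile(
    r"(?:\\x[0-9a-fA-F]{2}){8,}|String\.fromCharCode|\batob\(|\bunescape\("
)


def _host(src):
    """Hostname of a script src; handles protocol-relative '//host/x.js' URLs."""
    if src.startswith("//"):
        src = "https:" + src
    return (urlsplit(src).hostname or "").lower()


def _css_props(style):
    """Parse an inline style attribute into {prop: value}, lower-cased, spaces removed."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            k, v = decl.split(":", 1)
            props[k.strip().lower()] = v.strip().lower().replace(" ", "")
    return props


def is_fullscreen_overlay(style):
    """True if an inline style takes an element out of flow and sizes it to the viewport."""
    p = _css_props(style or "")
    full = {"100%", "100vw", "100vh"}
    out_of_flow = p.get("position") in ("fixed", "absolute")
    covers = p.get("width") in full and p.get("height") in full
    return out_of_flow and covers


class _Collector(HTMLParser):
    """Collects <script> tags (src + inline body) and <iframe> attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []   # (src or None, inline text)
        self.iframes = []   # attribute dicts
        self._in_script = False
        self._src = None
        self._body = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script, self._src, self._body = True, a.get("src"), []
        elif tag == "iframe":
            self.iframes.append(a)

    def handle_data(self, data):
        if self._in_script:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._body)))
            self._in_script = False


def scan_html(html):
    """Return a list of (finding, detail) tuples for one page; empty means nothing flagged."""
    c = _Collector()
    c.feed(html)
    findings = []
    for src, body in c.scripts:
        if src and _host(src) in KNOWN_BAD_DOMAINS:
            findings.append(("script-from-known-bad-domain", src))
        elif not src and _OBFUSCATION.search(body):
            findings.append(("obfuscated-inline-script", body[:60]))
    for attrs in c.iframes:
        if is_fullscreen_overlay(attrs.get("style")):
            findings.append(("fullscreen-iframe-overlay", attrs.get("src", "")))
    return findings


# Constructed sample pages (not captured from a real site).
CLEAN_PAGE = """<html><body><h1>Shop</h1>
<script src="https://cdn.example.com/app.js"></script></body></html>"""

COMPROMISED_PAGE = """<html><body><h1>Shop</h1>
<script src="//zuizhongyj.com/x.js"></script>
<script>var _0x=["\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f"];eval(atob("ZG9jdW1lbnQ="));</script>
<iframe src="https://example.invalid/bet" style="position:fixed;top:0;left:0;width:100%;height:100%;border:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("compromised", COMPROMISED_PAGE)):
        print(name, scan_html(page))
```

Run it against a crawl of your own pages rather than a single fetch: the overlay is injected client-side, so check the served HTML as a browser would see it, and remember that a list of known loader domains only catches the variant you already know about; the obfuscation and overlay heuristics are what catch the next rename.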
Separately, GoDaddy disclosed details of the large-scale DollyWay World Domination operation, which has been running since 2016. Over 20,000 websites have been compromised, more than 10,000 of them unique WordPress sites attacked in recent months alone. The infection vector is JavaScript redirects delivered through a TDS (Traffic Direction System) network spread across previously hacked websites.
Researchers have linked this scheme to the major cybercriminal affiliate network VexTrio, which uses DNS obfuscation, domain generation, and a complex traffic management system. In addition to page spoofing, the scheme includes disabling security plugins, deleting legitimate administrators, and stealing their credentials for further site control.
Code injected into the PHP of active WordPress plugins automatically fetches redirect instructions from the Telegram channel trafficredirect. After breaking ties with the LosPollos network in November 2024, the DollyWay operators began restructuring their infrastructure, which researchers read as a sign of partial logistical disruption and reduced effectiveness.
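Because the loader lives inside the PHP of plugins that are otherwise legitimate, signature scanning of the rendered site is not enough; the reliable check is file integrity against a trusted baseline. The audit below is an added example, not GoDaddy’s or WordPress’s code: it hashes a pristine copy of a plugin (the manifest you would build from the vendor release), diffs it against the installed files, and for any modified or added PHP file lists URLs pointing at Telegram hosts. The plugin, its files, the injected line and the `t.me/s/trafficredirect` URL form are all constructed for the demonstration; treating `t.me` and `api.telegram.org` as suspect hosts in plugin code is an assumption drawn from the article’s description, not a published indicator.

```python
"""Plugin file-integrity audit against a trusted manifest (added example)."""
import hashlib
import re

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"<>]*)?")

# Hosts that have no business in plugin PHP. Assumption based on the article's
# description of instructions being fetched from a Telegram channel.
SUSPECT_HOSTS = {"t.me", "api.telegram.org"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """{relative_path: bytes} -> {relative_path: sha256 hex}; build this from a clean release."""
    return {p: sha256(b) for p, b in files.items()}


def diff_manifest(baseline, current_files):
    """Compare installed files with the trusted manifest -> (modified, added, missing)."""
    cur = build_manifest(current_files)
    modified = sorted(p for p in baseline if p in cur and cur[p] != baseline[p])
    added = sorted(p for p in cur if p not in baseline)
    missing = sorted(p for p in baseline if p not in cur)
    return modified, added, missing


def suspicious_urls(php_source: str):
    """URLs in a PHP source whose host is on the suspect list."""
    hits = []
    for m in URL_RE.finditer(php_source):
        host = m.group(0).split("//", 1)[1].split("/", 1)[0].lower()
        if host in SUSPECT_HOSTS:
            hits.append(m.group(0))
    return hits


def audit_plugin(baseline, current_files):
    """Report (path, 'modified'|'added', suspect_urls) for each changed PHP file, plus missing files."""
    modified, added, missing = diff_manifest(baseline, current_files)
    report = []
    for p in modified + added:
        if p.endswith(".php"):
            src = current_files[p].decode("utf-8", "replace")
            report.append((p, "modified" if p in modified else "added", suspicious_urls(src)))
    return report, missing


# Constructed pristine release of a fictional plugin.
PRISTINE = {
    "seo-tool/seo-tool.php": b"<?php\n// Plugin Name: SEO Tool\nadd_action('init', 'seo_tool_init');\n",
    "seo-tool/readme.txt": b"SEO Tool 1.0\n",
}

# Constructed installed copy: the main file has an appended loader and a dropper file was added.
INSTALLED = {
    "seo-tool/seo-tool.php": PRISTINE["seo-tool/seo-tool.php"]
    + b"$c = @file_get_contents('https://t.me/s/trafficredirect');\n",
    "seo-tool/readme.txt": PRISTINE["seo-tool/readme.txt"],
    "seo-tool/.cache.php": b"<?php\n// constructed dropper stub\n",
}

BASELINE = build_manifest(PRISTINE)

if __name__ == "__main__":
    report, missing = audit_plugin(BASELINE, INSTALLED)
    for path, kind, urls in report:
        print(kind, path, urls or "")
    if missing:
        print("missing:", missing)
```

For real WordPress installs the baseline can come from the plugin ZIP on wordpress.org or from your own release pipeline; run the audit from a clean host that mounts the web root read-only, since the article notes these operators also disable security plugins and remove administrators, so anything executing inside the compromised site cannot be trusted to report honestly.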
However, despite technical setbacks and temporary outages, the attackers quickly adapted, switching to alternative monetization schemes. Currently, the DollyWay infrastructure still generates up to 10 million page views per month, using compromised sites as C2 nodes and elements of a traffic redirection network.
The key risk remains that many of the infected sites continue operating without updates or security checks, leaving them vulnerable. Given the widespread use of WordPress and the openness of the plugin ecosystem, the potential scale of the attack is only expected to grow.
More info: https://www.securitylab.ru/news/557811.php
