NEWS JSFireTruck and HelloTDS: A New Web Attack Infrastructure Leveraging Legitimate Domains

ExcalibuR


270,000 websites compromised — you've likely visited one.


Cybercriminals have breached over 260,000 legitimate websites, injecting them with malicious JavaScript code disguised as harmless character strings. According to Palo Alto Networks experts, this widespread campaign began in late March and surged sharply in mid-April. Its primary goal is to redirect users to malicious resources via compromised web pages — especially when the visit originates from a search engine.


To conceal the true nature of the scripts, attackers use an unusual encoding technique called JSFuck — a method for writing complete JavaScript programs using only six characters: [, ], +, $, {, }. Palo Alto’s Unit 42 has proposed a more neutral name for the obfuscated code: JSFireTruck, hinting at its chaotic structure. This kind of obfuscation significantly complicates analysis and allows scripts to remain undetected for extended periods.


The injected code monitors the user’s referrer. If the visitor arrives from a search engine like Google, Bing, or DuckDuckGo, they are automatically redirected to external sites containing potentially harmful content. These destinations may include exploit kits, malware payloads, fake browser updates, or monetization schemes through malvertising.


The campaign peaked on April 12, with more than 50,000 compromised pages recorded in a single day. Over the course of a month, nearly 270,000 infected URLs were detected by Palo Alto Networks' telemetry systems.


Simultaneously, another dangerous campaign was observed — a new traffic distribution system (TDS) called HelloTDS, discovered by Gen Digital. This platform performs selective redirection based on the user’s IP address, geolocation, browser characteristics, and device type. HelloTDS first profiles the visitor and then decides whether to serve a fake CAPTCHA, tech support scam, fake browser update, or another trap.


If the user doesn't meet the target criteria, they’re redirected to a harmless page — a tactic that helps attackers evade detection. Streaming sites, file-sharing platforms, and ad networks were among the primary starting points for these attacks, often containing the malicious JavaScript payload.


Some attack chains culminated in the installation of PEAKLIGHT malware, also known as Emmenthal Loader. This loader is used to deploy spyware such as Lumma, which extracts data from browsers, including passwords and cryptocurrency wallets.


The HelloTDS infrastructure relies on dynamically generated domain names registered under top-level domains such as .top, .shop, and .com, which are used to host scripts and manage redirections. In addition to mimicking legitimate sites, these platforms include scripts capable of detecting VPNs, browser emulators, and research environments, allowing them to block security specialists and avoid exposure.


The scale, legitimate appearance, and sophisticated filtering techniques make the JSFireTruck and HelloTDS-based campaigns particularly dangerous — both for ordinary users and owners of compromised websites.
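The two traits the post attributes to the injected scripts, a body made almost entirely of the listed six-character alphabet and a referrer check against search-engine names, are both cheap to look for in saved HTML. The scanner below is an added example written for this post; it is not code from Unit 42, Gen Digital, or the campaigns themselves. It assumes the character set quoted above ([ ] + $ { }), a 90% density threshold and 200-character minimum length for the obfuscation heuristic (both assumed, tune to your own corpus), and the search-engine names the post mentions. The sample page it scans is constructed inline, with an `.invalid` placeholder host.

```python
"""Flag inline scripts that look like JSFireTruck-style obfuscation or
referrer-gated redirects.  Added example, not part of the original post."""
from html.parser import HTMLParser

# Character set the post attributes to the JSFireTruck encoding.
JSFIRETRUCK_ALPHABET = frozenset("[]+${}")
# Search engines the post names as the referrers that trigger redirection.
SEARCH_ENGINE_NAMES = ("google", "bing", "duckduckgo")


class ScriptExtractor(HTMLParser):
    """Collect the text of every inline <script> element in a page."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser treats <script> bodies as CDATA, so they arrive here whole.
        if self._in_script:
            self.scripts[-1] += data


def alphabet_ratio(script):
    """Fraction of non-whitespace characters drawn from the six-char alphabet."""
    body = "".join(ch for ch in script if not ch.isspace())
    if not body:
        return 0.0
    return sum(1 for ch in body if ch in JSFIRETRUCK_ALPHABET) / len(body)


def mentions_referrer_gate(script):
    """True when the script reads document.referrer and names a search engine."""
    low = script.lower()
    return "document.referrer" in low and any(n in low for n in SEARCH_ENGINE_NAMES)


def scan_html(html, ratio_threshold=0.9, min_length=200):
    """Return one finding per suspicious inline script (empty list if clean)."""
    parser = ScriptExtractor()
    parser.feed(html)
    findings = []
    for index, script in enumerate(parser.scripts):
        reasons = []
        ratio = alphabet_ratio(script)
        # Short snippets can hit a high ratio by accident, hence the length floor.
        if len(script.strip()) >= min_length and ratio >= ratio_threshold:
            reasons.append(f"{ratio:.0%} of script body is in the [ ] + $ {{ }} alphabet")
        if mentions_referrer_gate(script):
            reasons.append("checks document.referrer against search-engine names")
        if reasons:
            findings.append({"index": index, "length": len(script),
                             "ratio": round(ratio, 3), "reasons": reasons})
    return findings


# Constructed sample page: one benign script, one stand-in for an
# alphabet-only obfuscated blob, one plaintext referrer-gated redirect.
SAMPLE_HTML = (
    '<html><head>\n'
    '<script>console.log("page loaded");</script>\n'
    '<script>' + "[]+$[]{}" * 40 + '</script>\n'
    '<script>\n'
    'if (document.referrer.indexOf("google") !== -1) {'
    ' location.href = "https://tds-placeholder.example.invalid/"; }\n'
    '</script>\n'
    '</head><body>hello</body></html>'
)

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run against a crawl of your own pages (or a saved copy of a suspect one), the scanner flags scripts 1 and 2 of the sample and ignores the benign one; it is a triage filter, so anything it flags still deserves a manual look, and a low ratio does not clear a script that uses a different encoder.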