An ongoing campaign that infiltrates legitimate websites with malicious JavaScript injects to promote Chinese-language gambling platforms has ballooned to compromise approximately 150,000 sites to date.
“The threat actor has slightly revamped their interface but is still relying on an iframe injection to display a full-screen overlay in the visitor’s browser,” c/side security analyst Himanshu Anand said in a new analysis.
As of writing, there are over 135,800 sites containing the JavaScript payload, per statistics from PublicWWW.
As documented by the website security company last month, the campaign involves infecting websites with malicious JavaScript that’s designed to hijack the user’s browser window to redirect site visitors to pages promoting gambling platforms.
The redirections have been found to occur via JavaScript hosted on five different domains (e.g., “zuizhongyj[.]com”) that, in turn, serve the main payload responsible for performing the redirects.
c/side said it also observed another variant of the campaign that entails injecting scripts and iframe elements in HTML impersonating legitimate betting websites such as Bet365 by making use of official logos and branding.
The end goal is to serve a fullscreen overlay using CSS that causes the malicious gambling landing page to be displayed when visiting one of the infected sites in place of the actual web content.
“This attack demonstrates how threat actors constantly adapt, increasing their reach and using new layers of obfuscation,” Anand said. “Client-side attacks like these are on the rise, with more and more findings every day.”
The disclosure comes as GoDaddy revealed details of a long-running malware operation dubbed DollyWay World Domination that has compromised over 20,000 websites globally since 2016. As of February 2025, over 10,000 unique WordPress sites have fallen victim to the scheme.
“The current iteration […] primarily targets visitors of infected WordPress sites via injected redirect scripts that employ a distributed network of Traffic Direction System (TDS) nodes hosted on compromised websites,” security researcher Denis Sinegubko said.
“These scripts redirect site visitors to various scam pages through traffic broker networks associated with VexTrio, one of the largest known cybercriminal affiliate networks that leverages sophisticated DNS techniques, traffic distribution systems, and domain generation algorithms to deliver malware and scams across global networks.”
The attacks commence with injecting a dynamically generated script into the WordPress site, ultimately redirecting visitors to VexTrio or LosPollos links. The activity is also said to have used ad networks like PropellerAds to monetize traffic from compromised sites.
The malicious injections on the server-side are facilitated through PHP code inserted into active plugins, while also taking steps to disable security plugins, delete malicious admin users, and siphon legitimate admin credentials to meet their objectives.
GoDaddy has since revealed that the DollyWay TDS leverages a distributed network of compromised WordPress sites as TDS and command-and-control (C2) nodes, reaching 9-10 million monthly page impressions. Furthermore, the VexTrio redirect URLs have been found to be obtained from the LosPollos traffic broker network.
Around November 2024, DollyWay operators are said to have deleted several of their C2/TDS servers, with the TDS script obtaining the redirect URLs from a Telegram channel named trafficredirect.
“The disruption of DollyWay’s relationship with LosPollos marks a significant turning point in this long-running campaign,” Sinegubko noted. “While the operators have demonstrated remarkable adaptability by quickly transitioning to alternative traffic monetization methods, the rapid infrastructure changes and partial outages suggest some level of operational impact.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
The Hacker News
