Malicious JavaScript Campaign Compromises Over 150,000 Websites to Promote Gambling Platforms

A large-scale, ongoing cyber campaign has compromised over 150,000 legitimate websites through the injection of malicious JavaScript. The attack is designed to redirect site visitors to Chinese-language gambling platforms, using browser-based overlays and impersonation techniques to deceive users.

How the Attack Works: JavaScript Injection and Redirection

The campaign was analyzed by c/side security researcher Himanshu Anand, who noted that attackers are injecting JavaScript into websites to hijack user sessions and redirect traffic to gambling-related domains. These scripts, once embedded, use iframe-based overlays to display full-screen fake content, effectively disguising the legitimate website beneath it.

“The threat actor has slightly revamped their interface but is still relying on an iframe injection to display a full-screen overlay in the visitor’s browser,” Anand said.

According to PublicWWW, over 135,800 websites currently contain the malicious JavaScript payload. The number has continued to rise, demonstrating the persistent and scalable nature of this attack.

Technical Details: Domains and Methods Used

The injection leads users to gambling pages via JavaScript hosted on five key domains, including:

  • zuizhongyj[.]com

  • (Four additional obfuscated domains not listed publicly for security reasons)

The redirection chain is facilitated by these intermediary domains, which serve as delivery points for the main payload. Once activated, the script constructs a full-screen CSS overlay that mimics legitimate gambling platforms, such as Bet365, by using official logos and branding materials.

The result is a spoofed gambling website, displayed on top of the original site content, giving users the illusion of a real platform. This social engineering tactic is designed to trick users into interacting with fake gambling interfaces.
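The two client-side indicators described above, an external script loaded from an unexpected host and an iframe styled as a full-viewport overlay, are simple to check for in saved HTML. The scanner below is an added example and is not code from the article or from c/side; it uses only the Python standard library. The allowlisted host `cdn.example-site.invalid`, the third-party host `unknown-cdn.invalid` and the overlay host `overlay.invalid` are constructed placeholders; `zuizhongyj.com` is the one domain the article names.

```python
"""Added example: scan a page's HTML for the two client-side indicators the
article describes, <script src> tags pointing at unexpected hosts and <iframe>
elements styled as full-viewport overlays.  Standard library only, so it can be
run offline against saved page sources."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hosts this site is expected to load scripts from (assumed for the example).
ALLOWED_SCRIPT_HOSTS = {"cdn.example-site.invalid"}
# Known-bad host named in the article; extend this from your own intel.
BLOCKED_SCRIPT_HOSTS = {"zuizhongyj.com"}

# An injected overlay is typically position:fixed and sized to the viewport.
FULLSCREEN_HINTS = (
    re.compile(r"position\s*:\s*fixed"),
    re.compile(r"(width|height)\s*:\s*100\s*(%|vw|vh)"),
)


class InjectionScanner(HTMLParser):
    """Collects (indicator, detail) tuples in document order while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            # Absolute and protocol-relative (//host/x.js) URLs both yield a
            # hostname; same-origin relative paths yield None and are skipped.
            host = (urlparse(a["src"]).hostname or "").lower()
            if host in BLOCKED_SCRIPT_HOSTS:
                self.findings.append(("blocked_script_host", host))
            elif host and host not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append(("unlisted_script_host", host))
        elif tag == "iframe":
            # Only inline style is inspected; see the note below the block.
            style = a.get("style", "").lower()
            if all(p.search(style) for p in FULLSCREEN_HINTS):
                self.findings.append(("fullscreen_iframe", a.get("src", "")))


def scan_html(html):
    """Return the indicators found in an HTML document, in page order."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate script, one on the blocklist, one
# unknown third party, one full-screen overlay iframe and one ordinary embed.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example-site.invalid/app.js"></script>
<script src="//zuizhongyj.com/loader.js"></script>
<script src="https://unknown-cdn.invalid/x.js"></script>
</head><body>
<iframe src="https://overlay.invalid/"
        style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:99999"></iframe>
<iframe src="https://video.invalid/embed" width="560" height="315"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for indicator, detail in scan_html(SAMPLE_HTML):
        print(f"{indicator}: {detail}")
```

Two limits worth knowing before relying on it: inline `<script>` bodies (no `src`) are not inspected, and an overlay whose sizing comes from a class in an external stylesheet rather than an inline `style` attribute will not match the full-screen check. The hostname allowlist is the more durable of the two signals, since it flags any new third-party script regardless of how the overlay is styled.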

Rising Trend in Client-Side Attacks

This campaign reflects a broader trend in client-side cyberattacks, where vulnerabilities or injections occur in the user’s browser session rather than on the server itself.

“This attack demonstrates how threat actors constantly adapt, increasing their reach and using new layers of obfuscation,” Anand added. “Client-side attacks like these are on the rise, with more and more findings every day.”

Related Campaign: GoDaddy Unveils DollyWay World Domination Operation

The disclosure comes amid another major revelation: GoDaddy has detailed a long-running malware campaign dubbed DollyWay World Domination, active since 2016. This server-side operation has affected over 20,000 websites worldwide, including more than 10,000 unique WordPress sites as of February 2025.

How DollyWay Works:

  1. Redirect Injection: Scripts are injected into compromised WordPress sites.

  2. TDS Redirection: The code connects users to a Traffic Direction System (TDS) that routes them to scam websites via traffic broker networks.

  3. Affiliation with VexTrio: These brokers are linked to VexTrio, a major cybercriminal affiliate network using DNS manipulation and domain generation algorithms (DGAs) for mass redirection.

Monetization Tactics:

  • Redirects are often routed through networks like LosPollos and PropellerAds, generating revenue for attackers.

  • PHP injections modify WordPress plugin code, often disabling security plugins and creating malicious admin users to maintain control.
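Both persistence steps in the list above, modified plugin code and newly created administrator accounts, are visible against a known-good baseline. The script below is an added example and is not GoDaddy's or the article's code: it hashes a plugin tree, diffs a later snapshot against the saved manifest, and diffs an administrator list against the one recorded at baseline time. The directory layout, the file names and the user names are constructed for the demonstration; it assumes the current administrator list is obtained separately (for instance from `wp user list --role=administrator --field=user_login`) and passed in as plain strings.

```python
"""Added example: file-integrity and admin-user baselining for a WordPress
plugin directory, as a defender's check for the kind of tampering the article
attributes to DollyWay.  Standard library only."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (path relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Report files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def diff_admins(baseline_admins, current_admins):
    """Return administrator logins that were not present at baseline time."""
    return sorted(set(current_admins) - set(baseline_admins))


def demo():
    """Constructed scenario: take a baseline, then simulate an appended plugin
    file, a dropped-in new file and an unexpected administrator account."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = os.path.join(root, "plugins", "example-plugin")
        os.makedirs(plugin_dir)
        main_file = os.path.join(plugin_dir, "example-plugin.php")
        with open(main_file, "w") as f:
            f.write("<?php // original plugin code\n")
        baseline = build_manifest(root)

        # Simulated tamper: code appended to an existing file, plus a new file.
        with open(main_file, "a") as f:
            f.write("// appended content (simulated)\n")
        with open(os.path.join(plugin_dir, "cache.php"), "w") as f:
            f.write("<?php // new file (simulated)\n")
        file_diff = diff_manifest(baseline, build_manifest(root))

    # Constructed admin lists: 'owner' was there at baseline, 'svc_backup' was not.
    new_admins = diff_admins(["owner"], ["owner", "svc_backup"])
    return file_diff, new_admins


if __name__ == "__main__":
    file_diff, new_admins = demo()
    for kind, paths in file_diff.items():
        print(f"{kind}: {paths}")
    print(f"new administrators: {new_admins}")
```

In practice the baseline manifest is written to a location the web server cannot modify and refreshed only after a deliberate plugin update; any `modified` or `added` entry outside an update window, or any login in the admin diff, is the alert condition.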

Infrastructure and Operational Shifts

According to security researcher Denis Sinegubko, DollyWay's network generated 9–10 million page impressions per month via compromised TDS and command-and-control (C2) nodes. The attackers have shown remarkable adaptability, especially after operational disruptions in late 2024.

Notably:

  • Several TDS/C2 servers were shut down in November 2024.

  • The attackers transitioned to using a Telegram channel named trafficredirect to distribute redirect URLs.

“The disruption of DollyWay’s relationship with LosPollos marks a significant turning point,” Sinegubko noted. “While they quickly adopted new traffic monetization methods, the rapid infrastructure changes suggest some level of operational impact.”

Key Takeaways

  • Over 150,000 websites have been compromised by JavaScript-based client-side attacks promoting Chinese gambling sites.

  • The threat actors use obfuscation, impersonation, and CSS overlays to trick users into interacting with malicious content.

  • GoDaddy’s DollyWay campaign highlights the scale and complexity of server-side redirect and monetization attacks, linked to sophisticated affiliate networks like VexTrio.

  • Security researchers emphasize the need for better monitoring of website integrity, plugin security, and client-side behavior.