A widespread campaign has compromised approximately 150,000 legitimate websites by injecting malicious JavaScript to promote Chinese-language gambling platforms.
In a recent analysis, c/side security analyst Himanshu Anand reported that the threat actor has revamped their interface and continues to rely on iframe injection to display a full-screen overlay in the visitor’s browser.
Statistics from PublicWWW indicate that over 135,800 sites currently contain the JavaScript payload.
As documented by the website security company last month, the campaign involves infecting websites with malicious JavaScript designed to hijack the user’s browser window and redirect site visitors to pages promoting Chinese-language gambling platforms.
The redirections occur via JavaScript hosted on five different domains, which serve the main payload responsible for performing the redirects.
c/side also observed another variant of the campaign that injects scripts and iframe elements into the page HTML to impersonate legitimate betting websites, such as Bet365, using official logos and branding.
The ultimate goal is to serve a fullscreen overlay using CSS, causing the malicious gambling landing page to be displayed when visiting one of the infected sites in place of the actual web content.
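For site owners checking their own pages, the following is an added example (not code from c/side or from the campaign) that flags the two artifacts described above: script tags loaded from hosts outside an allowlist, and iframes from such hosts whose inline CSS covers the whole viewport. The host names, the allowlist and the sample page are constructed, and the check only sees inline `style` attributes, not rules applied from stylesheets or by script.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def parse_style(style):
    """Turn an inline style string into a {property: value} dict."""
    css = {}
    for decl in style.split(";"):
        name, sep, value = decl.partition(":")
        if sep:
            css[name.strip().lower()] = value.replace("!important", "").strip().lower()
    return css

def covers_viewport(css):
    """True when inline CSS pins the element over the whole window."""
    return (css.get("position") in ("fixed", "absolute")
            and css.get("width") in ("100%", "100vw")
            and css.get("height") in ("100%", "100vh"))

class InjectionScanner(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = set(allowed_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attrs = dict(attrs)
        host = urlparse(attrs.get("src") or "").hostname
        if host is None or host in self.allowed:
            return  # inline, same-site relative URL, or an expected origin
        if tag == "script":
            self.findings.append(("unexpected-script", host))
        elif covers_viewport(parse_style(attrs.get("style") or "")):
            self.findings.append(("fullscreen-iframe", host))

def scan(html, allowed_hosts):
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page and allowlist (hypothetical hosts, assumption for the demo).
ALLOWED = {"cdn.shop.example", "video.partner.example"}
SAMPLE = """<html><head><script src="/js/app.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="https://static.injected.example/tag.js"></script></head><body>
<iframe src="https://video.partner.example/embed/1" width="560" height="315"></iframe>
<iframe src="//landing.injected.example/" style="position:fixed; top:0; left:0;
 width:100vw; height:100vh; z-index:2147483647; border:0"></iframe></body></html>"""
```

Run `scan()` over the rendered HTML of each page and review any host it reports that is not part of the site's known dependencies.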
“This attack demonstrates how threat actors constantly adapt, increasing their reach and using new layers of obfuscation,” Anand said. “Client-side attacks like these are on the rise, with more and more findings every day.”
The disclosure comes as GoDaddy revealed details of a long-running malware operation dubbed DollyWay World Domination, which has compromised over 20,000 websites globally since 2016, with over 10,000 unique WordPress sites falling victim to the scheme as of February 2025.