More than a quarter-million websites infected with JSFireTruck (JSFuck) JavaScript malware

A massive web-based malware campaign was uncovered this month, in which nearly 270,000 legitimate websites were compromised by a unique and highly obfuscated JavaScript malware known as “JSFireTruck” (a nickname for the original, profane term “JSF*ck”). Between March 26 and April 25, 2025, telemetry from Palo Alto Networks detected 269,552 infected webpages. The campaign spiked sharply around April 12, 2025, with over 200,000 sites affected in just two weeks. This campaign represents one of the largest and most sophisticated JavaScript injection attacks seen in recent years.

The injected malicious JavaScript uses an esoteric obfuscation method called JSFireTruck, which relies on just six ASCII characters: []()+!$. This technique exploits JavaScript’s type coercion, allowing the creation of functional code using only these symbols. For example, combining brackets and plus signs can encode numbers and letters, making the code extremely difficult to analyze manually. The obfuscated code is often lengthy and unreadable, requiring specialized tools (such as “UnJSF-ck” deobfuscators) to decode.
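The coercion trick described above, together with a simple way to spot such blobs in page source, as an added example that is not code from the campaign or from the original report. The function names, the `minRun` threshold of 100 and the sample page are assumptions constructed for illustration; the character set is the one listed in this article.

```javascript
// Added example: harmless coercion primitives plus a symbol-run detector.
const JSF_CHARS = new Set("[]()+!$"); // character set as listed in the article

// How type coercion yields numbers and letters from symbols alone.
function coercionDemo() {
  return {
    zero: +[],              // unary plus on an empty array -> 0
    one: +!![],             // !![] is true, +true -> 1
    two: !![] + !![],       // true + true -> 2
    f: (![] + [])[+[]],     // "false"[0] -> "f"
    r: (!![] + [])[+!![]],  // "true"[1]  -> "r"
  };
}

// Length of the longest run made up only of JSF_CHARS (whitespace is skipped).
function longestSymbolRun(src) {
  let best = 0, run = 0;
  for (const ch of src) {
    if (JSF_CHARS.has(ch)) { run++; if (run > best) best = run; }
    else if (!/\s/.test(ch)) run = 0;
  }
  return best;
}

// Flag inline <script> bodies whose symbol-only run reaches minRun characters.
// minRun is an assumed threshold; ordinary code rarely chains more than a few.
function scanInlineScripts(html, minRun = 100) {
  const findings = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m, index = 0;
  while ((m = re.exec(html)) !== null) {
    const run = longestSymbolRun(m[1]);
    if (run >= minRun) findings.push({ index, run, length: m[1].length });
    index++;
  }
  return findings;
}

// Constructed sample page: one ordinary script, one symbol-only blob (never executed).
const blob = "(![]+[])[+[]]+(!![]+[])[+!![]]+".repeat(10) + "[]";
const samplePage =
  "<html><script>var a=[1,2];console.log(a[0]+1);</script>" +
  "<script>" + blob + "</script></html>";

console.log(coercionDemo());
console.log(scanInlineScripts(samplePage));
```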

Once injected into a website, the script checks the document.referrer property to determine if a visitor arrived via a search engine. If so, the script dynamically inserts an iframe that covers the entire browser window, redirecting the user to a malicious domain or payload (such as a ZIP file download, phishing site, or malware installer). The iframe’s CSS ensures it overlays all page content, enabling clickjacking, phishing, and other forms of user exploitation. The script may also extract and decode additional data from the URL hash, further customizing the payload or redirect.