Over 150K websites hit by full-page hijack linking to Chinese gambling sites

March 27, 2025, 10:22 p.m.

Description

In February, C/Side uncovered a threat actor targeting over 35,000 websites with a malicious full-page hijack injection. C/Side has continued to monitor this actor's activity and has identified new tactics and techniques. The actor has scaled up its operation significantly: the current estimate is that approximately 150,000 websites have been affected by this campaign.

Indicators

  • www.wa38di.com
  • https://www.wa38di.com:7443/other/restrictionIp?name=access-caveat
  • https://t399229.com/
  • https://g977115.com/
  • https://lucky298.com/
  • https://b217102.cc/
  • https://888fff.zuizhongyj.com/jump.js
  • https://888fff.zuizhongyj.com/
  • https://551007t.cc/
  • 888fff.zuizhongyj.com
  • t399229.com
  • lucky298.com
  • g977115.com
  • b217102.cc
  • 551007t.cc
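The indicators above are only useful if something actually checks for them in a site's content. The following Python scanner is an added example, not C/Side's tooling or code from this page: it uses the listed domains as its IOC set, decodes JavaScript \xNN and \uNNNN string escapes before matching (an assumed, simple obfuscation layer added for illustration, not a description of this actor's real obfuscation), and reports every script, link or URL literal in an HTML/JS file whose host is, or is a subdomain of, an indicator domain. The sample HTML is constructed for the demonstration.

```python
import re
import sys
from urllib.parse import urlparse

# Indicator domains from the listing above (hosts only; the URL indicators
# all resolve to one of these).
IOC_DOMAINS = {
    "www.wa38di.com",
    "888fff.zuizhongyj.com",
    "t399229.com",
    "lucky298.com",
    "g977115.com",
    "b217102.cc",
    "551007t.cc",
}

# src/href/action attribute values, plus any bare (or protocol-relative) URL literal.
_ATTR_RE = re.compile(r"""\b(?:src|href|action)\s*=\s*["']([^"']+)["']""", re.I)
_URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>()]+""", re.I)
# JavaScript string escapes \xNN and \uNNNN (assumed obfuscation layer, not the
# actor's actual technique).
_ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")


def decode_js_escapes(text):
    """Decode \\xNN / \\uNNNN escapes so escaped hostnames become visible."""
    return _ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def _host(url):
    """Hostname of a URL; urlparse also handles protocol-relative //host/path."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def is_ioc_host(host):
    """True if host is an indicator domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


def find_ioc_references(text):
    """Return [(line_number, url)] for every URL whose host matches an IOC."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = decode_js_escapes(line)
        urls = set(_URL_RE.findall(line))
        urls.update(m.group(1) for m in _ATTR_RE.finditer(line))
        for url in sorted(urls):
            if is_ioc_host(_host(url)):
                hits.append((lineno, url))
    return hits


def scan_file(path):
    """Scan one file on disk and return its IOC hits."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_ioc_references(fh.read())


# Constructed sample: a clean local script, an injected loader, an escaped URL.
SAMPLE_HTML = """<html><head>
<script src="/assets/app.js"></script>
<script src='https://888fff.zuizhongyj.com/jump.js'></script>
</head><body>
<script>var u="\\x68\\x74\\x74\\x70\\x73://t399229.com/";</script>
<a href="https://example.com/">fine</a>
</body></html>"""


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No arguments: demonstrate on the constructed sample.
        for lineno, url in find_ioc_references(SAMPLE_HTML):
            print(f"sample:{lineno}: {url}")
    for path in paths:
        for lineno, url in scan_file(path):
            print(f"{path}:{lineno}: {url}")
```

Run it as `python scan.py path/to/site/*.html path/to/site/*.js` (or with no arguments to see the sample hits). It is a string-level triage tool: a hostname assembled at runtime from concatenated fragments or decoded from base64 will not be caught, so a clean result is not proof a site is unaffected, and any hit should be followed by a look at the surrounding code.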

Attack Patterns

  • JavaScript
  • T1574 (Hijack Execution Flow)
  • T1547 (Boot or Logon Autostart Execution)
  • T1055 (Process Injection)
  • T1027 (Obfuscated Files or Information)