In a significant cybersecurity breach, approximately 150,000 websites have been compromised, leading to full-page redirects to Chinese gambling platforms. This large-scale attack, which began in February 2025 targeting around 35,000 sites, has rapidly expanded, showcasing the increasing sophistication and operational scale of the threat actors involved.
Nature of the Attack
The attackers have inserted malicious code into the affected websites, creating full-screen overlays in visitors’ browsers. These overlays effectively replace legitimate website content with advertisements for gambling platforms. Notably, the injected content impersonates well-known betting platforms, such as Bet365, incorporating official logos to enhance credibility and increase conversion rates.
Targeted Regions and Users
Research indicates that the primary targets of this campaign are Chinese-speaking users located in China, Hong Kong, and the United States. Many of the malicious destinations selectively block traffic from specific regions, suggesting a strategic approach to targeting. The threat actors have employed multiple redirection URLs, including 551007t[.]cc, t399229[.]com, and W88in[.]com, among others.
Technical Details and Obfuscation Techniques
The infection chain relies on sophisticated obfuscation methods to evade detection by security tools. The injected script utilizes HTML entity encoding to mask its malicious nature. When decoded, this obfuscated script reveals its true functionality, which includes self-decryption mechanisms that ultimately inject a reference to an external JavaScript file.
The final payload contains advanced logic that checks for gambling-related keywords in the page title before creating a div element with CSS positioning, ensuring the overlay covers the entire viewport. It also enforces mobile-friendly viewing parameters through viewport tag manipulation to maximize effectiveness across all devices.
Implications and Recommendations
This campaign represents a significant threat to website integrity and user security. Website owners and administrators are urged to enhance monitoring and security practices to detect and mitigate such attacks promptly. Implementing robust security measures, conducting regular audits, and staying informed about emerging threats are crucial steps in safeguarding digital assets against such sophisticated cyberattacks.
