Friday, April 4, 2025


Cybersecurity breach has compromised over 35,000 websites, injecting malicious scripts

More than 35,000 websites have been compromised in a significant cybersecurity incident in which attackers injected malicious scripts that take over users’ browser windows and redirect them to Chinese-language gambling sites.

The final landing pages of the campaign, which was discovered on February 20, 2025, promote casino material under the “Kaiyun” name, suggesting that it targets areas where Mandarin is widely spoken.

According to c/side security researchers, attackers insert a straightforward one-line script tag into the source code of the compromised websites, which causes further malicious code to load.

The infection begins with an injected script tag that references domains such as zuizhongjs[.]com, mlbetjs[.]com, ptfafajs[.]com, and others.

After it loads, this first script generates a second script element to retrieve further malicious code from websites such as deski.fastcloudcdn[.]com.

The main payload is complex: to evade automated security scanning tools, it uses device detection techniques and random delays ranging from 500 to 1000 milliseconds.

The complete takeover of the browser window is the most alarming feature of this attack.

According to researchers at c/side, the malicious script inserts code that creates a full-screen iframe, replacing the original website content with the attacker’s gaming platform.

The code loads material from URLs such as “https://www.zuizhongjs[.]com/go/kaiyun1/ky.html” into a div element that fills the screen.

Infection Process

The attack runs in several stages of code execution. Once the initial script loads, the attackers use JavaScript functions to identify the user’s device type, determining whether the user is on a mobile device or a particular operating system such as iOS.

This allows the malicious content to be targeted precisely. For example, the code contains functions such as isMobile() and getIosVersion() to customize the payload for particular devices.

The script then creates a meta viewport tag so that the malicious content fills the full screen, which prevents users from accessing the actual website.

The fullscreen overlay is generated by document.write statements that inject HTML and CSS to place an iframe completely over the page.

Certain variants of the attack have been seen to use region-based filtering, showing users different content according to their IP address. Some users have even seen an access-blocked message telling them to get in touch with purported support channels.

It’s possible that this advanced filtering system was created to lessen exposure to security researchers or to cut down on undesired traffic to malicious domains.

According to security experts, this campaign could be connected to the Megalayer exploit, which is well known for spreading Chinese-language malware.

It is recommended that website owners audit their source code for unauthorized script tags, use firewall rules to block malicious domains, conduct frequent site scans to find malicious injections, implement Content Security Policy restrictions, and regularly check for unauthorized file modifications.
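As an added illustration of the first recommendation (this is not code from c/side or from the article), the following Python sketch parses a page and reports every external script tag whose host is either one of the campaign domains named above or missing from the site's own allowlist. The allowlist, the sample page and its file paths are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def refang(domain):
    return domain.replace("[.]", ".")

# Campaign domains as named in the article, stored defanged.
CAMPAIGN_DOMAINS = {refang(d) for d in (
    "zuizhongjs[.]com", "mlbetjs[.]com", "ptfafajs[.]com",
    "deski.fastcloudcdn[.]com",
)}

def _matches(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []  # (line, src) for every <script src=...>

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append((self.getpos()[0], src.strip()))

def audit_scripts(html, allowed_hosts):
    """Return (line, src, verdict) for each external script not explicitly allowed."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for line, src in parser.sources:
        # urlparse handles absolute and protocol-relative (//host/x.js) URLs;
        # same-origin relative paths have no hostname and are skipped.
        host = (urlparse(src).hostname or "").lower()
        if not host:
            continue
        if _matches(host, CAMPAIGN_DOMAINS):
            findings.append((line, src, "known-campaign-domain"))
        elif not _matches(host, allowed_hosts):
            findings.append((line, src, "not-in-allowlist"))
    return findings

# Constructed sample page: local script, allowed CDN, injected one-liner, unknown host.
SAMPLE = f"""<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script src="//www.{refang('zuizhongjs[.]com')}/x.js"></script>
<script src="https://unknown.example.net/t.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE, {"cdn.example.org"}):
        print(finding)
```

The same allowlist is a natural starting point for the script-src directive of a Content Security Policy, so the audit and the policy stay in agreement.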
