Researchers uncovered a large-scale malvertising campaign, active primarily between March 26 and April 25, 2025, during which over 269,000 legitimate websites were compromised with highly obfuscated JavaScript code dubbed “JSFireTruck” (a euphemism for JSF*ck). Using only six characters, namely [ ] ( ) ! +, the attackers leveraged JavaScript’s type coercion to dynamically construct fully functional payloads that redirect users coming from search engines (like Google, Bing, DuckDuckGo, Yahoo, AOL) to malicious destinations. These include drive-by downloads, exploit kits, phishing pages, hidden iframe realms, and traffic monetization schemes. The campaign generated a dramatic spike in infections around April 12, 2025, with over 50,000 infected pages detected in a single day.
Analysis of the injected code revealed multiple obfuscation layers: JSFireTruck encoded payloads using type coercion, followed by further encoding routines using String.fromCharCode and array lookups (via an array variable like $) to reassemble the malicious instructions. While the use of only six symbols makes analysis challenging, it also produces extremely long code that is easy for defenders to detect.
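The detection property described above can be checked mechanically by looking for long runs built only from the six characters. The following is an added example, not code from the researchers or the campaign; the function names, the 200-symbol threshold and both sample pages are assumptions constructed for illustration.

```javascript
// Added example: flag pages carrying long runs of the six JSFireTruck characters.
const MIN_RUN = 200; // assumed threshold; tune against your own corpus

// A run starts with one of [ ] ( ) ! + and may contain whitespace between symbols.
const RUN_RE = /[\[\]()!+][\[\]()!+\s]*/g;

function findSixCharRuns(text, minRun = MIN_RUN) {
  const runs = [];
  for (const m of text.matchAll(RUN_RE)) {
    const symbols = m[0].replace(/\s/g, "").length; // ignore padding whitespace
    if (symbols >= minRun) runs.push({ offset: m.index, symbols });
  }
  return runs;
}

function scanPage(html, minRun = MIN_RUN) {
  const runs = findSixCharRuns(html, minRun);
  return {
    suspicious: runs.length > 0,
    runs,
    // Secondary layer named in the analysis; weak on its own, useful as context.
    usesFromCharCode: html.includes("String.fromCharCode"),
  };
}

// Constructed samples (not taken from the campaign).
const benignPage =
  "<script>var a=[1,2,3];if(!(a[0]+a[1])){a.push(+!![])}</script>";
const obfuscatedPage =
  "<script>var $=[String.fromCharCode(65)];" +
  "(![]+[])[+[]]+".repeat(60) + "[]</script>";

console.log(scanPage(benignPage));
console.log(scanPage(obfuscatedPage));
```

Ordinary scripts contain only short runs of these characters, so the threshold separates the two samples; the reported offset points a reviewer at the start of the injected block.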