
The attack occurred in early January 2025 and was quite sophisticated. For instance, the attackers possessed non-public personal information about their victims and used phishing links wrapped recursively in Postmark tracking links to conceal the final destination.
The obfuscation technique used in this attack was first described in October 2024 by the well-known JavaScript developer Martin Kleppe, who is involved with the JSFuck project.
The encoding employs two different Unicode filler characters, the half-width Hangul filler (U+FFA0) and the full-width Hangul filler (U+3164), to represent the binary values 0 and 1, respectively. In the payload, each group of 8 such characters forms a single byte, representing an ASCII character.
The obfuscated code is stored as a property in a JavaScript object, and since the Hangul filler characters are rendered as empty spaces, the payload is invisible. Such attacks are difficult to detect because empty spaces reduce the chance that security scanners notice the threat.

According to Juniper Threat Labs, the payload is executed by a short piece of bootstrap code when the property is accessed through a Proxy get() trap: a Python function takes the Unicode string of Hangul filler characters and restores the original JavaScript code.
In addition, attackers employ other obfuscation techniques, including base64 encoding and anti-debugging, to evade analysis.
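
The encoding described above can be flagged and unpacked for triage. The following is an added example, not code from the article or from Juniper Threat Labs: it scans a script for runs of the two filler characters and decodes them 8 characters per byte. The function names, the most-significant-bit-first order and the sample string are assumptions made for the example.

```javascript
// Added example: flag and decode invisible Hangul filler runs in a script.
const ZERO = '\uFFA0'; // half-width Hangul filler = bit 0, per the article
const ONE = '\u3164';  // full-width Hangul filler = bit 1, per the article
const FILLER_RUN = /[\uFFA0\u3164]{8,}/g; // at least one full byte of fillers

const isPrintable = (b) => b === 9 || b === 10 || b === 13 || (b >= 32 && b < 127);

// Turn a run of fillers into bytes, 8 characters per byte.
// Assumption: most significant bit first (the article does not state the order).
function decodeRun(run) {
  const bytes = [];
  for (let i = 0; i + 8 <= run.length; i += 8) {
    let byte = 0;
    for (const ch of run.slice(i, i + 8)) byte = (byte << 1) | (ch === ONE ? 1 : 0);
    bytes.push(byte);
  }
  return bytes;
}

// Report every filler run in a script, with what it decodes to, for triage.
function scanSource(source) {
  const findings = [];
  for (const match of source.matchAll(FILLER_RUN)) {
    const bytes = decodeRun(match[0]);
    findings.push({
      offset: match.index,
      fillerChars: match[0].length,
      leftoverBits: match[0].length % 8, // non-zero: run is not whole bytes
      printableRatio: bytes.filter(isPrintable).length / bytes.length,
      decoded: bytes.map((b) => (isPrintable(b) ? String.fromCharCode(b) : '.')).join(''),
    });
  }
  return findings;
}

// Constructed sample: the bits of the ASCII text "hi" written as fillers inside
// a string literal, plus one stray filler that is too short to count as a run.
const SAMPLE_BITS = '0110100001101001';
const SAMPLE = 'var o = { p: "' +
  SAMPLE_BITS.replace(/0/g, ZERO).replace(/1/g, ONE) + '" }; // stray ' + ONE;

console.log(scanSource(SAMPLE));
```

A long run with a high `printableRatio` is a strong signal, since legitimate scripts rarely contain dozens of consecutive filler characters.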

“The attacks were highly personalized, including non-public information, and the initial JavaScript would try to invoke a debugger breakpoint if it were being analyzed, detect a delay, and then abort the attack by redirecting to a benign website,” – Juniper Threat Labs.
Juniper Threat Labs reports that two domains used in this campaign were previously linked to the Tycoon 2FA phishing kit. If so, the obfuscation technique described above can quickly become common among cybercriminals.

2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs, a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…