
The attack occurred in early January 2025 and was quite sophisticated. For instance, the attackers possessed personal nonpublic information about their victims and used phishing links wrapped recursively in Postmark tracking links to conceal the final destination.
The obfuscation technique used in this attack was first described in October 2024 by Martin Kleppe, a well-known JavaScript developer involved in the JSFuck project.
The encoding employs two different Unicode filler characters, the half-width Hangul filler (U+FFA0) and the full-width Hangul filler (U+3164), to represent the binary values 0 and 1, respectively. In the payload, each group of 8 such characters forms a single byte, i.e. one ASCII character.
The obfuscated code is stored as a property of a JavaScript object, and since the Hangul filler characters are rendered as blank space, the payload is invisible when the script is viewed. Such payloads are hard to detect because what looks like whitespace rarely draws the attention of security scanners.

According to Juniper Threat Labs, the payload is executed by a short bootstrap routine when the property is accessed through a Proxy get() trap: a Python function takes the Unicode string of Hangul filler characters and restores the original JavaScript code.
In addition, the attackers employ further obfuscation techniques, including base64 encoding and anti-debugging checks, to hinder analysis.
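As an added example (not code from the original report or from Juniper Threat Labs), the following scanner finds runs of Hangul filler characters in a script and decodes them back to ASCII using the bit mapping described above (U+FFA0 = 0, U+3164 = 1, eight characters per byte), so an analyst can read what a "blank" property actually contains. The sample script, property name and hidden string are constructed for this illustration.

```javascript
// Mapping described in the article: half-width Hangul filler = 0, full-width = 1.
const FILLER_ZERO = "\uFFA0";
const FILLER_ONE = "\u3164";

// Encode plain text into the filler alphabet. Used here only to build a
// constructed sample; the decoder and scanner below are what a defender needs.
function encodeFiller(text) {
  let out = "";
  for (const ch of text) {
    const bits = ch.charCodeAt(0).toString(2).padStart(8, "0");
    for (const b of bits) out += b === "1" ? FILLER_ONE : FILLER_ZERO;
  }
  return out;
}

// Decode a run of filler characters: every 8 characters form one byte.
function decodeFiller(run) {
  let out = "";
  for (let i = 0; i + 8 <= run.length; i += 8) {
    let byte = 0;
    for (let j = 0; j < 8; j++) {
      byte = (byte << 1) | (run[i + j] === FILLER_ONE ? 1 : 0);
    }
    out += String.fromCharCode(byte);
  }
  return out;
}

// Scan a script for runs of at least `minChars` filler characters and return
// each run with its offset, length and decoded content for inspection.
function findHiddenPayloads(source, minChars = 32) {
  const re = new RegExp(`[${FILLER_ZERO}${FILLER_ONE}]{${minChars},}`, "g");
  const hits = [];
  for (const m of source.matchAll(re)) {
    hits.push({ offset: m.index, chars: m[0].length, decoded: decodeFiller(m[0]) });
  }
  return hits;
}

// Constructed sample: a harmless string hidden in an object property, the way
// the article describes the payload being stored. It renders as an empty string.
const SAMPLE_SCRIPT =
  `const cfg = { note: "${encodeFiller("alert('decoded sample')")}" };`;

for (const hit of findHiddenPayloads(SAMPLE_SCRIPT)) {
  console.log(`offset ${hit.offset}: ${hit.chars} filler chars -> ${hit.decoded}`);
}
```

Lowering `minChars` catches shorter payloads at the cost of more noise from legitimate filler characters in Korean text.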

“The attacks were highly personalized, including non-public information, and the initial JavaScript would try to invoke a debugger breakpoint if it were being analyzed, detect a delay, and then abort the attack by redirecting to a benign website,” – Juniper Threat Labs.
Juniper Threat Labs reports that two domains used in this campaign were previously associated with the Tycoon 2FA phishing kit. If so, the obfuscation technique described above can quickly become commonly used by cybercriminals.
