Technology

Thousands of websites have now been hijacked by this devious, and growing, malicious scheme

March 28, 2025

Researchers find more than 150,000 compromised websites
The websites carried malware that overlaid them with malicious landing pages
Web admins are advised to audit their code

Security researchers c/side recently reported on a major website hijacking campaign, in which unnamed threat actors took over 35,000 websites and used them to redirect visitors to malicious pages and even serve them malware.

Now, a month later, the team has claimed the campaign has scaled even further, and now compromises a staggering 150,000 websites.

C/side believes the campaign is related to the Megalayer exploit, since it’s known for distributing Chinese-language malware, contains the same domain patterns, and the same obfuscation tactics.

Open redirects

While the method changed slightly, and now comes with a “slightly revamped interface”, the gist is still the same, as the attackers use iframe injections to display a full-screen overlay in the visitor’s browser.

The overlays show either impersonated legitimate betting websites, or outright fake gambling pages.

C/side did not detail who the attackers are, other than saying they could be linked to the Megalayer exploit.

The attackers are most likely Chinese, since they’re coming from regions where Mandarin is common, and since the final landing pages present gambling content under the Kaiyun brand.

They also did not discuss how the threat actors managed to compromise these tens of thousands of websites, but once the attackers gained access, they used it to inject a malicious script from a list of websites.

“Once the script loads, it fully hijacks the user’s browser window – often redirecting them to pages promoting a Chinese-language gambling (or casino) platform,” the researchers explained in the previous report.

To mitigate the risk of website takeover, c/side says web admins should audit their source code, block malicious domains, or use firewall rules for zuizhongjs[.]com, p11vt3[.]vip, and associated subdomains.

It would also be wise to keep an eye on logs for unexpected outgoing requests to these domains.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar