JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique

    Date: 06/13/2025

    Severity: High

    Summary

    We recently uncovered a widespread campaign in which threat actors compromise legitimate websites by injecting heavily obfuscated JavaScript code. These scripts silently redirect visitors to malicious pages delivering malware, exploits, or spam. The attackers use an obfuscation method known as JSF*ck (term redacted for profanity). Throughout this article, we refer to it using the nickname "JSFireTruck."
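For defenders auditing their own pages for this kind of injection, the following Node.js example is an added illustration, not code from the original advisory or the referenced research. It relies on the fact that JSF*ck output is written with only the six characters `[]()!+`, and flags inline scripts dominated by long runs of them. The function names, the 200-symbol threshold, and the sample page are assumptions constructed for the example.

```javascript
// Added example: flag inline scripts dominated by runs of the six JSF*ck characters.
const JSF_ALPHABET = new Set(['[', ']', '(', ')', '!', '+']);

// Return runs of alphabet characters (whitespace tolerated inside a run)
// containing at least minRun symbols. minRun is an assumed tuning value.
function findJsfRuns(text, minRun = 200) {
  const runs = [];
  let start = -1, last = -1, symbols = 0;
  const flush = () => {
    if (start !== -1 && symbols >= minRun) {
      runs.push({ offset: start, length: last - start + 1, symbols });
    }
    start = -1; symbols = 0;
  };
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (JSF_ALPHABET.has(ch)) {
      if (start === -1) start = i;
      last = i;
      symbols++;
    } else if (!/\s/.test(ch)) {
      flush(); // any other visible character ends the run
    }
  }
  flush();
  return runs;
}

// Scan each inline script in an HTML document. The regex is a triage-grade
// approximation of HTML parsing, not a full parser.
function scanPage(html, minRun = 200) {
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const findings = [];
  let m, scriptIndex = 0;
  for (; (m = scriptRe.exec(html)) !== null; scriptIndex++) {
    const runs = findJsfRuns(m[1], minRun);
    if (runs.length === 0) continue;
    const covered = runs.reduce((n, r) => n + r.symbols, 0);
    const visible = m[1].replace(/\s/g, '').length;
    findings.push({ scriptIndex, runs: runs.length, ratio: covered / visible });
  }
  return findings;
}

// Constructed, harmless sample: the run evaluates to "truetrue...".
const SAMPLE_RUN = Array(60).fill('(!![]+[])').join('+');
const SAMPLE_PAGE = `<html><script>var a = [1, 2].map((x) => x + 1);</script>
<script>var p = ${SAMPLE_RUN};</script></html>`;
console.log(JSON.stringify(scanPage(SAMPLE_PAGE)));
```

A hit is a triage signal rather than a verdict: review the flagged script and how it got onto the page before treating the site as compromised.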

    Indicators of Compromise (IOC) List

    Hash:


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Hash:

    sha256hash IN ("7d840b55806e1b6e733d416cffa472978f8ff574b3d87131a40d99447189ed52","2053fc3b075a4661ffead5a5aebcf32a4e6fcff3c67519da7e7b0ca887e27c67","34c427d2e8b83877cae2a6b7c9afddf2c58efef203e44f01aaca115d99cb9e37","3378883ded7d58334d375584e3b1e8a78f6db1e4f024bb2b8fd7b2b44a5233d2","9e42e7df0921b694be99c50db3bbd25ed6cf8a21ba3a4f2c0c56623e8e0db570","17e9650f044dda1c48854e460a3cd9fe092ddc11c2e8631fed9ec293b1df2a6a","03ba72c2b7b0e2a9c459b95646b4301840ae66b87de47d1117a44e2d2d3e3584","4e96d39e316fe179dff7e23c7817f0333aac6f19733a93ec4a6d6ec0c5c3ce65","dc58b2cec0319310ec07546a8c9cf643f31d7eecdcf4937817d06a051b80c212","0f7903f7822c6a958d94db1b5fe83a5032eaf40ef3439c9d7bf8beec66971615","e924c0b5261d298fec104880cc1274abd9d8ceff123974ee44e57bbf7bdc9985","1fdc283f40e64818fc5dace2a7416d1d7bd1e494e28f759ac600958f55d25dfb","e48fab88fe3a144e2bd21d73e343391fd5cf642ed52827c7f663e33776437f60","dedeb23e38f775ed45196c506c1cc4e8b64ca88204209d63a075c98a47c20cb8","044cb5f61172adb60a8bca0a7addadb6bb69107a4916057338c6578aa846b057","9aa62bcc51798458e79f36b5812cd0ba2b62f4388d4f36f04708880601fb37ec","76578de2041f34b550a963f286827e75112ee608314611df9bc1fdb195b8838d","1476e45493ac53a8ee99fae8c3ac6b80ba724de0bba4c995f9d4c506c2f38165","4a90e10d497d35306bbe2db4f7d35beb0aac3468f46cef497a8438f89e63b8b7","21b1ff38713db80d78393b28e345de9dac97e3a69242de849555a0b6c9beee45","2c452a201153e0c6c9aa2f53496d9fb43accb1a6939fe1dad8b9941fdedd0002","6105f6bb9b3f11babc219aab72d5c0cfb61feb1c0d9da06835c66ce3b180f97a","6f545f17b2111f84aea5319e8425d1219c4202c2bf634013af2dec9f358a7625","ae99713386f4497131473d901f006548fde88e9f78cadfad720e5a1c7850586a","ed1d05c988981fd0ddbf4ef634849436c99ad09c3f891189652aa97a2f66f9c3")

    Reference: 

    https://unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-as-obfuscation/

