
Chinese Adult Content Scam Targets Mobile Users Through PWA Injection

Severity: Medium
Published: Thu May 22 2025 (05/22/2025, 13:09:10 UTC)
Source: AlienVault OTX General

Description

A new injection campaign has been identified that exploits third-party JavaScript to redirect mobile users to a Chinese adult-content Progressive Web App (PWA) scam. The attack specifically targets mobile devices, injecting a viewport meta tag and an ad overlay with click-hijacking functionality. The scam utilizes PWAs to increase user retention and bypass basic browser protections. The compromised websites are disguised as novel reading platforms, with the malicious code now being encrypted. The attack flow involves an initial loader script, which triggers the redirect on mobile devices while ignoring desktop visits. The payload script ensures mobile rendering, creates an overlay with deceptive elements, and opens the scam site in a new tab upon interaction.

AI-Powered Analysis

Last updated: 06/22/2025, 03:51:02 UTC

Technical Analysis

This security threat involves a targeted injection campaign that exploits third-party JavaScript on compromised websites to redirect mobile users to a Chinese adult-content scam delivered via Progressive Web Apps (PWAs). The attack specifically targets mobile devices by injecting a viewport meta tag and an ad overlay designed with click-hijacking capabilities. The malicious code is encrypted to evade detection and is embedded within websites masquerading as novel reading platforms, increasing the likelihood of user interaction. The attack flow begins with an initial loader script that activates only on mobile devices, ignoring desktop visits to avoid detection and maximize impact on mobile users. Once triggered, the payload script ensures the malicious content is rendered appropriately on mobile screens, creates a deceptive overlay with interactive elements, and upon user interaction, opens the scam PWA in a new browser tab. This approach leverages the PWA technology to increase user retention and bypass basic browser security protections, making it harder for users and automated defenses to block or detect the scam. The campaign uses techniques aligned with MITRE ATT&CK tactics such as user execution (T1204.001), phishing (T1606.002), and web service exploitation (T1608.004), combined with click-jacking (T1185) and UI redressing (T1189). Although no direct exploits or vulnerabilities in software versions are identified, the threat relies on compromising third-party JavaScript dependencies or supply chain elements to inject malicious code. The campaign is ongoing as of May 2025 and is notable for its focus on mobile platforms and use of encrypted payloads to evade detection.
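The domain indicators published with this pulse (below under Indicators of Compromise) are the most direct detection hook for the redirect stage described above, since the scam site is opened in a new tab and therefore shows up as an outbound request in proxy or web-server logs. The following Python script is an added example, not code from the OTX pulse or from the cside write-up: it expands the advisory's range entry `akav01.top-akav60.top` into individual hostnames (assuming the range means akav01 through akav60 with two-digit numbering, which is an assumption), matches request hosts including subdomains, and reports every hit in a small set of constructed log lines.

```python
"""Match proxy/web-log request URLs against the advisory's domain IoCs.

Added example; not part of the OTX pulse. IoC entries are taken from the
advisory, and the log lines below are constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

# Domain IoCs as listed in the advisory (one entry is written as a range).
IOC_DOMAINS = ["xjdm166.com", "akav01.top-akav60.top", "www.akav50.top"]

# 'prefixNN.tld-prefixMM.tld'; the tld part deliberately excludes '-'.
RANGE_RE = re.compile(
    r"^([a-z]+)(\d+)\.([a-z0-9.]+)-([a-z]+)(\d+)\.([a-z0-9.]+)$", re.I
)


def expand_domain_iocs(entries):
    """Expand range entries; return a set of lowercase hostnames."""
    hosts = set()
    for entry in entries:
        entry = entry.strip().lower()
        m = RANGE_RE.match(entry)
        if m and m.group(1) == m.group(4) and m.group(3) == m.group(6):
            prefix, start, tld, _, end, _ = m.groups()
            width = len(start)  # keep zero padding ("01", not "1")
            for n in range(int(start), int(end) + 1):
                hosts.add(f"{prefix}{n:0{width}d}.{tld}")
        else:
            hosts.add(entry)
    return hosts


def host_matches(host, ioc_hosts):
    """True if host equals an IoC or is a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full name down to the registrable domain, never to the bare TLD.
    return any(".".join(labels[i:]) in ioc_hosts for i in range(len(labels) - 1))


def extract_host(url):
    """Hostname of a URL; scheme-less entries are treated as http."""
    return urlsplit(url if "://" in url else "http://" + url).hostname or ""


# Constructed log lines: timestamp, client, method, URL, referrer.
SAMPLE_LOG = """\
2025-05-22T10:01:03Z 10.0.0.15 GET https://www.example-novels.test/chapter/12 -
2025-05-22T10:01:04Z 10.0.0.15 GET https://www.akav50.top/list/1dpy76pv https://www.example-novels.test/chapter/12
2025-05-22T10:02:11Z 10.0.0.22 GET https://cdn.akav07.top/app.js https://www.example-novels.test/
2025-05-22T10:03:40Z 10.0.0.31 GET https://xjdm166.com/html/?p=1388 -
2025-05-22T10:04:02Z 10.0.0.31 GET https://notakav50.top/ -
"""


def scan_log(log_text, ioc_entries=IOC_DOMAINS):
    """Return (timestamp, client, url, referrer) for each request to an IoC host."""
    ioc_hosts = expand_domain_iocs(ioc_entries)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        referrer = fields[4] if len(fields) > 4 else "-"
        if host_matches(extract_host(url), ioc_hosts):
            hits.append((ts, client, url, referrer))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("IOC hit:", *hit)
```

The referrer column is worth keeping in the output: for a PWA-injection case it points at the compromised page that carried the loader, which is what the site owner needs to clean up, whereas the scam domain itself is only the destination. Note that `notakav50.top` is correctly not matched, because matching is done on domain labels rather than on substrings.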

Potential Impact

For European organizations, this threat primarily impacts mobile users accessing compromised websites, particularly those related to digital reading or content platforms. The scam can lead to user deception, potential financial fraud, privacy violations, and reputational damage if users associate the organization with malicious activity. The use of PWAs allows the scam to persist on user devices, potentially leading to repeated fraudulent interactions or data harvesting. While the direct impact on enterprise infrastructure is limited, organizations with mobile user bases or those hosting third-party JavaScript dependencies are at risk of indirect exposure. This can result in increased support costs, loss of user trust, and potential regulatory scrutiny under GDPR if personal data is mishandled or if the scam leads to unauthorized data collection. Additionally, the campaign's evasion techniques complicate detection and mitigation, increasing the risk of prolonged exposure. The threat also highlights supply chain risks, as compromised third-party scripts can affect multiple organizations simultaneously. Given the focus on mobile devices, sectors with high mobile engagement such as media, publishing, and e-commerce in Europe are particularly vulnerable.

Mitigation Recommendations

To mitigate this threat, European organizations should implement the following specific measures:

1) Conduct thorough audits of all third-party JavaScript dependencies and supply chain components to identify and remove or update any compromised scripts.
2) Employ Content Security Policy (CSP) headers with strict directives to restrict the loading of unauthorized scripts and prevent injection attacks.
3) Implement Subresource Integrity (SRI) checks on all third-party scripts to ensure their integrity and detect tampering.
4) Monitor mobile traffic patterns for unusual redirects or overlay behaviors indicative of click-hijacking or PWA injection.
5) Educate mobile users about the risks of interacting with unexpected overlays or redirects, emphasizing caution with novel reading platforms or unfamiliar PWAs.
6) Use mobile endpoint protection solutions capable of detecting malicious PWAs and overlay injections.
7) Collaborate with web hosting and CDN providers to ensure rapid response and remediation of compromised sites.
8) Regularly update and patch web application frameworks and libraries to reduce the attack surface.
9) Employ runtime application self-protection (RASP) technologies to detect and block injection attempts in real time.
10) Establish incident response procedures specifically addressing mobile-targeted web injection scams to minimize impact and recovery time.
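Measures 1 to 3 above (audit third-party scripts, enforce CSP, pin them with SRI) can be checked mechanically. The Python script below is an added example, not code from the advisory or from cside: it parses a page's external `<script>` tags, verifies each `integrity` attribute against the script body actually served, flags scripts that have no integrity attribute, that come from a host outside the reviewed allow-list, or that lack `crossorigin` (without which the browser cannot apply SRI to a cross-origin script), and emits a matching strict `script-src` policy. The page HTML, the script bodies and the vendor hostnames are all constructed for the demonstration; in a real audit the bodies would be fetched from the CDN and the expected digests computed from a reviewed copy.

```python
"""Audit <script> tags for Subresource Integrity and build a matching CSP.

Added example; not code from the advisory or from cside. The HTML, script
bodies and hostnames below are constructed for the demonstration.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


class ScriptCollector(HTMLParser):
    """Collect the attributes of every external <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append(a)


def audit_scripts(html: str, fetched: dict, allowed_hosts: set):
    """Return [(src, [problems])] for each external script on the page.

    fetched maps script URL -> body actually served (bytes). Problems reported:
    'untrusted-host', 'no-integrity', 'integrity-mismatch', 'missing-crossorigin'.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        src = s["src"]
        host = urlsplit(src).hostname or ""
        problems = []
        if host and host not in allowed_hosts:
            problems.append("untrusted-host")
        integrity = s.get("integrity")
        if not integrity:
            problems.append("no-integrity")
        elif src in fetched:
            algo = integrity.split("-", 1)[0]  # e.g. 'sha384'
            if sri_digest(fetched[src], algo) != integrity:
                problems.append("integrity-mismatch")
        # Cross-origin scripts need crossorigin for SRI to be enforceable.
        if host and "crossorigin" not in s:
            problems.append("missing-crossorigin")
        findings.append((src, problems))
    return findings


def build_csp(allowed_hosts: set) -> str:
    """Strict script-src: 'self' plus the reviewed third-party hosts, no inline scripts."""
    hosts = " ".join(sorted(f"https://{h}" for h in allowed_hosts))
    return (f"default-src 'self'; script-src 'self' {hosts}; "
            "object-src 'none'; base-uri 'self'")


# Constructed demo data: one pinned script whose served body was altered,
# one unpinned script, and one script from a host that was never reviewed.
GOOD_BODY = b"window.reader = {page: 1};\n"
TAMPERED_BODY = GOOD_BODY + b"/* bytes appended after the digest was pinned */\n"
ALLOWED = {"cdn.example-vendor.test"}
PAGE = f"""<html><head>
<meta charset="utf-8">
<script src="https://cdn.example-vendor.test/reader.js"
        integrity="{sri_digest(GOOD_BODY)}" crossorigin="anonymous"></script>
<script src="https://cdn.example-vendor.test/analytics.js"></script>
<script src="https://unknown-cdn.test/loader.js" integrity="{sri_digest(b'x')}"></script>
</head><body></body></html>"""
FETCHED = {
    "https://cdn.example-vendor.test/reader.js": TAMPERED_BODY,
    "https://cdn.example-vendor.test/analytics.js": b"console.log('hi');",
    "https://unknown-cdn.test/loader.js": b"x",
}

if __name__ == "__main__":
    for src, problems in audit_scripts(PAGE, FETCHED, ALLOWED):
        print(src, "->", ", ".join(problems) or "ok")
    print("Content-Security-Policy:", build_csp(ALLOWED))
```

The two controls complement each other: SRI catches a script whose contents changed after it was pinned (the `integrity-mismatch` case, which is how a compromised third-party dependency surfaces), while the CSP refuses scripts from any host that was never reviewed, so an injected loader pointing at an unlisted origin is blocked by the browser before SRI is even consulted. A script tag with neither attribute, like the analytics entry here, is the one an audit should treat as the immediate gap.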


Technical Details

Author: AlienVault
TLP: white
References: https://cside.dev/blog/chinese-adult-content-scam-targets-mobile-users-through-pwa-injection
Adversary: (none listed)
Pulse Id: 682f21f6cc65ef99f4b1d343

Indicators of Compromise

Url

Value
https://www.akav50.top/list/1dpy76pv
https://www.akav50.top/list/32xdq1pd
https://www.akav50.top/list/92qlr9pn
https://www.akav50.top/list/l50dx72e
https://www.akav50.top/list/mqp10w2x
https://www.akav50.top/list/oq5dd058
https://www.akav50.top/list/q5o9gx5w
https://www.akav50.top/list/r42r7opq
https://www.akav50.top/list/yn2k0ypd
https://www.akav50.top/list/z32x7npd
https://xjdm166.com/html/#/i/home
https://xjdm166.com/html/?p=1388
https://xxsmad6.com
https://xxsmad6.com/s.php?g=1&t=2&p=1388&i=
https://xxsmad6.com/static/union/images/b-5.png
https://xxsmad6.com/static/union/images/close.png

Domain

Value
xjdm166.com
akav01.top-akav60.top (range)
www.akav50.top

Threat ID: 682f3a100acd01a2492611e3

Added to database: 5/22/2025, 2:52:00 PM

Last enriched: 6/22/2025, 3:51:02 AM

Last updated: 8/4/2025, 3:13:32 PM
