Focus Mode
Threat Research

Government and university websites targeted in ScriptAPI[.]dev client-side attack – c/side

admin
Government and university websites targeted in ScriptAPI[.]dev client-side attack – c/side
A recent client-side JavaScript attack has been discovered, affecting over 500 websites, including government and university domains. The attack involves the injection of scripts that create hidden links to external sites, primarily for black hat SEO purposes. The malicious scripts are hosted on scriptapi[.]dev. Affected: government websites, university websites

Keypoints :

  • Over 500 websites targeted, including government and university domains.
  • Attack involves client-side JavaScript injection creating hidden links in the DOM.
  • Malicious scripts are hosted at scriptapi[.]dev.
  • Links are styled to be invisible to users using CSS properties.
  • Attack highlights risks associated with third-party scripts in web development.
  • Recommended mitigations include updating plugins and implementing Content Security Policies.

MITRE Techniques :

  • T1060 – Resource Hijacking: The attack injects scripts that manipulate the DOM to create hidden links.
  • T1071 – Application Layer Protocol: Utilizes external domains for malicious purposes via injected links.

Indicator of Compromise :

  • [domain] scriptapi[.]dev
  • [url] scriptapi[.]dev/api/smacr[.]js
  • [url] scriptapi[.]dev/api/en[.]tlu[.]js
  • [url] scriptapi[.]dev/api/sie[.]tlu[.]js
  • [url] scriptapi[.]dev/api/ppymca[.]js
  • Check the article for all found IoCs.

Full Research: https://cside.dev/blog/government-and-university-websites-targeted-in-scriptapi-dev-client-side-attack

Tags: MONITOR, BROWSER, GOVERNMENT, BACKDOOR, PROXY