ClickCease JavaScript Malware: 50,000+ Bank Users at Risk Worldwide

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

JavaScript Malware: 50,000+ Bank Users at Risk Worldwide

Wajahat Raja

January 5, 2024 - TuxCare expert team

In a disconcerting revelation, a newly identified strain of JavaScript malware has set its sights on compromising online banking accounts, orchestrating a widespread campaign impacting over 40 financial institutions globally. This insidious activity, leveraging JavaScript web injections, has resulted in an estimated 50,000 infected user sessions across North America, South America, Europe, and Japan.

Detecting the JavaScript Malware

IBM Security Trusteer, a leading cybersecurity entity, detected this malicious campaign in March 2023. According to security researcher Tal Langus, the primary goal of the threat actors is to compromise popular banking applications. Once the
JavaScript malware infiltrates an online banking security system, it aims to intercept users’ credentials, subsequently gaining unauthorized access to and potentially exploiting their banking information.

Stealthy Attack Chains

The attack mechanism involves scripts loaded from a threat actor-controlled server, specifically identified as “jscdnpack[.]com” These scripts target a common page structure utilized by various banks, suggesting a meticulous approach. The delivery of the malware to potential victims may occur through phishing emails or malvertising, posing multifaceted
cybersecurity threats.

Dynamic Script Behavior

The malware employs obfuscated scripts to conceal its true purpose. When a victim visits a bank website, the login page undergoes alterations with malicious JavaScript. This script is adept at harvesting credentials and one-time passwords (OTPs) without raising suspicion. Importantly, the malware’s behavior is dynamic, continuously querying both the command-and-control (C2) server and the current page structure, adjusting its course based on acquired information.

Global Banking Cyber Threats

The server’s response dictates the malware’s subsequent actions, allowing it to erase traces of injections and introduce deceptive user interface elements. These elements may include prompts to accept OTPs, aiding threat actors in bypassing security measures. Additionally, the
banking malware may display error messages indicating temporary unavailability of online banking services for 12 hours, dissuading victims from logging in and providing a window for unauthorized account access.

Possible Origins and Advanced Capabilities

Although the exact origins of the malware remain unknown, indicators of compromise (IoCs) suggest a potential connection to the DanaBot family, a known stealer and loader. DanaBot has been previously associated with malicious ads on Google Search and has served as an initial access vector for ransomware attacks. The sophistication of this threat lies in its advanced capabilities, particularly in executing man-in-the-browser attacks through dynamic communication and adaptable web injection methods.

Financial Data Breach

malicious code attacks campaign unfolds against a backdrop of escalating financial frauds. Sophos recently exposed a scheme involving a fake liquidity mining service, netting threat actors nearly $2.9 million in cryptocurrency from 90 victims. The scheme, orchestrated by three separate threat activity groups, points to a broader network potentially affiliated with a single organized crime ring, possibly based in China.


According to Europol’s Internet Organized Crime Threat Assessment (IOCTA), investment fraud and business email compromise (BEC) fraud persist as the most prolific online fraud schemes. The agency highlights the concerning trend of combining investment fraud with other scams, such as romance scams, where criminals build trust with victims before convincing them to invest in fraudulent cryptocurrency platforms. Therefore, implementing strong cybersecurity measures for online transactions is crucial to safeguard sensitive information and protect against potential cyber threats.

Diversified Cyber Threats

Beyond financial institutions,
cyber threats continue to diversify. Group-IB, a cybersecurity company, reports the identification of 1,539 phishing websites impersonating postal operators and delivery companies since November 2023. This extensive campaign spans 53 countries, with Germany, Poland, Spain, the U.K., Turkey, and Singapore being the primary targets.

Evasive Tactics and Global Impact

cybercrime trends involve sending SMS messages mimicking reputable postal services, prompting users to visit counterfeit websites and divulge personal and payment details under the guise of urgent or failed deliveries. Notably, the operation employs various evasion methods, restricting access based on geographic locations and specific devices and operating systems. The scammers also minimize the lifespan of the phishing websites, enhancing their chances of remaining undetected.


As the landscape of
internet security risks evolves, placing emphasis on the implementation of proactive cybersecurity measures is paramount for organizations worldwide. In the face of sophisticated JavaScript malware campaigns and diversified cyber threats, malware prevention strategies and automated patching act as crucial components of safeguarding systems and ensuring business continuity. 


Stay compliant and minimize downtime now!

The sources for this piece include articles in The Hacker News and Bleeping Computer.

JavaScript Malware: 50,000+ Bank Users at Risk Worldwide
Article Name
JavaScript Malware: 50,000+ Bank Users at Risk Worldwide
Discover the latest threat - JavaScript malware targeting 50,000+ global bank users. Stay informed and safeguard your accounts.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter