Phishing attack hides JavaScript using invisible Unicode trick
A new JavaScript obfuscation method utilizing invisible Unicode characters to represent binary values is being actively abused in phishing attacks targeting affiliates of an American political action committee (PAC).
Juniper Threat Labs, which spotted the attack, reports that it took place in early January 2025 and carries signs of sophistication such as the use of:
- Personalized non-public information to target victims,
- Debugger breakpoint and timing checks to evade detection,
- Recursively wrapped Postmark tracking links to obscure final phishing destinations.
JavaScript developer Martin Kleppe first disclosed the obfuscation technique in October 2024, and its quick adoption in actual attacks highlights how quickly new research becomes weaponized.
Making JS payloads "invisible"
The new obfuscation technique exploits invisible Unicode characters, specifically the Hangul half-width (U+FFA0) and Hangul full-width (U+3164) filler characters.
Each ASCII character in the JavaScript payload is converted into an 8-bit binary representation, and the binary values (ones and zeros) in it are replaced with invisible Hangul characters.
The obfuscated code is stored as a property in a JavaScript object, and since Hangul filler characters are rendered as blank space, the payload in the script looks empty, as shown by the blank space at the end of the image below.

A short bootstrap script retrieves the hidden payload using a JavaScript Proxy 'get() trap.' When the hidden property is accessed, the Proxy converts the invisible Hangul filler characters back into binary and reconstructs the original JavaScript code.
Juniper analysts report that the attackers use extra concealment steps in addition to the above, like encoding the script with base64 and using anti-debugging checks to evade analysis.

"The attacks were highly personalized, including non-public information, and the initial JavaScript would try to invoke a debugger breakpoint if it were being analyzed, detect a delay, and then abort the attack by redirecting to a benign website," explains Juniper.
The attacks are tough to detect as empty whitespace reduces the likelihood that even security scanners will flag it as malicious.
Since the payload is just a property in an object, it could be injected into legitimate scripts without raising suspicion; plus, the whole encoding process is easy to implement and doesn't require advanced knowledge.
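For defenders, one way to surface this encoding in script source is to look for long runs of the two filler characters and decode them as 8-bit groups. The following is an added example, not code from Juniper or from the original article; the function names, the run-length threshold and the sample input are assumptions, and because the article does not say which filler stands for binary 1, both mappings are tried.

```javascript
const HALF = '\uFFA0'; // HALFWIDTH HANGUL FILLER
const FULL = '\u3164'; // HANGUL FILLER
// Runs of 16+ fillers (two encoded bytes); this threshold is an assumption.
const RUN = /[\uFFA0\u3164]{16,}/g;

// Decode a run as 8-bit groups; `one` is the character treated as binary 1.
function decodeRun(run, one) {
  let out = '';
  for (let i = 0; i + 8 <= run.length; i += 8) {
    let byte = 0;
    for (const ch of run.slice(i, i + 8)) byte = (byte << 1) | (ch === one ? 1 : 0);
    out += String.fromCharCode(byte);
  }
  return out;
}

// Share of characters that are printable ASCII or common whitespace.
function printableRatio(s) {
  if (!s.length) return 0;
  let n = 0;
  for (const ch of s) if (/[\x20-\x7e\t\r\n]/.test(ch)) n++;
  return n / s.length;
}

// Scan source text for filler runs; keep the decoding that looks most like ASCII.
function findHiddenPayloads(source) {
  const findings = [];
  for (const m of source.matchAll(RUN)) {
    const candidates = [HALF, FULL].map((one) => decodeRun(m[0], one));
    candidates.sort((a, b) => printableRatio(b) - printableRatio(a));
    findings.push({
      offset: m.index, length: m[0].length, aligned: m[0].length % 8 === 0,
      decoded: candidates[0],
    });
  }
  return findings;
}

// Constructed sample input: a harmless statement encoded as the article describes.
function makeSample(text, zero = HALF, one = FULL) {
  const bits = [...text].map((c) => c.charCodeAt(0).toString(2).padStart(8, '0')).join('');
  return 'const o = {"' + [...bits].map((b) => (b === '1' ? one : zero)).join('') + '": 1};';
}

console.log(findHiddenPayloads(makeSample('console.log("hi")')));
```

A run whose length is not a multiple of 8 is still reported with `aligned: false`, which is worth a manual look since it may be padded or use a different grouping.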
Juniper says two of the domains used in this campaign were previously linked to the Tycoon 2FA phishing kit.
If so, we will likely see this invisible obfuscation method adopted by a broader range of attackers in the future.