A novel JavaScript obfuscation technique that hides code in invisible Unicode characters is being used in phishing campaigns targeting affiliates of a U.S. political action committee (PAC). The method, identified by Juniper Threat Labs, was first observed in early January 2025 and is paired with personalized targeting and evasion techniques.

Advanced Obfuscation Techniques

The obfuscation method involves using invisible Unicode characters to encode binary values within JavaScript payloads. Specifically, Hangul half-width (U+FFA0) and Hangul full-width (U+3164) characters are employed to represent binary data, making the malicious code appear as empty space.

Mechanism of Obfuscation

Each ASCII character in the JavaScript is transformed into an 8-bit binary format. The binary digits are then substituted with invisible Hangul characters. This obfuscated code is stored as a property in a JavaScript object, rendering it visually blank.

  • Payload Retrieval: A bootstrap script uses a JavaScript Proxy get() trap to access the hidden payload, converting the invisible characters back to binary to reconstruct the original code.
  • Additional Concealment: Attackers further obscure the script with base64 encoding and anti-debugging measures to avoid detection.

Challenges in Detection

The use of invisible whitespace makes these attacks difficult to identify, as even security scanners may not flag them as malicious. The payload, being a property within an object, can be seamlessly integrated into legitimate scripts without raising alarms.
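The following is an added example, not code from the Juniper report or from the campaign: it implements the decoding step described under Mechanism of Obfuscation as an analyst-side scanner, locating runs of the two Hangul filler characters in source text and recovering the hidden ASCII. Which filler stands for 0 is not stated on the page, so both polarities are tried and the one that yields printable text is kept; the sample script is constructed here for illustration.

```javascript
// Added example: scan JavaScript source for payloads hidden in Hangul fillers
// and decode them. The 0/1 polarity is an assumption, so both are tried.
const HALF = '\uFFA0'; // HALFWIDTH HANGUL FILLER
const FULL = '\u3164'; // HANGUL FILLER

// Decode one filler run with the given "zero" character; 8-bit aligned only.
function decodeRun(run, zeroChar) {
  if (run.length === 0 || run.length % 8 !== 0) return null;
  let out = '';
  for (let i = 0; i < run.length; i += 8) {
    let byte = 0;
    for (let j = 0; j < 8; j++) {
      byte = (byte << 1) | (run[i + j] === zeroChar ? 0 : 1);
    }
    out += String.fromCharCode(byte);
  }
  return out;
}

// Heuristic: mostly printable ASCII (plus tab/CR/LF) means the polarity fits.
function looksLikeText(s) {
  if (!s || s.length === 0) return false;
  let ok = 0;
  for (const ch of s) {
    const c = ch.charCodeAt(0);
    if ((c >= 0x20 && c < 0x7f) || c === 0x09 || c === 0x0a || c === 0x0d) ok++;
  }
  return ok / s.length > 0.95;
}

// Find every run of 8+ fillers, report its position and the decoded text
// (null when neither polarity decodes to something readable).
function findHiddenPayloads(source) {
  const re = /[\uFFA0\u3164]{8,}/g;
  const hits = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const a = decodeRun(m[0], HALF);
    const b = decodeRun(m[0], FULL);
    const decoded = looksLikeText(a) ? a : (looksLikeText(b) ? b : null);
    hits.push({ offset: m.index, length: m[0].length, decoded });
  }
  return hits;
}

// Constructed sample only: a benign string encoded as the article describes
// (HALFWIDTH filler = 0, HANGUL FILLER = 1) and stored as an object property.
function encodeForSample(text) {
  return [...text].map(ch => ch.charCodeAt(0).toString(2).padStart(8, '0')
    .replace(/0/g, HALF).replace(/1/g, FULL)).join('');
}
const SAMPLE = 'const cfg = { name: "' + encodeForSample('console.log("hidden")') + '" };';

console.log(findHiddenPayloads(SAMPLE));
```

The property value in SAMPLE renders as blank space in an editor, which is exactly why a scan for runs of U+FFA0/U+3164 is a useful static check alongside signature-based tools.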

Potential for Wider Adoption

Juniper Threat Labs notes that domains associated with this campaign have ties to the Tycoon 2FA phishing kit. This suggests the possibility of broader adoption of this obfuscation method by other threat actors in the future.
