Phishing attack hides JavaScript using invisible Unicode trick

A new JavaScript obfuscation method utilizing invisible Unicode characters to represent binary values is being actively abused in phishing attacks targeting affiliates of an American political action committee (PAC). Juniper Threat Labs that spotted the attack reports that it took place in early January 2025 and carries signs of sophistication such as the use of: Personalized non-public information to target victims, Debugger breakpoint and timing checks to evade detection, Recursively wrapped Postmark tracking links to obscure final phishing destinations. JavaScript developer Martin Kleppe first disclosed the obfuscation technique in October 2024, and its quick adoption in actual attacks highlights how quickly new research becomes weaponized. Making JS payloads "invisible" The new obfuscation technique exploits invisible Unicode characters, specifically Hangul half-width (U+FFA0) and Hangul full-width (U+3164). Each ASCII character in the JavaScript payload is converted into a ... Read full article.