In January 2025, researchers from Juniper Threat Labs revealed a new technique used in phishing attacks. Attackers are utilizing invisible Unicode symbols to hide malicious code, making it nearly undetectable to both analysts and automated security systems.
This method encodes the bits of each ASCII character as one of two invisible Hangul filler characters (U+FFA0 and U+3164), allowing the malicious code to be inserted into legitimate scripts without raising suspicion. The hidden code is stored as a property of a JavaScript object and is decoded through a JavaScript Proxy, which restores the original code when the property is accessed.
Researchers observed that these attacks were highly targeted, utilizing private information about the victims and employing anti-analysis techniques such as measuring code execution delays and automatically shutting down when a debugger is detected. Additionally, recursive wrapping of links through Postmark was used to conceal the final phishing URL.
This obfuscation method was initially disclosed by JavaScript developer Martin Kleppe in October 2024. Within a short span of less than three months, cybercriminals have begun actively using this technique, demonstrating how quickly new methods are adapted for real-world attacks.
Juniper Threat Labs has linked these attacks to the Tycoon 2FA phishing tool, previously used to compromise accounts protected by two-factor authentication. This suggests a high likelihood of the new method being adopted by a broader range of attackers.
The use of invisible Unicode symbols in this obfuscation technique poses a challenge for threat detection, as many code analyzers do not treat these symbols as part of the code. Given the ease of implementing this method and its effectiveness in evading detection mechanisms, it is anticipated that this technique will become more widespread among cybercriminals.
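As an added illustration (not code from the Juniper report or from Kleppe's original work), the Python below shows the decoding side a defender needs for the encoding described above and the analyzer gap just mentioned: it scans JavaScript source for runs of the two Hangul filler characters, interprets each filler as one bit, and recovers the hidden text so it can be reviewed. Which filler stands for 0 and which for 1 is not stated above, so the decoder tries both assignments and keeps the one that yields printable ASCII. The sample script, the benign hidden string and all function names are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# The two invisible Hangul fillers named in the report. Their bit roles are an
# assumption of this example; recover_hidden_text() tries both assignments.
HALF_WIDTH_FILLER = "\uFFA0"  # HALFWIDTH HANGUL FILLER
HANGUL_FILLER = "\u3164"      # HANGUL FILLER

# A run of 8 or more fillers is at least one encoded byte; shorter runs are
# ignored so stray single characters in legitimate Korean text do not fire.
FILLER_RUN = re.compile(f"[{HALF_WIDTH_FILLER}{HANGUL_FILLER}]{{8,}}")


def find_filler_runs(source: str) -> List[Tuple[int, int]]:
    """Return (start, end) offsets of every suspicious filler run in the source."""
    return [(m.start(), m.end()) for m in FILLER_RUN.finditer(source)]


def decode_run(run: str, zero: str = HALF_WIDTH_FILLER) -> str:
    """Treat `zero` as bit 0 and the other filler as bit 1; 8 bits form one byte."""
    bits = "".join("0" if ch == zero else "1" for ch in run)
    bits = bits[: len(bits) - len(bits) % 8]  # drop a trailing partial byte
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


def looks_like_text(candidate: str) -> bool:
    """True when every decoded byte is printable ASCII (or tab/newline)."""
    return bool(candidate) and all(
        32 <= ord(ch) < 127 or ch in "\t\n" for ch in candidate
    )


def recover_hidden_text(run: str) -> str:
    """Decode under both bit assignments and return the one that reads as text.

    Complementing printable ASCII (0x20-0x7E) always lands in 0x81-0xDF, so at
    most one assignment can pass the printable check; if neither does, the
    first decoding is returned for manual inspection.
    """
    candidates = [decode_run(run, HALF_WIDTH_FILLER), decode_run(run, HANGUL_FILLER)]
    for candidate in candidates:
        if looks_like_text(candidate):
            return candidate
    return candidates[0]


def scan_script(source: str) -> List[Dict[str, object]]:
    """Report each filler run with its offset, length and recovered content."""
    findings = []
    for start, end in find_filler_runs(source):
        run = source[start:end]
        findings.append(
            {"offset": start, "length": end - start, "decoded": recover_hidden_text(run)}
        )
    return findings


def _encode_for_fixture(text: str, zero: str = HALF_WIDTH_FILLER) -> str:
    """Build the constructed test fixture: each bit of each character as a filler."""
    one = HANGUL_FILLER if zero == HALF_WIDTH_FILLER else HALF_WIDTH_FILLER
    return "".join(
        one if bit == "1" else zero for ch in text for bit in format(ord(ch), "08b")
    )


# Constructed sample: a benign stand-in for the hidden code, stored as an object
# property behind a Proxy, mirroring the layout the report describes.
HIDDEN_PAYLOAD = 'console.log("hidden")'
SAMPLE_SCRIPT = (
    'const cfg = { note: "' + _encode_for_fixture(HIDDEN_PAYLOAD) + '" };\n'
    "const p = new Proxy(cfg, { get: (target, key) => decode(target[key]) });\n"
    "eval(p.note);\n"
)

if __name__ == "__main__":
    for finding in scan_script(SAMPLE_SCRIPT):
        print(f"offset {finding['offset']}: {finding['length']} invisible chars")
        print("  decoded:", finding["decoded"])
```

The visible part of `SAMPLE_SCRIPT` contains nothing that a signature on the hidden string would match; only the filler-run scan surfaces it. In a pipeline, the decoded text can then be handed to the normal JavaScript analyzer, which is exactly the step the invisible encoding was designed to skip.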