Cybercriminals Use Invisible Unicode to Mask JavaScript in Phishing Attacks

A new JavaScript obfuscation technique leveraging invisible Unicode characters to represent binary values is actively being used in phishing attacks. This novel method, first disclosed in October 2024, has been quickly adopted by threat actors targeting affiliates of an American political action committee (PAC).
Discovery of the Attack
Juniper Threat Labs, which identified the campaign in early January 2025, described the attack as highly sophisticated. It included several advanced techniques such as:
- Personalized non-public information to target victims
- Debugger breakpoint and timing checks to evade detection
- Recursively wrapped Postmark tracking links to obscure final phishing destinations
The use of these tactics suggests a well-planned and deliberate cyber threat campaign aimed at compromising victims’ security without raising immediate suspicion.
Making JavaScript Payloads "Invisible"
The newly discovered obfuscation method exploits two invisible Unicode characters: the half-width Hangul filler (U+FFA0) and the full-width Hangul filler (U+3164).
Each ASCII character in the malicious JavaScript payload is converted into an 8-bit binary representation. Then, the binary values (ones and zeros) are replaced with these invisible Hangul characters. Because these characters render as blank spaces, the final script appears empty to the naked eye.
The obfuscated JavaScript payload is stored as a property within a JavaScript object, making the script look like it contains no data. A short bootstrap script is then used to retrieve the hidden payload. This script utilizes a JavaScript Proxy 'get() trap' to detect when the hidden property is accessed. The Proxy then converts the invisible Hangul characters back into binary and reconstructs the original JavaScript code.
Evasion Techniques
Juniper analysts report that the attackers deployed additional techniques to obscure their malicious activity:
- Encoding the script with base64 to add another layer of concealment
- Using debugger breakpoint detection to prevent security researchers from analyzing the attack
- Implementing timing checks to detect delays, allowing the malware to abort execution if it senses it is running in a controlled environment
The use of whitespace to conceal malicious code presents a significant challenge for security scanners. Since the payload is simply stored as an object property, it can be injected into legitimate scripts without drawing attention. This makes detection difficult even for advanced security tools.
Base64 Encoding for Additional Concealment
To further evade detection, the attackers encode sequences of Hangul filler characters in base64. This additional layer of encoding helps mask the true nature of the script and makes it even harder for security analysts to interpret.
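For defenders, the encoding described under "Making JavaScript Payloads Invisible" is straightforward to flag and reverse once a scanner looks for it. The following is an added example, not code from Juniper's report or from this article; the function names, the 16-character threshold, the bit order and the sample string are assumptions made for illustration.

```javascript
// Added example (defensive): flag and decode runs of invisible Hangul fillers.
const HALF = "\uFFA0"; // HALFWIDTH HANGUL FILLER
const FULL = "\u3164"; // HANGUL FILLER
// Assumed threshold: 16 fillers in a row = two encoded bytes.
const FILLER_RUN = /[\uFFA0\u3164]{16,}/g;

// Decode a run, 8 fillers per byte, most significant bit first (assumed order).
function decodeRun(run, oneChar) {
  const usable = run.length - (run.length % 8); // drop a trailing partial byte
  let out = "";
  for (let i = 0; i < usable; i += 8) {
    let byte = 0;
    for (const ch of run.slice(i, i + 8)) byte = (byte << 1) | (ch === oneChar ? 1 : 0);
    out += String.fromCharCode(byte);
  }
  return out;
}

// Fraction of decoded characters that are printable ASCII or whitespace.
function printableRatio(text) {
  const hits = text.match(/[\x20-\x7E\t\r\n]/g);
  return text.length ? (hits ? hits.length : 0) / text.length : 0;
}

// Return one finding per filler run found in the script text.
function scanForHiddenPayload(source) {
  const findings = [];
  for (const m of source.matchAll(FILLER_RUN)) {
    // The article does not say which filler stands for 1, so try both and
    // keep the mapping whose output looks like ASCII source code.
    const [best] = [HALF, FULL]
      .map((one) => ({ text: decodeRun(m[0], one) }))
      .map((c) => ({ ...c, score: printableRatio(c.text) }))
      .sort((a, b) => b.score - a.score);
    findings.push({ offset: m.index, length: m[0].length,
                    decoded: best.text, printable: best.score });
  }
  return findings;
}

// Constructed sample: the two bytes "OK" (01001111 01001011) hidden in a
// property value, with FULL as 0 and HALF as 1 (mapping chosen for this sample).
const BYTE_O = FULL + HALF + FULL + FULL + HALF + HALF + HALF + HALF;
const BYTE_K = FULL + HALF + FULL + FULL + HALF + FULL + HALF + HALF;
const SAMPLE = "var o = {v:'" + BYTE_O + BYTE_K + "'};";

console.log(scanForHiddenPayload(SAMPLE));
```

Content that arrives base64-encoded has to be decoded before scanning, because the filler characters do not appear in the encoded text.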
Connection to Tycoon 2FA Phishing Kit
Juniper Threat Labs also identified links between this campaign and the Tycoon 2FA phishing kit. Two of the domains used in the current attack were previously associated with Tycoon 2FA, suggesting that this group may be experimenting with new obfuscation techniques to enhance their phishing campaigns.
Given the effectiveness of this invisible Unicode trick, it is likely that a broader range of cybercriminals will soon adopt it for more phishing attacks. The ability to hide malicious payloads in what appears to be empty whitespace significantly increases the difficulty of detection, making it a potent tool for cyber attackers.
Broader Implications and Future Risks
The rapid adoption of this obfuscation method demonstrates how quickly cybercriminals can weaponize new research findings. Security experts warn that this technique could be integrated into various attack vectors beyond phishing, including malware distribution and supply chain attacks.
Organizations and cybersecurity professionals must stay vigilant, updating their detection methods to counter this emerging threat. Implementing stricter JavaScript analysis policies, improving behavior-based detection, and leveraging AI-driven security solutions may be necessary to combat increasingly sophisticated obfuscation techniques.
Conclusion
The use of invisible Unicode characters for JavaScript obfuscation marks a dangerous evolution in phishing tactics. By leveraging Hangul filler characters, attackers can effectively disguise malicious code within seemingly blank scripts, making detection significantly harder.
As cybercriminals continue to refine their methods, organizations must proactively enhance their security measures. With ongoing developments in threat intelligence and defensive techniques, the fight against phishing attacks remains an ever-evolving challenge in cybersecurity.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.


