
Hackers Circumvent AntiVirus Using Google OAuth in New Malware Surge


A new campaign of browser-based malware has emerged, showing how attackers are now circumventing conventional antivirus protections by abusing trusted domains such as Google.com.

This technique, according to a report by security researchers at c/side, is subtle, conditionally triggered, and hard for both users and traditional security software to detect. The script appears to originate from a legitimate OAuth-related URL, but it actually runs a malicious payload with full access to the user's browser session.

Malware hides in plain sight 

The attack starts with a script injected into a compromised Magento-based ecommerce site that points to a seemingly harmless Google OAuth logout URL: https://accounts.google.com/o/oauth2/revoke.

However, a manipulated callback parameter in this URL uses eval(atob(...)) to decode and execute an obfuscated JavaScript payload. The use of Google's domain is essential to the scheme: because the script loads from a trusted source, most content security policies (CSPs) and DNS filters do not question its legitimacy.

The script only activates under certain conditions: if the browser appears to be automated, or if the URL contains the word "checkout", it silently opens a WebSocket connection to a malicious server. This lets the attacker tailor destructive behaviour to specific user actions.

Any payload sent over this channel is base64-encoded, decoded, and executed dynamically with JavaScript's Function constructor, so the attacker can run code in the victim's browser remotely and in real time. One of the most important factors in this attack's effectiveness is its ability to evade many of the best antivirus solutions currently available.
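The pattern described above (a revoke URL whose callback parameter carries eval(atob(...)), with a decoded payload that opens a WebSocket and uses the Function constructor) is something a defender can look for in page source or proxy logs. The scanner below is an added example written for this post, not code from the c/side report; the sample HTML and the base64 stand-in payload are constructed, and the indicator strings it checks (WebSocket, checkout, Function) come from the behaviour described in the article.

```javascript
// Added scanner (not code from the c/side report): flags <script src> URLs that point at the
// Google OAuth revoke endpoint with a callback parameter containing eval/atob/Function.
const REVOKE_HOST = "accounts.google.com";
const REVOKE_PATH = "/o/oauth2/revoke";
const DANGEROUS_CALLBACK = /\b(eval|Function)\s*\(|\batob\s*\(/;

// Pull src attributes out of raw HTML; a regex is enough for a log/page scanner, not a full parser.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1] ?? m[2]);
  return srcs;
}

// Decode the base64 argument of atob("...") purely for inspection; it is never executed.
function decodeAtobArg(callback) {
  const m = /atob\s*\(\s*["']([A-Za-z0-9+\/=]+)["']\s*\)/.exec(callback);
  if (!m) return null;
  return Buffer.from(m[1], "base64").toString("utf8");
}

// Classify one script URL: ok, review (revoke URL with an unexpected callback) or malicious.
function assessScriptUrl(src) {
  let url;
  try { url = new URL(src); } catch { return { src, verdict: "unparseable", indicators: [] }; }
  const callback = url.searchParams.get("callback");
  const onRevoke = url.hostname === REVOKE_HOST && url.pathname === REVOKE_PATH;
  if (!onRevoke || callback === null) return { src, verdict: "ok", indicators: [] };
  if (!DANGEROUS_CALLBACK.test(callback)) return { src, verdict: "review", indicators: [] };
  const decoded = decodeAtobArg(callback) ?? "";
  const indicators = [];
  if (/WebSocket/.test(decoded)) indicators.push("websocket");
  if (/checkout/i.test(decoded)) indicators.push("checkout-trigger");
  if (/\bFunction\s*\(/.test(decoded)) indicators.push("dynamic-function");
  return { src, verdict: "malicious", indicators };
}
function scanHtml(html) { return extractScriptSrcs(html).map(assessScriptUrl); }

// Constructed sample page. The base64 is an inert stand-in that only carries the indicator strings.
const STAND_IN = Buffer.from('var markers=["checkout","WebSocket","Function("];').toString("base64");
const SAMPLE_CALLBACK = encodeURIComponent(`eval(atob('${STAND_IN}'))`);
const SAMPLE_HTML = `
<script src="https://cdn.example.com/app.js"></script>
<script src="https://accounts.google.com/o/oauth2/revoke?callback=onLogout"></script>
<script src="https://accounts.google.com/o/oauth2/revoke?callback=${SAMPLE_CALLBACK}"></script>
`;
const RESULTS = scanHtml(SAMPLE_HTML);
console.log(RESULTS);
```

The "review" verdict is deliberate: a revoke URL with an ordinary callback name is legitimate JSONP-style usage, so it is worth a look but not an alert on its own.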

Even the best Android antivirus apps and static malware scanners are unlikely to flag the script, because its logic is heavily obfuscated and only activates under specific conditions. They do not analyse, flag, or block JavaScript payloads delivered over what appear to be genuine OAuth flows.

Because the initial request goes to Google's official domain, DNS-based filters and firewall rules likewise offer only limited protection. Even the best endpoint protection systems in a corporate setting could struggle to spot this activity if they rely mainly on domain reputation or do not inspect how dynamic scripts execute in the browser.

While skilled users and security teams can use content-inspection proxies or behavioural analysis tools to detect anomalies like this, ordinary users remain exposed. Limiting third-party scripts, isolating browser sessions used for financial transactions, and watching for unusual site behaviour can all help reduce risk in the short term.