D-Shortiez Malvertising Campaign Hijacks WebKit Back-Button For Forced Redirects

In the ever-evolving world of malvertising, where bad actors continually refine their techniques, a new campaign targeting Apple Safari users has surfaced.

Known as D-Shortiez, this campaign exploits a back-button hijack technique in Safari to force redirections. This tactic effectively traps victims in malicious click chains that lead to scams.

The key component of this campaign lies in a JavaScript payload that manipulates the browser’s history.pushState method.

By using this function, the threat actor adds an empty entry to the browser’s history stack, which effectively neutralizes the back button. If the user navigates back, the onpopstate event triggers, redirecting the victim to a new malicious URL.

This technique is particularly effective because it prevents users from leaving the page by clicking the back button, a common action for individuals trying to avoid unwanted sites.

The attackers use this trick to keep users on malicious websites where they are typically presented with scams such as fake tech support offers or phishing forms.

Testing The Exploit Across Browsers

The exploit was tested across several major browsers. While most browsers responded as expected, Safari, in particular, reacted differently.

By using the back-button hijack technique, the attackers created an uninterrupted flow of redirections, increasing the likelihood of successful scam encounters. This forced redirect could mislead the user into interacting with malicious content they might otherwise have avoided.

For example, the following code snippet was used to test the exploit:

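const redirectUrl = 'http://google.com/search?q=';

// Run only if the top-level window exposes the History API.
if (window.top.history && window.top.history.pushState) {
    // Push an empty entry so the next back press stays on this page and fires popstate.
    window.top.history.pushState(null, null, '');
    // On back navigation, redirect the top-level window.
    window.top.onpopstate = function (event) {
        window.top.location.href = redirectUrl + 'back';
    };
    // Any click on the page also redirects (listener registered for the capture phase).
    const u1 = redirectUrl + 'click';
    window.top.document.body.addEventListener('click', function () { window.top.location.href = u1; }, true);
}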

When this code was executed on Safari, the result was clear: the back button was hijacked, trapping the victim in the redirect loop, and the attacker had full control over the navigation flow.
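
For teams that review ad creatives before serving them, the pattern described above can be flagged statically. The following JavaScript is an added example, not code from the original report or from Confiant; scanCreative(), the finding names and both sample inputs are constructed for illustration.

```javascript
// Added example: static heuristic for ad-creative JavaScript. scanCreative(),
// the finding names and both sample inputs are constructed for illustration.
const PUSH_STATE = /\bhistory\s*\.\s*pushState\s*\(/;
const POPSTATE = /\bonpopstate\s*=(?!=)|addEventListener\s*\(\s*['"]popstate['"]/;
const NAVIGATE = /\blocation\s*(?:\.\s*href)?\s*=(?!=)|\blocation\s*\.\s*(?:assign|replace)\s*\(/;
const TOP_REACH = /\b(?:top|parent)\s*\.\s*(?:history|location|onpopstate)\b/;

// Handler body: the brace-balanced block after `from` (braces in strings are not special-cased).
function handlerBody(src, from) {
  const open = src.indexOf('{', from);
  if (open < 0) return '';
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) return src.slice(open, i + 1);
  }
  return src.slice(open); // unbalanced input: scan the remainder
}

function scanCreative(src) {
  const findings = [];
  const pushes = PUSH_STATE.test(src);
  if (pushes) findings.push('push-state');
  const handler = POPSTATE.exec(src);
  let navOnBack = false;
  if (handler) {
    findings.push('popstate-handler');
    navOnBack = NAVIGATE.test(handlerBody(src, handler.index));
    if (navOnBack) findings.push('navigate-on-back');
  }
  if (TOP_REACH.test(src)) findings.push('reaches-top-window');
  // Flag only the full pattern: an entry is pushed AND the back press navigates.
  return { verdict: pushes && navOnBack ? 'back-button-hijack' : 'ok', findings };
}

// Constructed sample 1: the pattern shown in this article (URL is a placeholder).
const hijackSample = `
if (window.top.history && window.top.history.pushState) {
  window.top.history.pushState(null, null, '');
  window.top.onpopstate = function (event) {
    window.top.location.href = 'https://example.invalid/?q=back';
  };
}`;

// Constructed sample 2: a single-page-app router that re-renders on back.
const routerSample = `
history.pushState({ page: 2 }, '', '/page/2');
window.addEventListener('popstate', function (e) { render(e.state); });`;
console.log(scanCreative(hijackSample), scanCreative(routerSample));
```

The router sample uses the same two History API calls but is not flagged, because its popstate handler never assigns the location; a regex heuristic like this is a triage signal and will miss obfuscated or dynamically built code.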

The D-Shortiez campaign has been highly active, with over 300 million malicious ad impressions served, primarily targeting U.S. users but also trickling into Canada and parts of Europe. The attacks have been consistent since August 2025, with periods of intense activity.

Data analysis of the campaign’s reach shows a distinct preference for iOS users, indicating that D-Shortiez has focused efforts on Apple’s mobile operating system. The increased targeting of Safari users further underscores the campaign’s scale and growing impact on the user base.

Timeline and Resolution

The issue was reported to Apple in late September 2025. By January 2026, a security update was issued to address the Confiant back-button hijack vulnerability in Safari (Reference: Apple’s Safari security update).

| Metric | Details | Source |
|---|---|---|
| Impressions | 300M+ (6 months) | Confiant telemetry |
| Top Geo | US (primary), CA/EU (secondary) | Confiant trends |
| Platform | iOS/Safari (predominant) | Confiant analysis |
| Activity | Bursts since Aug 2025 | Confiant graphs |

The D-Shortiez malware campaign is a reminder of the evolving sophistication of web-based attacks. By targeting browser-specific vulnerabilities, this campaign demonstrates how minor weaknesses can be exploited for large-scale malicious gains.

Although Apple has addressed the issue with an update, it’s a timely reminder for users and organizations to stay vigilant against increasingly subtle and persistent malvertising techniques.

The post D-Shortiez Malvertising Campaign Hijacks WebKit Back-Button For Forced Redirects appeared first on Cyber Security News.
