Hackers Use Invisible Unicode Trick to Hide Phishing Attacks

 

Cybercriminals have discovered a new way to conceal malicious code inside phishing attacks by using invisible Unicode characters. This technique, identified by Juniper Threat Labs, has been actively used in attacks targeting affiliates of a U.S. political action committee (PAC). By making their scripts appear as blank space, hackers can evade detection from traditional security tools and increase the likelihood of successfully compromising victims. 

The attack, first observed in early January 2025, is more advanced than typical phishing campaigns. Hackers customized their messages using personal, non-public details about their targets, making the emails seem more legitimate. They also implemented various tricks to avoid detection, such as inserting debugger breakpoints and using timing checks to prevent cybersecurity professionals from analyzing the script. 

Additionally, they wrapped phishing links inside multiple layers of Postmark tracking links, making it harder to trace the final destination of the attack. The method itself isn’t entirely new. In October 2024, JavaScript developer Martin Kleppe introduced the idea as an experimental programming technique. However, cybercriminals quickly adapted it for phishing attacks. 

The trick works by converting each character in a JavaScript script into an 8-bit binary format. Instead of using visible numbers like ones and zeros, attackers replace them with invisible Hangul Unicode characters, such as U+FFA0 and U+3164. Since these characters don’t appear on-screen, the malicious code looks completely empty, making it difficult to detect with the naked eye or automated security scans. 

The hidden script is stored as a property inside a JavaScript object, appearing as blank space. A separate bootstrap script then retrieves the hidden payload using a JavaScript Proxy get() trap. When accessed, this proxy deciphers the invisible Unicode characters back into binary, reconstructing the original JavaScript code and allowing the attack to execute. To make detection even more difficult, hackers have layered additional evasion techniques. They use base64 encoding to further disguise the script and implement anti-debugging measures. If the script detects that it’s being analyzed—such as when someone tries to inspect it with a debugger—it will shut down immediately and redirect the user to a harmless website. 

This prevents cybersecurity researchers from easily studying the malware. This technique is particularly dangerous because it allows attackers to blend their malicious code into legitimate scripts without raising suspicion. The invisible payload can be injected into otherwise safe websites, and since it appears as empty space, many security tools may fail to detect it. 

Juniper Threat Labs linked two of the domains used in this campaign to the Tycoon 2FA phishing kit, a tool previously associated with large-scale phishing operations. This connection suggests that the technique could soon be adopted by other cybercriminals. As attackers continue to develop new evasion strategies, cybersecurity teams will need to create better detection methods to counter these hidden threats before they cause widespread damage.