D-Shortiez malvertising campaign traps Safari users with back-button hijack tactics
A persistent malvertising operation known as D-Shortiez has been using forced redirects and browser-manipulation tricks to push users into scam pages, with iPhone and Safari users among its most frequent targets. Confiant says it has tracked the group since 2022 and documented a 2023 campaign that abused WebKit behavior to hijack the browser back button. The group followed that with high-volume scam activity in 2025 that delivered more than 300 million malicious ad impressions aimed mostly at U.S. users.
The core problem is simple. A user lands on a page through a malicious ad, tries to go back, and the page pushes them forward again into the scam flow. Confiant says D-Shortiez combined forced redirects with fake prize pages and tech-support scam pages, creating a more aggressive trap than standard malvertising that only redirects once.
One important correction to the sample article: the Apple patch reference it gives does not line up with current Apple records. HT213600 refers to Safari 16.3 from January 2023, not a January 23, 2026 Safari security update. Apple’s current security release pages show Safari 26.3 released on February 11, 2026, and Apple’s public note for Safari 26.3 does not mention a back-button WebKit fix like the one described in the sample.

What D-Shortiez is doing
Confiant’s 2025 write-up describes D-Shortiez as a China-based threat actor that runs fake “you won” pages and tech-support scams through forced redirects. The company says the group stands out because it pairs scam landing pages with technical redirect tricks that keep users stuck in the flow longer than a normal ad scam would. Confiant also says the campaign primarily hit U.S. audiences, with spillover into Canada.
That broader description matches Confiant’s older reporting on browser-level malvertising abuse. In its 2023 D-Shortiez research, cited by Confiant’s later threat index, the company described a WebKit back-button hijack that targeted Safari behavior. The idea was not to exploit a full remote-code-execution bug, but to abuse session history and redirect behavior so victims could not easily return to the page they came from.
What is verified, and what is not

| Claim | Status | What the evidence supports |
|---|---|---|
| D-Shortiez is a real malvertising actor tracked by Confiant | Confirmed | Confiant says it has tracked the group since 2022. |
| The group used WebKit back-button hijack techniques | Confirmed by Confiant’s cited prior research | Confiant’s 2025 report references its February 2023 D-Shortiez WebKit back-button hijack research. |
| More than 300 million malicious ad impressions were served | Confirmed by Confiant | Confiant says D-Shortiez had served over 300 million malicious impressions by 2023 and continued high-volume scam operations in 2025. |
| iOS and Safari users were primary targets | Supported | Confiant’s earlier and later reporting ties the actor strongly to mobile Safari targeting and iPhone-heavy scam traffic. |
| Apple fixed this exact issue on January 23, 2026 via HT213600 | Not supported | Apple records show HT213600 is a 2023 Safari 16.3 bulletin, not a 2026 update. |

Why this technique works so well
Forced redirects already give scammers a strong starting point because the victim does not need to click a fake download button or submit credentials right away. The redirect throws them into a high-pressure page first. When attackers add session-history abuse on top, the victim may feel trapped or confused, which increases the chance they engage with the scam. Confiant says D-Shortiez used this model both for fake reward pages and for scare-style tech-support scams.
Safari and WebKit quirks have shown up in malvertising campaigns before. Confiant’s earlier WebKit research, later covered by Ars Technica, showed how attackers exploited browser behavior to break out of ad sandbox restrictions and redirect users without normal interaction. That older case involved a different vulnerability and different actor activity, but it shows why mobile Safari remains attractive terrain for malvertisers hunting for small browser advantages.
What users and defenders should do
- Update Safari and iOS to the latest available release. Apple’s current security pages show Safari 26.3 and iOS 26.3 as the latest supported releases in February 2026.
- Treat sudden prize pages and fake virus alerts as scams, especially when they appear after a redirect rather than a direct search result. Confiant links D-Shortiez to both fake reward pages and tech-support scams.
- Audit ad supply chains and redirect behavior if you run publisher or ad-tech infrastructure. Confiant says forced redirects remain active through mainstream ad channels and fake ad-serving domains.
- Block known D-Shortiez domains and infrastructure using updated IOC lists from Confiant’s July 2025 write-up.
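One way to start the redirect-behavior audit from the list above, as an added example that is not from Confiant or the original article: a heuristic static scan that flags ad creatives combining top-level navigation, session-history writes and Back-button handlers. The rule ids, verdict labels and sample creatives are constructed for illustration, and pattern matching like this is only a triage step, since obfuscated creatives need runtime analysis.

```javascript
// Added example (not Confiant's tooling): static triage of ad creative source.
// Rule ids, verdict labels and the sample creatives are constructed here.
const RULES = [
  // Script-initiated navigation of the top-level page from inside the ad.
  { id: "top-navigation",
    re: /\b(?:top|parent)\.location(?:\.href)?\s*=(?!=)|\b(?:top|parent)\.location\.(?:replace|assign)\s*\(/ },
  // Writes to session history, unusual for a display ad.
  { id: "history-write", re: /\bhistory\.(?:pushState|replaceState)\s*\(/ },
  // Handlers that run when the user presses Back.
  { id: "back-listener", re: /addEventListener\s*\(\s*["']popstate["']|\bonpopstate\s*=(?!=)/ },
];

// Returns a verdict plus every rule hit with its 1-based line number.
function scanCreative(source) {
  const hits = [];
  source.split("\n").forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) hits.push({ rule: rule.id, line: i + 1 });
    }
  });
  const seen = new Set(hits.map((h) => h.rule));
  let verdict = "pass";
  // History write plus a Back handler is the trap pattern the article describes.
  if (seen.has("history-write") && seen.has("back-listener")) verdict = "history-trap";
  else if (seen.has("top-navigation")) verdict = "forced-redirect";
  else if (seen.size > 0) verdict = "review";
  return { verdict, hits };
}

// Constructed samples; handler bodies are left out on purpose.
const SAMPLES = {
  banner: '<a href="https://example.com/offer"><img src="banner.png"></a>',
  redirect: '<script>\nwindow.top.location.href = "https://example.invalid/";\n</script>',
  trap: '<script>\nhistory.pushState(null, "", location.href);\nwindow.addEventListener("popstate", onBack);\n</script>',
};

// Maps each creative name to its verdict for a quick review queue.
function triageAll(samples) {
  return Object.fromEntries(
    Object.entries(samples).map(([name, src]) => [name, scanCreative(src).verdict])
  );
}

console.log(triageAll(SAMPLES));
```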
FAQ
D-Shortiez is a malvertising actor tracked by Confiant since 2022. Confiant says the group runs fake prize scams and tech-support scams using forced redirects and browser manipulation.
It is a trick that abuses browser history behavior so pressing Back does not return the user to the previous safe page. In D-Shortiez’s case, Confiant says Safari users were pushed back into the scam flow instead.
I could not verify that claim. Apple’s public records show HT213600 belongs to Safari 16.3 from January 2023, not a 2026 patch.
No. D-Shortiez has affected broader device groups, but Confiant says iPhone and Safari users have been among the most heavily targeted audiences in this campaign family.