Skip to main content
ThreatOther

Hangul-filler binary payload — 16+ consecutive U+FFA0 / U+3164 runs encoding invisible JS (Tycoon 2FA PhaaS technique)

hangul-filler-invisible-javascript-payload

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

HTML body contains 16+ consecutive U+FFA0 (Halfwidth Hangul Filler) or U+3164 (Hangul Filler) characters — a steganographic technique that encodes JavaScript as a binary string over the two codepoints. Both render as invisible whitespace in every major browser. Pioneered by Martin Kleppe (Oct 2024), first observed in the wild by Juniper Threat Labs in January 2025, and adopted into the Tycoon 2FA PhaaS kit in April 2025 (LevelBlue SpiderLabs + SocRadar). Distinct from existing `body-invisible-char-obfuscation` which fires on zero-width chars INTERLEAVED between Latin letters — this fires on pure consecutive runs. Legitimate Korean email uses composed Hangul syllables (U+AC00-U+D7A3) and Jamo (U+1100-U+11FF), never the standalone fillers.

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.

Browse all signalsSafety guaranteesJSON

Ready to clean your inbox?

Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.

Get started