Brad Duncan, security researcher at Rackspace, writes about evolving JavaScript (malware) obfuscation on the Internet Storm Center InfoSec Community Forums.

Since May of 2014, I’ve been tracking a particular group that uses the Sweet Orange exploit kit to deliver malware. This group also uses obfuscation to make it harder to detect the infection chain of events.

By 2015, this group included more obfuscation within the initial JavaScript. It’s a relatively minor change in the overall traffic patterns; however, the result causes more work to detect the malicious activity.

Either way, the infection chain flows according to the following block diagram:

Read on at the ISC InfoSec Community Forums post "An Example of Evolving Obfuscation".
