Researchers identified a watering hole campaign attributed to APT TA423 that deploys ScanBox, a JavaScript-based reconnaissance tool. The attack vector targets website visitors through compromised legitimate sites, forcing malicious code execution on victim browsers. ScanBox performs keystroke logging and collects system reconnaissance data before lateral movement or payload deployment. APT TA423 operates with a focus on espionage objectives and has previously conducted similar watering hole operations against specific sectors. The JavaScript approach allows the threat actor to bypass certain network controls by executing reconnaissance in-browser without requiring binary execution or elevated privileges. Defenders should monitor for anomalous JavaScript execution on web properties, implement content security policies to restrict unauthorized script loading, and analyze traffic for connections to known ScanBox command and control infrastructure. Organizations should apply patches to web applications and conduct regular security audits of internet-facing systems to identify compromised assets before attackers establish persistent access. Detection of this campaign underscores the continued effectiveness of watering hole attacks against targeted victim sets where APT TA423 maintains strategic interest.