After Wednesday's unprecedented unified online yelp against SOPA and PIPA, Thursday saw a new milestone: the first direct and public activist malware from Anonymous.

A version of Anonymous' voluntary botnet software, known as LOIC (Low Orbit Ion Canon), was modified to make it not so voluntary, drafting unwary bystanders, journalists and even anons who don't support DDoS tactics into attacks on the U.S. Justice Department. Thursday's trickery seems not to have been central to the successful takedown of sites like justice.gov, RIAA.com and MPAA.com, but not all anons are pleased with forcing unwitting bystanders to join in a potentially illegal action.

The trick snagged those who happened to click on a shortened link on social-media services, expecting information on the ongoing #opmegaupload retaliation for the U.S. Justice Department's takedown of popular file sharing site Megaupload. Instead they were greeted by a Javascript version of LOIC – already firing packets at targeted websites by the time their page was loaded.

Several anons speaking to Wired on condition of anonymity voiced dismay that a tactic they consider to be the modern-day equivalent of a sit-in (denial-of-service attacks leave no lasting damage) was ethically corrupted by the new version.

"Preying on unsuspecting users is despicable," said one anon, speaking to Wired in an online chat. "We need to fight for the user, not potentially land them in jail."

As part of Thursday's raging reaction from Anonymous to the Megaupload arrests, people by the thousands voluntarily pointed the LOIC at targets like FBI.gov, DOJ.gov, MPAA.org, BMI.org, RIAA.org and copyright.gov, part of an effort that knocked these sites offline for parts of the day. The tool bombards a targeted site with traffic, in hopes of overwhelming servers so that no one can visit the site.

If enough anons choose to aim the tool at a proposed target, it gives Anonymous an easy route into press coverage without doing any lasting damage to a site. However, the tool doesn't cover users' tracks, making it simple for a targeted site to know where the attacks were coming from.

But this new malware variant emerged in the course of the operation, and not everyone that clicked on the link wanted to participate. Unwitting participants included Gawker's Adrien Chen, who blasted anons for the trick.

LOIC began as a downloadable software, but an in-browser Javascript version of LOIC has been around since 2010's Operation Payback.

The new auto-firing variant seems to have been developed as part of an occupy effort by Occupy BMV (Ocupemos La Bolsa Mexicana de Valores, or the Mexican Stock Exchange) against the Mexican treasury secretary several days before the Megaupload arrests. The adaptation doesn't seem very sophisticated, and uses a 1990s-era proxy server called anonymouse.org that doesn't hide the tracks of Javascript requests, making its addition unlikely to help its users evade detection. (A number of people are being prosecuted for allegedly using LOIC to participate in the 2010 denial of service attacks against Paypal, part of a retaliation campaign for the payment processor voluntarily cutting off donations to WikiLeaks.)

In the wake of theSOPA/PIPA protest and the Megaupload arrest, the malware JS LOIC was further modified to autofire at the US Department of Justice and was posted on a Pastehtml site. An obscured, shortened link was posted to Twitter repeatedly, mostly by Spanish language accounts, and an unknown number of people clicked on it. Without their knowledge they began automatically to DDoS the DoJ.

While this tactic was new and unsettling, it's unlikely this script made much difference in the total level of attack traffic aimed at the DoJ. The JS LOIC is not a powerful tool for overwhelming servers, and the anonymouse.org site never went down, despite being hit every time someone used the malware LOIC on the DOJ or any other target site.

Despite its small footprint and questionable ethics, the existence of the malware version may make it harder for prosecutors to prove in court that someone using the JS LOIC did so intentionally.