216.73.217.22

Chinese Malware Delivery Domains: Part III

· Published 18/07/2025 07:34 · Modified 18/07/2025 08:25

Export JSON

Essential information

Published
18/07/2025 07:34
Modified
18/07/2025 08:25
Tags
2025-07-18 cryptocurrency fake updates phishing windows
Related entities
200 observables, 1 intrusion sets (apt), 4 techniques (mitre), 3 others

Description

This report details an ongoing campaign by a threat actor operating during Chinese time zone hours, targeting Chinese-speaking individuals and entities globally. Since June 2023, the actor has created over 2,800 domains for malware delivery, primarily targeting systems through fake application download sites and update prompts. The actor has made operational changes, including anti-automation measures, reduced site tracker services, increased server distribution, and more discreet registration details. The campaign uses fake login pages, marketing apps, and -related apps to distribute malware. The actor's motivations appear to be financially driven, potentially including credential theft, financial theft, and access brokering. The report emphasizes the importance of user awareness, enhanced security measures, and multi-layered defense strategies to counter this persistent threat.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (200)

  • 11.5.0.116
  • www.gah566w6wefbhawo.top
  • s3trrreow-s3-oss.top
  • letsvpn.luxe
  • fuainfagk.aws
  • kl.sxlaowan.top
  • download.dwladold.xyz
  • downb.andyvpn2.com
  • zzyewei.com
  • zumacaya.com
  • zubrowska.com
  • zorkhun.com
  • zoopayne.com
  • zoieart.com
  • zhufeikeji.com
  • zhaozifang.com
  • zhanxb.com
  • zelslon.com
  • zacpicto.com
  • ywashst.com
  • yudulife.com
  • ytsanniu.com
  • ytbondhot.com
  • yipikayei.com
  • yomuslim.com
  • yilufac.cyou
  • yikahook.com
  • yeepays.xyz
  • yeepays.top
  • xtubegirl.com
  • xtremefp.com
  • xsviagra.com
  • xrisima.com
  • xo3895.com
  • xiaohuojianjsq.com
  • xiaohuojianjsq.cn
  • xiaohuojianjiasuqi.cn
  • xhonk.com
  • xhmxgg.com
  • xggf.shop
  • xeitosas.com
  • xanarts.com
  • x4radio.com
  • x21ids.com
  • wuxikezhu.com
  • wyunm.top
  • wspoo.top
  • wpzs.xyz
  • wpszx.top
  • wpsso.top
  • wpsq.xyz
  • wpfosterx.com
  • wopred.com
  • wooahpet.com
  • wmfutbol.com
  • wmcazino.com
  • wjfsports.com
  • winner321.com
  • winiscab.com
  • willahome.com
  • wikijojo.com
  • whatsappweb.wang
  • whatsappweb.store
  • whastocp.top
  • wferreira.com
  • wetbetty.com
  • weeblys.com
  • webnedio.com
  • web-letsvpn.com
  • wdi-th.com
  • waxnkicks.com
  • watson37.com
  • w6vsw12.com
  • voyaparis.com
  • viuvidio.com
  • violarium.com
  • viggossi.com
  • viagradex.com
  • viagraam.com
  • verttuyau.com
  • valiantho.com
  • v66vivo.com
  • utopiamas.com
  • uyoyahya.com
  • urkobtt.com
  • upc-ube.com
  • uppaycn.com
  • up2cracks.com
  • ullfoll.com
  • ummikoki.com
  • ukpaycn.com
  • ugg-mall.com
  • ufa1819.com
  • uehxu.shop
  • txjsq.com
  • twtmag.com
  • tvboxbg.com
  • tumayig.com
  • tuspdf.com
  • tuilianke.com
  • tslatgooglefyng8.top
  • ttvcc.com
  • tsdblogs.com
  • ts911plus.com
  • troutdiva.com
  • triwww.com
  • tripfabio.com
  • trikasik.com
  • traveleor.com
  • transleasy.top
  • translatgooglefyng.top
  • translategoogle.top
  • tracyxo.com
  • tp4ww.com
  • totogogo1.com
  • tosunlab.com
  • tommakau.com
  • tokomira.com
  • todske.top
  • todinhhop.com
  • todeskzx.top
  • todekx.top
  • todeksx.top
  • tmourning.com
  • tjdxdgg.com
  • tianxingjiasuqi.cn
  • thkjzc.com
  • thenzp.com
  • thevkinfo.com
  • theipu.com
  • theamaraz.com
  • thaoandli.com
  • telegramweb.ltd
  • telegramweb.fun
  • tekboe.com
  • tdsek.top
  • tawakun.com
  • tat-ology.com
  • tangjihz.com
  • taloluck.com
  • tadacipla.com
  • taasg.com
  • swejazz.com
  • sutz0dq.top
  • supurinto.com
  • superpva.com
  • sunwarez.com
  • stubbadub.com
  • stgmetall.com
  • sterocore.com
  • stapons.com
  • stacydoe.com
  • ssjplanet.com
  • ssamnet.com
  • srimgr.com
  • srboca.com
  • sqdeco.com
  • spreeblog.com
  • sportsbng.com
  • spaceboos.com
  • soundohio.com
  • sosyalogi.com
  • sosswebb.com
  • soretoga.com
  • sonvuco.com
  • sonalaec.com
  • sngea.com
  • smileyoo.com
  • slviagra.com
  • sluv2.com
  • sl2uk.com
  • sivuca.com
  • simplyut.com
  • simepk.com
  • sikhspeak.com
  • sikiublog.com
  • sijeka.com
  • shoqase.com
  • shtikl.com
  • sheepkf.com
  • shayujsq.cn
  • shanggames.com
  • shandianjsq.com
  • shandianjiasuqi.com
  • shandianjiasuqi.cn
  • sgklrm.com
  • sfztgz.com
  • sgcausa.com
  • sfpxfpcfp.com
  • sfpropose.com
  • seyantk.com
  • sexkeks.com
  • sew-rite.com
  • seriebkk.com
  • sehablade.com
  • segurogta.com
  • sboarena.com
  • seedole.com
  • sattahelp.com
  • satricky.com

Intrusion sets (APT) (1)

  • SilverFox
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 09:56 · Modified 21/12/2025 09:56

Techniques (MITRE) (4)

  • T1055
    Process Injection
  • T1140
    Deobfuscate/Decode Files or Information
  • T1027
    Obfuscated Files or Information
  • T1078
    Valid Accounts

Others (3)

  • China
  • Technology
  • Finance

External references