{
  "name": "Chinese Malware Delivery Domains: Part III",
  "slug": "chinese-malware-delivery-domains-part-iii",
  "description": "This report details an ongoing campaign by a threat actor operating during Chinese time zone hours, targeting Chinese-speaking individuals and entities globally. Since June 2023, the actor has created over 2,800 domains for malware delivery, primarily targeting Windows systems through fake application download sites and update prompts. The actor has made operational changes, including anti-automation measures, reduced use of site-tracker services, increased server distribution, and more discreet registration details. The campaign uses fake login pages, marketing apps, and cryptocurrency-related apps to distribute malware. The actor appears to be financially motivated, with likely goals including credential theft, financial theft, and access brokering. The report emphasizes the importance of user awareness, enhanced security measures, and multi-layered defense strategies to counter this persistent threat.",
  "published": "2025-07-18T05:34:20+00:00",
  "created_at": "2025-07-18T05:34:20+00:00",
  "modified_at": "2025-07-18T06:25:32+00:00",
  "created_at_opencti": "2025-07-18T05:34:20+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-07-18",
    "cryptocurrency",
    "fake updates",
    "phishing",
    "windows"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "11.5.0.116"
      },
      {
        "id": "",
        "name": "www.gah566w6wefbhawo.top"
      },
      {
        "id": "",
        "name": "s3trrreow-s3-oss.top"
      },
      {
        "id": "",
        "name": "letsvpn.luxe"
      },
      {
        "id": "",
        "name": "fuainfagk.aws"
      },
      {
        "id": "",
        "name": "kl.sxlaowan.top"
      },
      {
        "id": "",
        "name": "download.dwladold.xyz"
      },
      {
        "id": "",
        "name": "downb.andyvpn2.com"
      },
      {
        "id": "",
        "name": "zzyewei.com"
      },
      {
        "id": "",
        "name": "zumacaya.com"
      },
      {
        "id": "",
        "name": "zubrowska.com"
      },
      {
        "id": "",
        "name": "zorkhun.com"
      },
      {
        "id": "",
        "name": "zoopayne.com"
      },
      {
        "id": "",
        "name": "zoieart.com"
      },
      {
        "id": "",
        "name": "zhufeikeji.com"
      },
      {
        "id": "",
        "name": "zhaozifang.com"
      },
      {
        "id": "",
        "name": "zhanxb.com"
      },
      {
        "id": "",
        "name": "zelslon.com"
      },
      {
        "id": "",
        "name": "zacpicto.com"
      },
      {
        "id": "",
        "name": "ywashst.com"
      },
      {
        "id": "",
        "name": "yudulife.com"
      },
      {
        "id": "",
        "name": "ytsanniu.com"
      },
      {
        "id": "",
        "name": "ytbondhot.com"
      },
      {
        "id": "",
        "name": "yipikayei.com"
      },
      {
        "id": "",
        "name": "yomuslim.com"
      },
      {
        "id": "",
        "name": "yilufac.cyou"
      },
      {
        "id": "",
        "name": "yikahook.com"
      },
      {
        "id": "",
        "name": "yeepays.xyz"
      },
      {
        "id": "",
        "name": "yeepays.top"
      },
      {
        "id": "",
        "name": "xtubegirl.com"
      },
      {
        "id": "",
        "name": "xtremefp.com"
      },
      {
        "id": "",
        "name": "xsviagra.com"
      },
      {
        "id": "",
        "name": "xrisima.com"
      },
      {
        "id": "",
        "name": "xo3895.com"
      },
      {
        "id": "",
        "name": "xiaohuojianjsq.com"
      },
      {
        "id": "",
        "name": "xiaohuojianjsq.cn"
      },
      {
        "id": "",
        "name": "xiaohuojianjiasuqi.cn"
      },
      {
        "id": "",
        "name": "xhonk.com"
      },
      {
        "id": "",
        "name": "xhmxgg.com"
      },
      {
        "id": "",
        "name": "xggf.shop"
      },
      {
        "id": "",
        "name": "xeitosas.com"
      },
      {
        "id": "",
        "name": "xanarts.com"
      },
      {
        "id": "",
        "name": "x4radio.com"
      },
      {
        "id": "",
        "name": "x21ids.com"
      },
      {
        "id": "",
        "name": "wuxikezhu.com"
      },
      {
        "id": "",
        "name": "wyunm.top"
      },
      {
        "id": "",
        "name": "wspoo.top"
      },
      {
        "id": "",
        "name": "wpzs.xyz"
      },
      {
        "id": "",
        "name": "wpszx.top"
      },
      {
        "id": "",
        "name": "wpsso.top"
      },
      {
        "id": "",
        "name": "wpsq.xyz"
      },
      {
        "id": "",
        "name": "wpfosterx.com"
      },
      {
        "id": "",
        "name": "wopred.com"
      },
      {
        "id": "",
        "name": "wooahpet.com"
      },
      {
        "id": "",
        "name": "wmfutbol.com"
      },
      {
        "id": "",
        "name": "wmcazino.com"
      },
      {
        "id": "",
        "name": "wjfsports.com"
      },
      {
        "id": "",
        "name": "winner321.com"
      },
      {
        "id": "",
        "name": "winiscab.com"
      },
      {
        "id": "",
        "name": "willahome.com"
      },
      {
        "id": "",
        "name": "wikijojo.com"
      },
      {
        "id": "",
        "name": "whatsappweb.wang"
      },
      {
        "id": "",
        "name": "whatsappweb.store"
      },
      {
        "id": "",
        "name": "whastocp.top"
      },
      {
        "id": "",
        "name": "wferreira.com"
      },
      {
        "id": "",
        "name": "wetbetty.com"
      },
      {
        "id": "",
        "name": "weeblys.com"
      },
      {
        "id": "",
        "name": "webnedio.com"
      },
      {
        "id": "",
        "name": "web-letsvpn.com"
      },
      {
        "id": "",
        "name": "wdi-th.com"
      },
      {
        "id": "",
        "name": "waxnkicks.com"
      },
      {
        "id": "",
        "name": "watson37.com"
      },
      {
        "id": "",
        "name": "w6vsw12.com"
      },
      {
        "id": "",
        "name": "voyaparis.com"
      },
      {
        "id": "",
        "name": "viuvidio.com"
      },
      {
        "id": "",
        "name": "violarium.com"
      },
      {
        "id": "",
        "name": "viggossi.com"
      },
      {
        "id": "",
        "name": "viagradex.com"
      },
      {
        "id": "",
        "name": "viagraam.com"
      },
      {
        "id": "",
        "name": "verttuyau.com"
      },
      {
        "id": "",
        "name": "valiantho.com"
      },
      {
        "id": "",
        "name": "v66vivo.com"
      },
      {
        "id": "",
        "name": "utopiamas.com"
      },
      {
        "id": "",
        "name": "uyoyahya.com"
      },
      {
        "id": "",
        "name": "urkobtt.com"
      },
      {
        "id": "",
        "name": "upc-ube.com"
      },
      {
        "id": "",
        "name": "uppaycn.com"
      },
      {
        "id": "",
        "name": "up2cracks.com"
      },
      {
        "id": "",
        "name": "ullfoll.com"
      },
      {
        "id": "",
        "name": "ummikoki.com"
      },
      {
        "id": "",
        "name": "ukpaycn.com"
      },
      {
        "id": "",
        "name": "ugg-mall.com"
      },
      {
        "id": "",
        "name": "ufa1819.com"
      },
      {
        "id": "",
        "name": "uehxu.shop"
      },
      {
        "id": "",
        "name": "txjsq.com"
      },
      {
        "id": "",
        "name": "twtmag.com"
      },
      {
        "id": "",
        "name": "tvboxbg.com"
      },
      {
        "id": "",
        "name": "tumayig.com"
      },
      {
        "id": "",
        "name": "tuspdf.com"
      },
      {
        "id": "",
        "name": "tuilianke.com"
      },
      {
        "id": "",
        "name": "tslatgooglefyng8.top"
      },
      {
        "id": "",
        "name": "ttvcc.com"
      },
      {
        "id": "",
        "name": "tsdblogs.com"
      },
      {
        "id": "",
        "name": "ts911plus.com"
      },
      {
        "id": "",
        "name": "troutdiva.com"
      },
      {
        "id": "",
        "name": "triwww.com"
      },
      {
        "id": "",
        "name": "tripfabio.com"
      },
      {
        "id": "",
        "name": "trikasik.com"
      },
      {
        "id": "",
        "name": "traveleor.com"
      },
      {
        "id": "",
        "name": "transleasy.top"
      },
      {
        "id": "",
        "name": "translatgooglefyng.top"
      },
      {
        "id": "",
        "name": "translategoogle.top"
      },
      {
        "id": "",
        "name": "tracyxo.com"
      },
      {
        "id": "",
        "name": "tp4ww.com"
      },
      {
        "id": "",
        "name": "totogogo1.com"
      },
      {
        "id": "",
        "name": "tosunlab.com"
      },
      {
        "id": "",
        "name": "tommakau.com"
      },
      {
        "id": "",
        "name": "tokomira.com"
      },
      {
        "id": "",
        "name": "todske.top"
      },
      {
        "id": "",
        "name": "todinhhop.com"
      },
      {
        "id": "",
        "name": "todeskzx.top"
      },
      {
        "id": "",
        "name": "todekx.top"
      },
      {
        "id": "",
        "name": "todeksx.top"
      },
      {
        "id": "",
        "name": "tmourning.com"
      },
      {
        "id": "",
        "name": "tjdxdgg.com"
      },
      {
        "id": "",
        "name": "tianxingjiasuqi.cn"
      },
      {
        "id": "",
        "name": "thkjzc.com"
      },
      {
        "id": "",
        "name": "thenzp.com"
      },
      {
        "id": "",
        "name": "thevkinfo.com"
      },
      {
        "id": "",
        "name": "theipu.com"
      },
      {
        "id": "",
        "name": "theamaraz.com"
      },
      {
        "id": "",
        "name": "thaoandli.com"
      },
      {
        "id": "",
        "name": "telegramweb.ltd"
      },
      {
        "id": "",
        "name": "telegramweb.fun"
      },
      {
        "id": "",
        "name": "tekboe.com"
      },
      {
        "id": "",
        "name": "tdsek.top"
      },
      {
        "id": "",
        "name": "tawakun.com"
      },
      {
        "id": "",
        "name": "tat-ology.com"
      },
      {
        "id": "",
        "name": "tangjihz.com"
      },
      {
        "id": "",
        "name": "taloluck.com"
      },
      {
        "id": "",
        "name": "tadacipla.com"
      },
      {
        "id": "",
        "name": "taasg.com"
      },
      {
        "id": "",
        "name": "swejazz.com"
      },
      {
        "id": "",
        "name": "sutz0dq.top"
      },
      {
        "id": "",
        "name": "supurinto.com"
      },
      {
        "id": "",
        "name": "superpva.com"
      },
      {
        "id": "",
        "name": "sunwarez.com"
      },
      {
        "id": "",
        "name": "stubbadub.com"
      },
      {
        "id": "",
        "name": "stgmetall.com"
      },
      {
        "id": "",
        "name": "sterocore.com"
      },
      {
        "id": "",
        "name": "stapons.com"
      },
      {
        "id": "",
        "name": "stacydoe.com"
      },
      {
        "id": "",
        "name": "ssjplanet.com"
      },
      {
        "id": "",
        "name": "ssamnet.com"
      },
      {
        "id": "",
        "name": "srimgr.com"
      },
      {
        "id": "",
        "name": "srboca.com"
      },
      {
        "id": "",
        "name": "sqdeco.com"
      },
      {
        "id": "",
        "name": "spreeblog.com"
      },
      {
        "id": "",
        "name": "sportsbng.com"
      },
      {
        "id": "",
        "name": "spaceboos.com"
      },
      {
        "id": "",
        "name": "soundohio.com"
      },
      {
        "id": "",
        "name": "sosyalogi.com"
      },
      {
        "id": "",
        "name": "sosswebb.com"
      },
      {
        "id": "",
        "name": "soretoga.com"
      },
      {
        "id": "",
        "name": "sonvuco.com"
      },
      {
        "id": "",
        "name": "sonalaec.com"
      },
      {
        "id": "",
        "name": "sngea.com"
      },
      {
        "id": "",
        "name": "smileyoo.com"
      },
      {
        "id": "",
        "name": "slviagra.com"
      },
      {
        "id": "",
        "name": "sluv2.com"
      },
      {
        "id": "",
        "name": "sl2uk.com"
      },
      {
        "id": "",
        "name": "sivuca.com"
      },
      {
        "id": "",
        "name": "simplyut.com"
      },
      {
        "id": "",
        "name": "simepk.com"
      },
      {
        "id": "",
        "name": "sikhspeak.com"
      },
      {
        "id": "",
        "name": "sikiublog.com"
      },
      {
        "id": "",
        "name": "sijeka.com"
      },
      {
        "id": "",
        "name": "shoqase.com"
      },
      {
        "id": "",
        "name": "shtikl.com"
      },
      {
        "id": "",
        "name": "sheepkf.com"
      },
      {
        "id": "",
        "name": "shayujsq.cn"
      },
      {
        "id": "",
        "name": "shanggames.com"
      },
      {
        "id": "",
        "name": "shandianjsq.com"
      },
      {
        "id": "",
        "name": "shandianjiasuqi.com"
      },
      {
        "id": "",
        "name": "shandianjiasuqi.cn"
      },
      {
        "id": "",
        "name": "sgklrm.com"
      },
      {
        "id": "",
        "name": "sfztgz.com"
      },
      {
        "id": "",
        "name": "sgcausa.com"
      },
      {
        "id": "",
        "name": "sfpxfpcfp.com"
      },
      {
        "id": "",
        "name": "sfpropose.com"
      },
      {
        "id": "",
        "name": "seyantk.com"
      },
      {
        "id": "",
        "name": "sexkeks.com"
      },
      {
        "id": "",
        "name": "sew-rite.com"
      },
      {
        "id": "",
        "name": "seriebkk.com"
      },
      {
        "id": "",
        "name": "sehablade.com"
      },
      {
        "id": "",
        "name": "segurogta.com"
      },
      {
        "id": "",
        "name": "sboarena.com"
      },
      {
        "id": "",
        "name": "seedole.com"
      },
      {
        "id": "",
        "name": "sattahelp.com"
      },
      {
        "id": "",
        "name": "satricky.com"
      }
    ],
    "intrusion_sets": [
      {
        "id": "1f9f9be4-33a2-403b-8cc8-9dba393d8f95",
        "name": "SilverFox",
        "slug": "silverfox"
      }
    ],
    "attack_patterns": [
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "China"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Finance"
      }
    ]
  },
  "external_refs": [
    "https://dti.domaintools.com/chinese-malware-delivery-domains-part-iii",
    "https://otx.alienvault.com/pulse/6879f8fcecc13fd4ad77e76d"
  ]
}