Chinese Malware Delivery Websites
· Published 16/01/2025 11:00 · Modified 16/01/2025 12:00
Essential information
- Published: 16/01/2025 11:00
- Modified: 16/01/2025 12:00
- Tags: 2025-01-16, apt, chinese-speaking users, credential-theft, farfli, gh0strat, hack-for-hire, lummastealer, malware delivery, redline, remkos rat, remote access trojans, spoofed websites, valleyrat
- Related entities: 200 observables, 1 intrusion set (APT), 22 techniques (MITRE), 6 malware, 3 others
Description
A cluster of over 400 domains has been registered since June 2024 to host spoofed websites delivering malware to Chinese-speaking users. The sites imitate popular applications such as web browsers, VPNs, messaging apps, and crypto wallets. Identified malware includes Gh0stRAT, ValleyRAT, Remcos RAT, LummaStealer, and RedLine. The domains share registration details, infrastructure, and website configurations. Lures include fake login pages and software downloads. The activity shows similarities to the previously reported APT group SilverFox, suggesting an organized hack-for-hire or state-sponsored operation targeting Chinese speakers, possibly for credential theft and system access.
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Observables (200)
Intrusion sets (APT) (1)
- AlienVault · Confidence 100 · Published 21/12/2025 09:56 · Modified 21/12/2025 09:56
Techniques (MITRE) (22)
- Peripheral Device Discovery
- Automated Collection
- Query Registry
- Virtualization/Sandbox Evasion
- Email Collection
- Credentials from Password Stores
- Data from Local System
- Encrypted Channel
- System Network Configuration Discovery
- Software Discovery
- System Information Discovery
- Process Discovery
- File and Directory Discovery
- Application Layer Protocol
- Remote Access Tools
- User Execution
- Data Encoding
- System Owner/User Discovery
- Subvert Trust Controls
- Input Capture
- Phishing
- Command and Scripting Interpreter
Malware (6)
- Family · Published 16/01/2025 11:00 · Modified 16/01/2025 11:00
- Family · Published 19/05/2026 17:52 · Modified 19/05/2026 17:52
- Family · Published 14/04/2026 08:54 · Modified 14/04/2026 08:54
- Family · Published 08/06/2026 10:30 · Modified 08/06/2026 10:30
- Family · Published 06/03/2025 12:31 · Modified 06/03/2025 12:31
- Family · Published 08/05/2026 11:31 · Modified 08/05/2026 11:31
Others (3)
- Hong Kong
- China
- Malaysia