{
  "name": "Chinese Malware Delivery Websites",
  "slug": "chinese-malware-delivery-websites",
  "description": "A cluster of over 400 domains has been registered since June 2024 to host spoofed websites that deliver malware to Chinese-speaking users. The sites imitate popular applications such as web browsers, VPNs, messaging apps, and crypto wallets. Identified malware includes Gh0stRAT, ValleyRAT, RemKos RAT, LummaStealer, and RedLine. The domains share registration details, infrastructure, and website configurations. Lures include fake login pages and software downloads. The activity shows similarities to that of the previously reported APT group SilverFox, suggesting an organized hack-for-hire or state-sponsored operation targeting Chinese speakers, possibly for credential theft and system access.",
  "published": "2025-01-16T10:00:47+00:00",
  "created_at": "2025-01-16T10:00:47+00:00",
  "modified_at": "2025-01-16T11:00:00+00:00",
  "created_at_opencti": "2025-01-16T10:00:47+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-01-16",
    "apt",
    "chinese-speaking users",
    "credential-theft",
    "farfli",
    "gh0strat",
    "hack-for-hire",
    "lummastealer",
    "malware delivery",
    "redline",
    "remkos rat",
    "remote access trojans",
    "spoofed websites",
    "valleyrat"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "47.242.127.63"
      },
      {
        "id": "",
        "name": "134.122.135.95"
      },
      {
        "id": "",
        "name": "http://quickqi.net/assets/download/quicqk66.12.msi"
      },
      {
        "id": "",
        "name": "http://quickiq.top/assets/download/win32-quicq.msi"
      },
      {
        "id": "",
        "name": "http://mctuqqe4z.top/qucke1.xn--2_-1e1dn6n.zip"
      },
      {
        "id": "",
        "name": "http://kuailianlow.com/download/letspn-latest.exe"
      },
      {
        "id": "",
        "name": "http://kuailiani.net/download/kuailian64.52.msi"
      },
      {
        "id": "",
        "name": "http://kipkshsa.top/download/letsvppn-latest.msi"
      },
      {
        "id": "",
        "name": "http://isdndjsq.top/assets/download/win32-quicq.msi"
      },
      {
        "id": "",
        "name": "http://134.122.135.95:4443"
      },
      {
        "id": "",
        "name": "villa.yiluying.com"
      },
      {
        "id": "",
        "name": "mumu.163i.top"
      },
      {
        "id": "",
        "name": "fs-im-kefu.7moor-fs1.com"
      },
      {
        "id": "",
        "name": "zoomi.fit"
      },
      {
        "id": "",
        "name": "ziniao.fit"
      },
      {
        "id": "",
        "name": "zhekou838.cn"
      },
      {
        "id": "",
        "name": "yuduba.xyz"
      },
      {
        "id": "",
        "name": "z42f1m.top"
      },
      {
        "id": "",
        "name": "yuanq.top"
      },
      {
        "id": "",
        "name": "yqdesk.top"
      },
      {
        "id": "",
        "name": "youdou.xyz"
      },
      {
        "id": "",
        "name": "youdoo.top"
      },
      {
        "id": "",
        "name": "youdoau.top"
      },
      {
        "id": "",
        "name": "youdaoz.top"
      },
      {
        "id": "",
        "name": "youdaox.top"
      },
      {
        "id": "",
        "name": "youdaoie.top"
      },
      {
        "id": "",
        "name": "yoodou.top"
      },
      {
        "id": "",
        "name": "yoodau.xyz"
      },
      {
        "id": "",
        "name": "yoodaou.xyz"
      },
      {
        "id": "",
        "name": "yoodau.top"
      },
      {
        "id": "",
        "name": "yoodaoi.club"
      },
      {
        "id": "",
        "name": "yoodao.fit"
      },
      {
        "id": "",
        "name": "yodaou.top"
      },
      {
        "id": "",
        "name": "yoadao.xyz"
      },
      {
        "id": "",
        "name": "yijfu.com"
      },
      {
        "id": "",
        "name": "yiijifu.com"
      },
      {
        "id": "",
        "name": "yiiji.xyz"
      },
      {
        "id": "",
        "name": "xzpay.work"
      },
      {
        "id": "",
        "name": "xxyy.work"
      },
      {
        "id": "",
        "name": "xmengapp.top"
      },
      {
        "id": "",
        "name": "xinzuan.top"
      },
      {
        "id": "",
        "name": "xinmeng.xyz"
      },
      {
        "id": "",
        "name": "xinlang.work"
      },
      {
        "id": "",
        "name": "xingzuan.xyz"
      },
      {
        "id": "",
        "name": "xingzuan.online"
      },
      {
        "id": "",
        "name": "xingzuan.fit"
      },
      {
        "id": "",
        "name": "xingzuan.club"
      },
      {
        "id": "",
        "name": "xingqiiu.club"
      },
      {
        "id": "",
        "name": "xiaohuojians.top"
      },
      {
        "id": "",
        "name": "ximmlang.club"
      },
      {
        "id": "",
        "name": "wymusic.top"
      },
      {
        "id": "",
        "name": "wymusic.fit"
      },
      {
        "id": "",
        "name": "wuyoujieee.com"
      },
      {
        "id": "",
        "name": "wudps.xyz"
      },
      {
        "id": "",
        "name": "wpszm.top"
      },
      {
        "id": "",
        "name": "wpsyz.top"
      },
      {
        "id": "",
        "name": "wpsxz.xyz"
      },
      {
        "id": "",
        "name": "wpsxi.club"
      },
      {
        "id": "",
        "name": "wpsxm.xyz"
      },
      {
        "id": "",
        "name": "wpssq.top"
      },
      {
        "id": "",
        "name": "wpss.xyz"
      },
      {
        "id": "",
        "name": "wpsrs.xyz"
      },
      {
        "id": "",
        "name": "wpsrc.work"
      },
      {
        "id": "",
        "name": "wpsrc.top"
      },
      {
        "id": "",
        "name": "wpsqx.top"
      },
      {
        "id": "",
        "name": "wpsqr.xyz"
      },
      {
        "id": "",
        "name": "wpsqm.com"
      },
      {
        "id": "",
        "name": "wpsma.top"
      },
      {
        "id": "",
        "name": "wpsla.site"
      },
      {
        "id": "",
        "name": "wpsiz.xyz"
      },
      {
        "id": "",
        "name": "wpsio.top"
      },
      {
        "id": "",
        "name": "wpsim.top"
      },
      {
        "id": "",
        "name": "wpsie.top"
      },
      {
        "id": "",
        "name": "wpsei.com"
      },
      {
        "id": "",
        "name": "wpsco.xyz"
      },
      {
        "id": "",
        "name": "wppsi.top"
      },
      {
        "id": "",
        "name": "wletsvpn.xyz"
      },
      {
        "id": "",
        "name": "wipses.fit"
      },
      {
        "id": "",
        "name": "winzips.work"
      },
      {
        "id": "",
        "name": "wiinrar.top"
      },
      {
        "id": "",
        "name": "winrarsz.top"
      },
      {
        "id": "",
        "name": "whtsaps.work"
      },
      {
        "id": "",
        "name": "whtsaps.fit"
      },
      {
        "id": "",
        "name": "whtsaps.vip"
      },
      {
        "id": "",
        "name": "whtsaps.club"
      },
      {
        "id": "",
        "name": "whtpps.work"
      },
      {
        "id": "",
        "name": "whtpps.club"
      },
      {
        "id": "",
        "name": "whtpps.fit"
      },
      {
        "id": "",
        "name": "whhapps.fit"
      },
      {
        "id": "",
        "name": "whhapps.club"
      },
      {
        "id": "",
        "name": "whatsacppy.club"
      },
      {
        "id": "",
        "name": "whapps.fit"
      },
      {
        "id": "",
        "name": "whapps.work"
      },
      {
        "id": "",
        "name": "whapps.club"
      },
      {
        "id": "",
        "name": "wangwangtalk.club"
      },
      {
        "id": "",
        "name": "wgoole.fit"
      },
      {
        "id": "",
        "name": "wangr.club"
      },
      {
        "id": "",
        "name": "vzvlco.top"
      },
      {
        "id": "",
        "name": "vltlpung.com"
      },
      {
        "id": "",
        "name": "vletsvpn.xyz"
      },
      {
        "id": "",
        "name": "visvpn.cyou"
      },
      {
        "id": "",
        "name": "vibers.work"
      },
      {
        "id": "",
        "name": "vibers.top"
      },
      {
        "id": "",
        "name": "vibers.site"
      },
      {
        "id": "",
        "name": "viber.cyou"
      },
      {
        "id": "",
        "name": "viberi.xyz"
      },
      {
        "id": "",
        "name": "vejm60.top"
      },
      {
        "id": "",
        "name": "viber.cc"
      },
      {
        "id": "",
        "name": "vb0ep.club"
      },
      {
        "id": "",
        "name": "utuncloud.world"
      },
      {
        "id": "",
        "name": "uq7djw.xyz"
      },
      {
        "id": "",
        "name": "uphot.net"
      },
      {
        "id": "",
        "name": "upcupe.xyz"
      },
      {
        "id": "",
        "name": "twyudoft.com"
      },
      {
        "id": "",
        "name": "uletsvpn.xyz"
      },
      {
        "id": "",
        "name": "ttcy365.com"
      },
      {
        "id": "",
        "name": "todeskzis.xyz"
      },
      {
        "id": "",
        "name": "tradingview.trade"
      },
      {
        "id": "",
        "name": "todeskze.top"
      },
      {
        "id": "",
        "name": "todeskeq.top"
      },
      {
        "id": "",
        "name": "todeskiz.club"
      },
      {
        "id": "",
        "name": "todeskei.xyz"
      },
      {
        "id": "",
        "name": "todeskc.top"
      },
      {
        "id": "",
        "name": "todesik.top"
      },
      {
        "id": "",
        "name": "todaski.club"
      },
      {
        "id": "",
        "name": "todaskek.xyz"
      },
      {
        "id": "",
        "name": "tletsvpn.xyz"
      },
      {
        "id": "",
        "name": "tittia.top"
      },
      {
        "id": "",
        "name": "tgsheng.top"
      },
      {
        "id": "",
        "name": "teleqpczm.club"
      },
      {
        "id": "",
        "name": "teleqercm.work"
      },
      {
        "id": "",
        "name": "teleqcrmn.fit"
      },
      {
        "id": "",
        "name": "teleqcrmn.club"
      },
      {
        "id": "",
        "name": "teleqcam.club"
      },
      {
        "id": "",
        "name": "telepwam.club"
      },
      {
        "id": "",
        "name": "teleprzm.fit"
      },
      {
        "id": "",
        "name": "telepqrm.work"
      },
      {
        "id": "",
        "name": "telepeqrm.fit"
      },
      {
        "id": "",
        "name": "telepcems.fit"
      },
      {
        "id": "",
        "name": "telepcem.club"
      },
      {
        "id": "",
        "name": "teleigpcm.vip"
      },
      {
        "id": "",
        "name": "teleigpcm.club"
      },
      {
        "id": "",
        "name": "telegrinxkam.top"
      },
      {
        "id": "",
        "name": "telegrpcm.xyz"
      },
      {
        "id": "",
        "name": "telegrimz.club"
      },
      {
        "id": "",
        "name": "telegrcm.ing"
      },
      {
        "id": "",
        "name": "telegramn.vip"
      },
      {
        "id": "",
        "name": "telegczem.club"
      },
      {
        "id": "",
        "name": "telegcvme.fit"
      },
      {
        "id": "",
        "name": "teleeqcrme.top"
      },
      {
        "id": "",
        "name": "teleepcrme.work"
      },
      {
        "id": "",
        "name": "teleagrmone.top"
      },
      {
        "id": "",
        "name": "teiegram.ing"
      },
      {
        "id": "",
        "name": "telagrmaxjsq.top"
      },
      {
        "id": "",
        "name": "teamviewers.club"
      },
      {
        "id": "",
        "name": "t0v0hlp.top"
      },
      {
        "id": "",
        "name": "taufp6.top"
      },
      {
        "id": "",
        "name": "subllmatxt.top"
      },
      {
        "id": "",
        "name": "surrl9oa.top"
      },
      {
        "id": "",
        "name": "szyyotmp.com"
      },
      {
        "id": "",
        "name": "steams.top"
      },
      {
        "id": "",
        "name": "sublitmext.xyz"
      },
      {
        "id": "",
        "name": "soulgou.club"
      },
      {
        "id": "",
        "name": "sougous.xyz"
      },
      {
        "id": "",
        "name": "sougous.top"
      },
      {
        "id": "",
        "name": "sougoo.site"
      },
      {
        "id": "",
        "name": "soogoo.icu"
      },
      {
        "id": "",
        "name": "soogou.store"
      },
      {
        "id": "",
        "name": "snipaste.top"
      },
      {
        "id": "",
        "name": "smsnet.top"
      },
      {
        "id": "",
        "name": "snapcheat.club"
      },
      {
        "id": "",
        "name": "smsactive.top"
      },
      {
        "id": "",
        "name": "sms-activation.club"
      },
      {
        "id": "",
        "name": "slqdgo.club"
      },
      {
        "id": "",
        "name": "skyes1.top"
      },
      {
        "id": "",
        "name": "signall.xyz"
      },
      {
        "id": "",
        "name": "signel.top"
      },
      {
        "id": "",
        "name": "shimoc.club"
      },
      {
        "id": "",
        "name": "shanghud.com"
      },
      {
        "id": "",
        "name": "shengfuton.com"
      },
      {
        "id": "",
        "name": "shandpey.world"
      },
      {
        "id": "",
        "name": "shandpay.top"
      },
      {
        "id": "",
        "name": "sandpray.top"
      },
      {
        "id": "",
        "name": "sandlpay.top"
      },
      {
        "id": "",
        "name": "sandipay.top"
      },
      {
        "id": "",
        "name": "sanderpay.top"
      },
      {
        "id": "",
        "name": "salesmart.top"
      },
      {
        "id": "",
        "name": "rtuoxxsr.com"
      },
      {
        "id": "",
        "name": "rggmo7j.club"
      },
      {
        "id": "",
        "name": "qwf123.cyou"
      },
      {
        "id": "",
        "name": "qwapmuuq.com"
      },
      {
        "id": "",
        "name": "quirkq.work"
      },
      {
        "id": "",
        "name": "quiirkq.club"
      },
      {
        "id": "",
        "name": "quiiqq.com"
      },
      {
        "id": "",
        "name": "quiickqz.top"
      },
      {
        "id": "",
        "name": "quiicka.xyz"
      },
      {
        "id": "",
        "name": "quickxq.xyz"
      },
      {
        "id": "",
        "name": "quickqzc.top"
      },
      {
        "id": "",
        "name": "quickqza.icu"
      },
      {
        "id": "",
        "name": "quickqi.top"
      }
    ],
    "malware": [
      {
        "id": "053c6a69-a1b3-424a-8613-073cc2a3b5bd",
        "name": "RemKos RAT",
        "slug": "remkos-rat"
      },
      {
        "id": "legacy:malware:22cebae9fb28ad81",
        "name": "LummaStealer",
        "slug": "lummastealer"
      },
      {
        "id": "936ec9c4-eac8-4c01-852e-9e2838eb9fdc",
        "name": "Gh0stRAT",
        "slug": "gh0strat"
      },
      {
        "id": "legacy:malware:4f9f68da3d056e8c",
        "name": "ValleyRAT",
        "slug": "valleyrat"
      },
      {
        "id": "00e768b5-8700-44f9-9462-b8601564e607",
        "name": "Farfli",
        "slug": "farfli"
      },
      {
        "id": "legacy:malware:25878cbc384641c1",
        "name": "RedLine",
        "slug": "redline"
      }
    ],
    "intrusion_sets": [
      {
        "id": "1f9f9be4-33a2-403b-8cc8-9dba393d8f95",
        "name": "SilverFox",
        "slug": "silverfox"
      }
    ],
    "attack_patterns": [
      {
        "id": "d955a391-6fd0-4eb2-8767-973c39c761e0",
        "name": "T1120"
      },
      {
        "id": "436e795b-553f-444e-b837-65818d8f539f",
        "name": "T1119"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "5bab4974-1fc2-4144-b093-28ebcb8767dc",
        "name": "T1114"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "29398669-98ed-4766-9dac-f9632f7175ff",
        "name": "T1518"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "6aa7866f-9c1f-4159-938a-10a6adf41646",
        "name": "T1553"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Hong Kong"
      },
      {
        "id": "",
        "name": "China"
      },
      {
        "id": "",
        "name": "Malaysia"
      }
    ]
  },
  "external_refs": [
    "https://dti.domaintools.com/chinese-malware-delivery-websites/",
    "https://otx.alienvault.com/pulse/6788e6dfd683ad1bdd9b3f3b"
  ]
}