Tall Tales: How Chinese Actors Use Impersonation and Stolen Narratives to Perpetuate Digital Transnational Repression
· Published 28/04/2026 09:09 · Modified 28/04/2026 14:36
Essential information
- Published
- 28/04/2026 09:09
- Modified
- 28/04/2026 14:36
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- chinese contractors credential harvesting digital transnational repression glitter carp govershell healthkick impersonation campaigns journalist targeting oauth phishing sequin carp tibetan activists uyghur targeting
- Tags
- 2026-04-28 chinese contractors credential harvesting digital transnational repression glitter carp govershell healthkick impersonation campaigns journalist targeting oauth phishing sequin carp tibetan activists uyghur targeting
- Related entities
- 132 indicators, 132 observables, 21 techniques (mitre), 2 malware, 128 others
Description
In collaboration with the International Consortium of Investigative Journalists (ICIJ), two distinct actor clusters aligned with the People's Republic of China were identified targeting journalists and civil society members. GLITTER CARP conducted widespread credential harvesting campaigns against Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists, as well as journalists covering these communities, employing digital impersonation and fake security alerts while frequently reusing infrastructure. SEQUIN CARP specifically targeted journalists involved in ICIJ's China Targets investigation using sophisticated OAuth consent phishing attacks with well-developed personas based on co-opted narratives, though operational mistakes revealed poor persona management. Both campaigns demonstrate China's Military-Civil Fusion system leveraging private contractors to conduct digital transnational repression at scale, with targeting intensifying following the China Targets publication that exposed Chinese governme...
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Indicators (132)
-
sharelinks.info -
entpoinat.com -
myidsafety.com -
userconsola.com -
https://a.web.oauth2-signal.com -
dentialvault.com -
uzrconect.com -
gitlab-ai.com -
accpanelcenter.com -
coincarp.cash -
useverifcation.com -
profilesetup.com -
startentry.com -
gearhelix.com -
identhubs.com -
signalgroup.me -
logncntr.com -
controlprofile.com -
mlinks.info -
syandbly.online -
memburcenter.com -
chinadigitaltime.net -
loginnetal.com -
accountcentar.com -
usrcntr.com -
odview.live -
https://a.web.oauth2-signal.com/gm-oauth2-callback -
icjiorg.org -
akountcenter.com -
configuramgr.com -
useradjust.com -
logifycenter.com -
showthetrick.com -
guidefixit.com -
epochtimes.entryfortify.com -
entrnow.com -
oauth2-signal.com -
verifcredentia.com -
accopanel.com -
entryfortify.com -
browsernotifications.info -
setuppanel.com -
vibshare.me -
hsf898.com -
profilemgr.com -
acctune.com -
logncenter.com -
touzhele.fun -
ifans.online -
guardaccount.com -
userhup.com -
controhub.com -
acespoint.com -
megaview.click -
breachforums.fit -
myacceshub.com -
siginpro.com -
usrkonnect.com -
epechtimes0.org -
sharedrive.cloud -
lineman.live -
linkshub.info -
profileub.com -
signncenter.com -
ocspilots.com -
vonxnews.com -
acesportal.com -
userhubz.com -
identihive.com -
fileprev.com -
odsync.cloud -
2fa.web.oauth2-signal.com -
voinewz.com -
loginshiled.com -
google-document.com -
signinacesspoint.com -
usercontropanel.com -
neuralgiavista.com -
brighterora.com -
fileprev.info -
a.web.oauth2-signal.com -
globalobject.console.info -
signcenterr.com -
interfacily.com -
uzrcenter.com -
mercatdegirona.com -
useracess.com -
openlabc.com -
signinacessint.com -
coupangrank.kr -
proflcntr.com -
youtubenet.com -
configalign.com -
1drv.one -
akounthub.com -
pornhub-net.com -
feelitnov.com -
profilesetop.com -
authinityapp.com -
personalsafezone.com -
https://sctapi.ftqq.com:443/SCT96188ToxRyYX7UWYhASIGRXfL7AAzv.send?title=Gmail&desp=Mozilla%2F5.0%20 -
gnews.news -
redi.ink -
passionateboomers.com -
accntcntr.com -
usergateaccess.com -
lgtymp.fit -
uzrconnect.com -
oneclickautht.com -
evtreview.com -
novamecha.com -
userpref.com -
deeporbiton.com -
https://megaview.click/pdf_to_scilla -
entrzone.com -
ivycemnp.com -
userportl.wine -
secureagate.com -
telegra.live -
https://sctapi.ftqq.com -
lineme.live -
https://sctapi.ftqq.com:443/SCT269149TJZWARwQ76bEWeM6Vjrgih583.send?title=Gmail&desp=3D[TARGET -
mmbrhub.com -
signivaullt.com -
odsync.live -
oauth-api.com -
entruhub.com -
givemethedge.com -
sctapi.ftqq.com -
protectehub.com -
userpanell.com -
entgate.com
Observables (132)
identhubs.comusrkonnect.comodview.livegoogle-document.comdentialvault.comocspilots.comusergateaccess.comgitlab-ai.comprofilesetup.comsignncenter.comchinadigitaltime.netgivemethedge.comgearhelix.commmbrhub.comusercontropanel.comuseverifcation.comuzrconnect.comsignalgroup.meinterfacily.com1drv.oneneuralgiavista.comprofilesetop.comverifcredentia.comopenlabc.comauthinityapp.commercatdegirona.comsharedrive.cloudtelegra.liveuserhubz.comprofilemgr.comvonxnews.compassionateboomers.comguardaccount.comaccopanel.comcoupangrank.krmegaview.clickuserconsola.comfileprev.infoentryfortify.comodsync.livesecureagate.comakounthub.comlogifycenter.comsigncenterr.comusrcntr.comacctune.comloginnetal.comsiginpro.comconfigalign.comproflcntr.comguidefixit.comuzrcenter.comentpoinat.comcoincarp.cashloginshiled.combreachforums.fitifans.onlinepornhub-net.comlgtymp.fitlineme.livesigninacessint.compersonalsafezone.commyacceshub.comdeeporbiton.commyidsafety.comlinkshub.infouserpref.comoneclickautht.comentrnow.comevtreview.comuzrconect.comuserpanell.comsigninacesspoint.comvibshare.megnews.newsuseradjust.comivycemnp.comuserhup.combrighterora.comacespoint.comakountcenter.comlineman.liveentgate.comshowthetrick.comvoinewz.comaccountcentar.comoauth2-signal.comacesportal.comlogncntr.comhsf898.comidentihive.commlinks.infosharelinks.infoentrzone.comnovamecha.comoauth-api.comepechtimes0.orgaccntcntr.comconfiguramgr.comuseracess.comprotectehub.comcontrolprofile.comentruhub.comsyandbly.onlinefileprev.commemburcenter.comcontrohub.comsetuppanel.comicjiorg.orgbrowsernotifications.infosignivaullt.comaccpanelcenter.comtouzhele.funstartentry.comredi.inkodsync.cloudlogncenter.comfeelitnov.comyoutubenet.comuserportl.wineprofileub.comsctapi.ftqq.comglobalobject.console.info2fa.web.oauth2-signal.comepochtimes.entryfortify.coma.web.oauth2-signal.comhttps://megaview.click/pdf_to_scillahttps://sctapi.ftqq.com:443/SCT269149TJZWARwQ76bEWeM6Vjrgih583.send?title=Gmail&desp=3D[TARGEThttps://a.web.oauth2-signal.comhttps://sctapi.ftqq.com:443/SCT96188ToxRyYX7UWYhASIGRXfL7AAzv.send?title=Gmail&desp=Mozilla%2F5.0%20https://a.web.oauth2-signal.com/gm-oauth2-callbackhttps://sctapi.ftqq.com
Techniques (MITRE) (21)
-
Adversary-in-the-Middle
-
Remote Email Collection
-
Match Legitimate Resource Name or Location
-
Browser Session Hijacking
-
Input Capture
-
Steal Application Access Token
-
Masquerading
-
ARP Cache Poisoning
-
Phishing
-
Gather Victim Identity Information
-
Spearphishing Link
-
Spearphishing Attachment
-
Email Collection
-
Steal Web Session Cookie
-
Phishing for Information
-
Account Discovery
-
Spearphishing Link
-
Web Portal Capture
-
Local Account
-
Email Addresses
-
Cloud Account
Malware (2)
-
FamilyPublished 28/04/2026 07:09 · Modified 28/04/2026 07:09
-
FamilyPublished 28/04/2026 07:09 · Modified 28/04/2026 07:09
Others (128)
- Media
- NGO
- sharelinks.info
- entpoinat.com
- myidsafety.com
- userconsola.com
- dentialvault.com
- uzrconect.com
- gitlab-ai.com
- accpanelcenter.com
- coincarp.cash
- useverifcation.com
- profilesetup.com
- startentry.com
- gearhelix.com
- identhubs.com
- signalgroup.me
- logncntr.com
- controlprofile.com
- mlinks.info
- syandbly.online
- memburcenter.com
- chinadigitaltime.net
- loginnetal.com
- accountcentar.com
- usrcntr.com
- odview.live
- icjiorg.org
- akountcenter.com
- configuramgr.com
- useradjust.com
- logifycenter.com
- showthetrick.com
- guidefixit.com
- epochtimes.entryfortify.com
- entrnow.com
- oauth2-signal.com
- verifcredentia.com
- accopanel.com
- entryfortify.com
- browsernotifications.info
- setuppanel.com
- vibshare.me
- hsf898.com
- profilemgr.com
- acctune.com
- logncenter.com
- touzhele.fun
- ifans.online
- guardaccount.com
- userhup.com
- controhub.com
- acespoint.com
- megaview.click
- breachforums.fit
- myacceshub.com
- siginpro.com
- usrkonnect.com
- epechtimes0.org
- sharedrive.cloud
- lineman.live
- linkshub.info
- profileub.com
- signncenter.com
- ocspilots.com
- vonxnews.com
- acesportal.com
- userhubz.com
- identihive.com
- fileprev.com
- odsync.cloud
- 2fa.web.oauth2-signal.com
- voinewz.com
- loginshiled.com
- google-document.com
- signinacesspoint.com
- usercontropanel.com
- neuralgiavista.com
- brighterora.com
- fileprev.info
- a.web.oauth2-signal.com
- globalobject.console.info
- signcenterr.com
- interfacily.com
- uzrcenter.com
- mercatdegirona.com
- useracess.com
- openlabc.com
- signinacessint.com
- coupangrank.kr
- proflcntr.com
- youtubenet.com
- configalign.com
- 1drv.one
- akounthub.com
- pornhub-net.com
- feelitnov.com
- profilesetop.com
- authinityapp.com
- personalsafezone.com
- gnews.news
- redi.ink
- passionateboomers.com
- accntcntr.com
- usergateaccess.com
- lgtymp.fit
- uzrconnect.com
- oneclickautht.com
- evtreview.com
- novamecha.com
- userpref.com
- deeporbiton.com
- entrzone.com
- ivycemnp.com
- userportl.wine
- secureagate.com
- telegra.live
- lineme.live
- mmbrhub.com
- signivaullt.com
- odsync.live
- oauth-api.com
- entruhub.com
- givemethedge.com
- sctapi.ftqq.com
- protectehub.com
- userpanell.com
- entgate.com