Malicious Browsers, Messengers, VPNs, and More…

Hundreds of newly registered domains are actively targeting Chinese-speaking users with malware. This report analyzes that activity and details the range of deceptive lures employed, including imitations of messengers, browsers, VPNs, email services, and Adobe software.

Details

Since at least June 2024, a cluster of over four hundred domains has been registered to host spoofed websites that deliver malware to Chinese-speaking users. The spoofed application download sites have included web browsers, VPNs, chat and email applications, as well as crypto wallet and online gambling apps. These websites share several commonalities in registration details, backend infrastructure, website configuration, and theme. The sections below sample those domains.

Identified malware families include Gh0stRAT, ValleyRAT, Remcos RAT, LummaStealer, RedLine, and others.

Common registration details:

  • IP ASN: Amazon, Cloudflare, Alibaba, CloudRadium
  • Registrar: Dominet (HK) Limited, 22net, webcc, Gname
  • Nameserver domain: alidns[.]com, cloudflare[.]com, hndnsv1[.]com
  • Resolved IPs: 54.215.49[.]143 and 54.193.24[.]113
  • TLS certificate validity: 90 days

Screenshot of malicious domain "chrmpw[.]top", which spoofs a "GPT Chrome" browser download page

Delivery Domain: chrmpw[.]top
Download URL: https[:]//chrmpw[.]top/download.html
Filename: GPTChromX64.exe
SHA256: 29163c8afb477b27f700e1c5eac694a6cbb816a86c8eadbbbac6ba5c034a9c96
Dropped File (SHA256): 443a4ce93232d56f0d1d15e6875f7eff5fc581f25df320e277608be0d1148fa1
Suspected Malware Family: Gh0stRAT

Malicious domain kuailianlow[.]com, which spoofs as Kuailian Accelerator VPN (快连加速器)

Index.html

Both download buttons carry an onclick="down()" handler.

The down() function is defined in an inline script in the HTML. Its purpose is to construct the file download path; to do so it reads the property "filename" from the global window object using dictionary-style access, window['filename'].

The value of window['filename'] is set in "filename.js", a separate script imported by the HTML, so the payload name does not appear in the page source itself.

Delivery Domain: kuailianlow[.]com
Download URL: kuailianlow[.]com/download/letspn-latest.exe
Filename: letspn-latest.exe
SHA256: 1f58903b39f58568589776333d2752957c1dd1a2c5296fd2fd5343560f6be860
Contacted URL: http[:]//47.242.127[.]63:15628
Suspected Malware: Trojan Downloader

“Where there’s one rat, there’s a nest”

Expanding the search for similar websites and domain registration patterns identifies several more spoofed VPN download websites.

Commonalities include the use of a filename.js to hold the malicious filename, and hard-coded Chinese-language text, whereas the legitimate websites localize their content based on the language settings of the visitor's browser. The latter suggests a preference for targeting Chinese-language users.

Several of the spoofed VPNs, such as LetsVPN, appear in online guides as popular choices for bypassing the Great Firewall of China.

Delivery Domain: kipkshsa[.]top
Download URL: kipkshsa[.]top/download/letsvppn-latest.msi
Filename: letsvppn-latest.msi
SHA256 (Stage 1 MSI): d1c9957bd55933a619d22e741fadcee6085e679e66af5cd8edbff7d9cf8fd4cf
SHA256 (Stage 2 downloader, QQQQ.exe): 927474984e549f9d1269950e5782f755cb96f11d404a3cac56114d1e795609c5
Stage 2 Download URL: https[:]//fs-im-kefu.7moor-fs1[.]com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1733466890455/3.txt
SHA256 (Stage 2 dropper, 3.txt): 839e314d6027977399ee486d1cadba972685550ab97467ec77ef746ffc81a478
SHA256 (Stage 2 trojan): 7ac5b8905c760bf38d38761efc56362799f8a40b4fe2d570f56472b83a625360
Suspected Malware: Gh0stRAT

A similar variation employs an additional imported JavaScript file to dynamically load the page content and button download actions.

Malicious domain, letscdn[.]world, which spoofs as LetsVPN 

Excerpt from Index.html – File Download Buttons with href JavaScript function calls to onDownload()

Excerpt from Index.html – Importing “/assets/js/jquery.min.js” via script tags.

Excerpt from "/assets/js/jquery.min.js" – a file named like the jQuery library but carrying the lure's download logic. It loads the script "/assets/download/filename.js" and builds the download URL by concatenating "https[:]//" + "letscdn[.]world" + "/assets/download/" + window.filename, yielding "https[:]//letscdn[.]world/assets/download/letsvpn-latest.rar".

The value of window.filename is defined in the other imported JavaScript file, "/assets/download/filename.js".
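Both constructions described above (a handler that reads window['filename'] from an imported filename.js, and an onDownload() helper in a file named jquery.min.js that concatenates scheme, host and path) can be recovered statically, which lets an analyst pull the payload URL from a saved lure page without executing its JavaScript. The following Python is an added example written for this edit; it is not tooling from the original report or code taken from the campaign pages. The page bodies and script contents are constructed to mirror the described behaviour; the function bodies, element markup and the path of filename.js on kuailianlow[.]com are assumptions, while the hostnames and the resulting URLs match those reported above.

```python
"""
Static recovery of a lure page's payload URL without running its JavaScript.
Added example for this edit, not code from the report or the campaign pages.
Inputs below are constructed; hostnames/filenames are the report's own, the
script bodies and the filename.js path on kuailianlow[.]com are assumptions.
"""
import re
from urllib.parse import urljoin

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>', re.I | re.S)
# handler names invoked from onclick="..." or href="javascript:..."
HANDLER_RE = re.compile(r'''(?:onclick=["']|href=["']javascript:)\s*(\w+)\s*\(''', re.I)
# window['filename'] = '...'  or  window.filename = "..."
FILENAME_RE = re.compile(r'''window(?:\[['"]filename['"]\]|\.filename)\s*=\s*['"]([^'"]+)['"]''')
# a chain of string literals joined with + that ends in an identifier
CHAIN_RE = re.compile(r'''((?:["'][^"']*["']\s*\+\s*)+)(\w[\w.'"\[\]]*)''')
STRING_RE = re.compile(r'''["']([^"']*)["']''')


def function_body(js, name):
    """Return the body of `function name(...) { ... }` in js, or None."""
    m = re.search(r'function\s+' + re.escape(name) + r'\s*\([^)]*\)\s*\{', js)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(js) and depth:               # walk to the matching brace
        depth += {'{': 1, '}': -1}.get(js[i], 0)
        i += 1
    return js[m.end():i - 1]


def extract_payload_urls(base_url, html, scripts):
    """Rebuild the URL(s) the lure's download buttons would request.

    scripts maps each imported <script src> path to its content as fetched
    by the analyst; nothing is evaluated as JavaScript.
    """
    js_blobs = INLINE_SCRIPT_RE.findall(html)
    js_blobs += [scripts[src] for src in SCRIPT_SRC_RE.findall(html) if src in scripts]
    all_js = "\n".join(js_blobs)

    m = FILENAME_RE.search(all_js)             # the name hidden in filename.js
    filename = m.group(1) if m else None

    urls = []
    for handler in dict.fromkeys(HANDLER_RE.findall(html)):   # ordered, deduplicated
        body = function_body(all_js, handler)
        if body is None:                                       # e.g. javascript:void(0)
            continue
        for chain, _tail in CHAIN_RE.findall(body):
            path = "".join(STRING_RE.findall(chain))
            if filename:                   # tail is window.filename or an alias of it
                path += filename
            urls.append(urljoin(base_url, path))
    return urls


# constructed lure 1: kuailianlow[.]com style (onclick="down()" + filename.js)
KUAILIAN_HTML = """<html><head>
<script src="/assets/download/filename.js"></script>
</head><body>
<a href="javascript:void(0)" onclick="down()">Windows download</a>
<a href="javascript:void(0)" onclick="down()">Download now</a>
<script>
function down(){
  var f = window['filename'];
  location.href = "/download/" + f;
}
</script>
</body></html>"""
KUAILIAN_SCRIPTS = {"/assets/download/filename.js": "window['filename'] = 'letspn-latest.exe';"}

# constructed lure 2: letscdn[.]world style (onDownload() inside "jquery.min.js")
LETSCDN_HTML = """<html><head>
<script src="/assets/download/filename.js"></script>
<script src="/assets/js/jquery.min.js"></script>
</head><body>
<a href="javascript:onDownload()">Windows download</a>
<a href="javascript:onDownload()">macOS download</a>
</body></html>"""
LETSCDN_SCRIPTS = {
    "/assets/download/filename.js": "window['filename'] = 'letsvpn-latest.rar';",
    "/assets/js/jquery.min.js": """
function onDownload(){
  var u = "https://" + "letscdn.world" + "/assets/download/" + window.filename;
  window.open(u);
}""",
}

if __name__ == "__main__":
    print(extract_payload_urls("https://kuailianlow.com/", KUAILIAN_HTML, KUAILIAN_SCRIPTS))
    print(extract_payload_urls("https://letscdn.world/", LETSCDN_HTML, LETSCDN_SCRIPTS))
```

The extractor deliberately resolves only literal concatenation chains; anything the lure computes at runtime (for example a filename fetched over the network) will not be recovered, and the empty result is the signal to fall back to a sandboxed browser.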

Delivery Domain: letscdn[.]world
Download URL: https[:]//letscdn[.]world/assets/download/letsvpn-latest.rar
Filenames: letsvpn-latest.rar, letsvpn-latest.exe
SHA256: bb152e75a72aa3ae675561f308614eba6c070e55e3895bc1b67125689dc24cee
SHA256: c7531f022be3a5e33aa71aadcd5f0b5ae9989c7980b3a218e1e1415f6b61953d

Fake Login Pages Delivering Malware

Examples of fake login pages used to deliver malware were also identified.

The following screenshot shows the malicious domains "xmengapp[.]top" and "xinmeng[.]xyz", which spoof a company called Genting Trust Union, purportedly an enterprise management platform that businesses use to engage customers. No legitimate company by that name was identified, and the company and website are suspected to be fabricated to lure prospective marketing and sales teams. The website claims to offer several service and data-integrator apps for marketing purposes, but in fact only delivers the trojans described below.

Among the website's imported JavaScript files is "/assets/js/ebzcecf9.js", which contains the login credentials the page accepts; the login check is therefore performed client-side.

Logging into the application would load the following landing page:

Notably, the top-bar item "cloudtop" is a download button for a suspected malicious file, but the link returns a 404.

The main section (right) is a range of services and tools related to online marketing and lead generation such as driving traffic to websites, automating tasks, managing multiple accounts, managing phone numbers for telemarketing, integrating proxies, overseas payments, AI tools for content creation and the like. 

The left panel contains a page link for “User Management”.

Clicking the blue "Click verification" button shown in the screen capture above opens a pop-up alert with the following message:

"Detected that the bundled plugin is not installed. Please install and retry."

Clicking "OK" opens a download prompt for the following .msi file. The MSI bundles multiple files, including ones that AV scanners tag as Gh0stRAT and Farfli. A possible C2 was identified at 134.122.135[.]95, a suspected ValleyRAT C2.

Filename: GoogleAuthPc_Installer.msi
SHA256: 9ba254138f5e79354334a0deb48e38d04fa3754ac43b4a2adc388f81705ef044
SHA256: c7ba88724118bacaad78ff46794b6d2ebb7f1c55753d95249f6bcd0c49a8cd74
ValleyRAT C2: 134.122.135[.]95:4443

The associated malware, activity, and methodology overlap closely with reporting by the Knownsec 404 team and Fortinet on suspected APT activity named "Silver Fox".

Compendium of Chinese Malware Delivery Domains

The following are examples of the spoofed websites used to deliver malware in this cluster of activity from at least June 2024 to January 2025. Example delivery domains and, where available, their malware download URLs and SHA256 hashes are provided for each entry. The listing is non-exhaustive.

Spoofs as QuickQ, a network accelerator and encrypted traffic tool.
  Domain: quickqi[.]net
  Domain: quickiq[.]top
  URL: quickqi[.]net/assets/download/quicqk66.12.msi
  URL: quickiq[.]top/assets/download/win32-quicq.msi
  SHA256: 1a793de251bffb1edc309aa0b7fd02354c7c99d3cb1f24b3e0140d2015dc49a (63 hex characters as published; likely truncated)
  SHA256: fe1b5431ae27c85b1c652e3ac9541c2a801540c02c04fa7f4a3a9543c284eca5

Spoofs as WhiteWhale VPN (白鲸加速器).
  Domain: isdndjsq[.]top
  URL: isdndjsq[.]top/assets/download/win32-quicq.msi
  SHA256: fe1b5431ae27c85b1c652e3ac9541c2a801540c02c04fa7f4a3a9543c284eca5 (same payload as the QuickQ lure above)

Spoofs as the Yiwaiwai customer service chat assistant, purportedly a download for Chrome, QQ, WeChat, Quanniu, Pinduoduo, Doudian, and others.
  Domain: eyy5201[.]top
  URL: https[:]//eyy5201[.]top/static/download/yiwaiwai66.31.msi
  SHA256: fe86e1fff0afefd79de4fd26f041757495c5fadd116400699411a200978f0e41

Spoofs as LetsVPN download sites.
  Domain: letsvpn-ui[.]top
  Domain: kingtelmfng[.]top
  URL: https[:]//letsvpn-ui[.]top/assets/download/letsvpn-latest.exe
  SHA256: e09056567f146da73aa0c4266a15cd61655e4402146b75a836d1c92926cd37c4

Fake webmail login pages (screenshots in the original) that all deliver the same archive:
  Domain: z42f1m[.]top (spoofs a Microsoft Outlook login page)
  Domain: vejm60[.]top (spoofs a Google mail login page)
  Domain: vzvlco[.]top (spoofs a QQ mail login page)
  Domain: taufp6[.]top (spoofs a 163 mail login page)
  URL: https[:]//pub-bbd4563a163f414086e62f5cf87a6b4e.r2[.]dev/fah-0.zip
  SHA256: 73083665902ccc0cf7cbd48af24ecd62205ff2f0970e3206f6f9be5ae096bc46
  SHA256: a099f02c95b99abfcb3825d795797a11d69a08dc0d95e9171325dc13a9bcd796
  SHA256: ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
  Suspected Malware: RedLine, LummaStealer
Spoofs as the AnyDesk remote desktop application.
  Domain: andesksr[.]com
  URL: https[:]//andesksr[.]com/assets/download/anydeskx64-32.3.0.zip

Spoofs as Yiji Pay, a financial payment application.
  Domain: yijfu[.]com
  URL: https[:]//yijfu[.]com/assets/download/PassGuardSetuhz.exe

Spoofs iTools for Windows, a tool for managing Apple mobile devices.
  Domain: i4z[.]xyz

Spoofs the Huorong Internet Security website; the download links pose as its personal and enterprise security products.
  Domain: huurongs[.]top
  Domain: huoroug[.]top

Spoofs as a game download link for QQ.
  Domain: qqsgs[.]com

Spoofs as a Google Chrome download site.
  Domain: oogiie[.]top

Spoofs as Youdao Dictionary, software for translating text between Chinese, English, and other languages.
  Domain: yoodaou[.]xyz
  URL: https[:]//yoodaou[.]xyz/assets/download/QuarkUpdaterSetup_fuzz_1.rar
  SHA256: 1a48a730cdd4982a5ac0b44984d70253eab9ea070285d9fc2124c83270576cf4
  SHA256: f8c117a65e11fd370cb0673d1066af3415dfd9c8fde98225498f6e4ac92c213e

Spoofs as ToDesk remote desktop software.
  Domain: todeskzis[.]xyz
  URL: https[:]//todeskzis[.]xyz/assets/download/ToDesk (2).zip
  SHA256: 215872ff03e4a9d0baf12643b94d8cb60a5dba86153fa05148bd52344567e030
  SHA256: d5b9d07f1aa0bf738521db66439d448913da86420f2c2a0753e35ba6b63a393a

Spoofs as ToDesk remote desktop software; the payload is staged on Alibaba Cloud OSS.
  Domain: todeskeq[.]top
  URL: https[:]//0h6ai2g7.oss-ap-southeast-1.aliyuncs[.]com/ToDesk_Setup.zip (the file is actually a .rar archive)
  SHA256: 134cba7e74c243b3f58535fd224f14a637445e176a5017a8d2938f357a88e9cb
  SHA256: 3823cc7228d7d8f75f007a4eafc0e4f4f1789ce26a6e1ca15c5045e17810396d
  Retrieves: https[:]//ws636rj.oss-ap-southeast-1.aliyuncs[.]com/encrypted_shellcode.bin

Spoofs WuYou, a service for receiving verification codes from SMS and online platforms.
  Domain: wuyoujieee[.]com
  Domain: oracl[.]top

Spoofs as a Skype teleconference application download.
  Domain: skyes1[.]top

Spoofs Youdao, a translation app.
  Domain: yoadao[.]xyz

Gaming platform; the download URL references the MuMu emulator.
  Domain: 163i[.]top
  URL: https[:]//mumu.163i[.]top/assets/download/Mumu模拟器.zip

Android emulator for Windows, purportedly for playing mobile games on the desktop; the percent-encoded filename decodes to 雷电模拟器.zip (LDPlayer).
  Domain: lediam[.]xyz
  URL: https[:]//d9gc24pw.oss-ap-southeast-1.aliyuncs[.]com/%E9%9B%B7%E7%94%B5%E6%A8%A1%E6%8B%9F%E5%99%A8.zip
  SHA256: ffe3be504d0a89ace9271a6a1fc51f6b0539903a10b1bf89285875606852ba65
Lure not described in the original; the name suggests the Clash proxy client.
  Domain: clashcn[.]xyz

Site promoting overseas marketing tooling, carrying the taglines "QC7 goes overseas to navigate global social traffic", "Accurate overseas customer acquisition starts with filtering number data", and "Overseas account screening platform".
  Domain: 007z[.]top
  URL: https[:]//007z[.]top/assets/download/007-Setup.exe
  SHA256: e34fd0f5fbc5f09f55ccdf2e6a5f70215c8686f9c83c45f421ac2a475d8bfd47

Spoofs Yuanqi, a website and app providing anime wallpapers without watermarks.
  Domain: yqdesk[.]top

Spoofs KARIOS, which purports to be an SMS provider for sending text messages.
  Domain: karlosqp[.]xyz

Spoofs as an unnamed merchant backend login page. Clicking login produces a popup with a "please install" link for a malicious file posing as "cryptokit_sando"; clicking OK redirects to an /update page whose banner offers the same file, this time posing as a Flash Player update.
  Domain: shanghud[.]com
  URL: https[:]//shanghud[.]com/assets/download/k3.2.6.0升级组件.exe (升级组件 translates to "upgrade component")
  SHA256: 65049df06de78a4fda14d5f07d83eef1b316c0dea0ecfc3dbec7e5e1b7b20754

Spoofs as the "T Star Diamond Payment - Merchant Backstage" login page. Clicking the login button downloads Gh0stRAT.
  Domain: xingzuan[.]xyz
  URL: https[:]//xingzuan[.]xyz/assets/download/xingzuansetupg5.exe
  SHA256: 5e1d7275b0abd484c15f186690db73c42e861311da3f5f048563636336933b4a
  Downloads additional files from: https[:]//wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud[.]com

Spoofs as Dex Screener, a cryptocurrency website. Clicking any button opens a popup with a download link posing as a Flash Player update; the archive contains Gh0stRAT and Blackmoon samples.
  Domain: dexscreeners[.]icu
  URL: https[:]//aaa8999.oss-us-west-1.aliyuncs[.]com/Flash_x32.zip
  SHA256: 86f8239224a0ace2b1e0a2216511b0a0aea1bf055f7cbeca2fcf9c316f3de921

Spoofs as the popular Line messenger application.
  Domain: iines[.]xyz

Spoofs DeepL Pro, a machine translation service that advertises end-to-end encryption and automatic deletion of translated text.
  Domain: deepil[.]top
  Domain: deeplx[.]top

Spoofs as 2345 Image King, image viewing software.
  Domain: 2345ktws[.]xyz

Spoofs as Quark AI, an AI-powered assistant application.
  Domain: quarki[.]top

Spoofs as a cryptocurrency exchange.
  Domain: chachap[.]top
  URL: https[:]//0l1hsqvd.oss-ap-southeast-1.aliyuncs[.]com/uCheckerInst.zip

Spoofs as 360 Browser, a web browser developed by the Chinese internet security company Qihoo 360.
  Domain: 360browsap[.]top

Spoofs as a mobile and web game site.
  Domain: ttcy365[.]com

Spoofs as Sunflower Remote Control software, which offers remote access to other computers, file transfer, and remote assistance.
  Domain: orays[.]top

Displays a banner warning of malicious activity spoofing the brand, but is itself a spoof.
  Domain: baofuupay[.]com
  URL: https[:]//baofuupay[.]com/assets/download/setup.exe
  SHA256: 2901ca8eefd1d431d25f3d45dbf42dc48136b74692801ca0f6b606541d645baf

Spoofs as the Enigma Messenger app, an end-to-end encrypted chat app.
  Domain: immersivetranslate[.]top

Spoofs as a cryptocurrency exchange app.
  Domain: tradingview[.]trade

Spoofs the Signal messaging application, an end-to-end encrypted chat app.
  Domain: signall[.]xyz
  Domain: signel[.]top

Spoofs as AdsPower, an anti-detect browser for managing multiple online accounts.
  Domain: adspowerr[.]top

Spoofs as the 360 Security Guard Software Manager offering the iTools app (used for managing Apple mobile devices).
  Domain: i4app[.]top

Spoofs as a Firefox browser download.
  Domain: firefoxz[.]top

Spoofs the LianLian Pay application.
  Domain: lianlianpoy[.]com

Spoofs as a financial payments management website.
  Domain: shengfuton[.]com

Spoofs as a music streaming app.
  Domain: wymusic[.]top

Spoofs as Snipaste, a screenshot and screen recording tool.
  Domain: snipaste[.]top

Spoofs as Aurora PDF, a service for creating, editing, and viewing PDF files.
  Domain: jiguang[.]icu

Spoofs as Steam, the digital distribution platform for video games.
  Domain: steams[.]top

Spoofs as 163 VPN by NetEase, designed primarily for users within China to reach websites blocked by the Great Firewall.
  Domain: 163e[.]top

Spoofs a Gmail login page.
  Domain: qmails[.]top

Spoofs the Telegram messenger application.
  Domain: telegrinxkam[.]top
  Domain: telegrcm[.]ing
  Domain: teiegram[.]ing
  Domain: telegrpcm[.]xyz
  URL (telegrinxkam[.]top): https[:]//telegrinxkam[.]top/assets/download/Ttsetuphdmgj.exe
  SHA256: d219a6056e1f65507c984475711bd7e674b1319d11fd7a1149f3da983fd4f7c8

Spoofs as SaleSmartly, a customer communication platform.
  Domain: salesmart[.]top
  URL: https[:]//wien.oss-ap-southeast-1.aliyuncs[.]com/win7-salesmartly.zip

Spoofs the Google Play store to deliver a malicious application.
  Domain: goople[.]top
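One pattern worth pulling out of the compendium and the IOC tables is where each payload is actually staged: some lures serve the file from the throwaway domain itself, while others hand off to public object storage (Alibaba Cloud OSS buckets in ap-southeast-1, cn-shenzhen, cn-hongkong and us-west-1, a Cloudflare R2 public bucket, and a Tencent Cloud COS bucket), which a defender usually cannot block wholesale and must instead watch per bucket. The following Python is an added example written for this edit, not tooling from the original report. It refangs the report's "[.]" and "[:]" notation and parses the hostname layouts the providers publicly document (bucket.oss-region.aliyuncs.com, bucket-appid.cos.region.myqcloud.com, pub-id.r2.dev); the sample URL list is taken from this report, and the provider labels are this example's own naming.

```python
"""
Triage helper for the download URLs in this report's compendium and IOC tables.
Added example for this edit, not tooling from the original report. It refangs
the report's notation and tells first-party lure-domain downloads apart from
payloads staged in public object storage. Hostname layouts assumed here are the
providers' documented public formats; provider labels are this example's own.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: URLs copied (defanged) from this report.
REPORT_URLS = [
    "https[:]//telegrinxkam[.]top/assets/download/Ttsetuphdmgj.exe",
    "https[:]//0h6ai2g7.oss-ap-southeast-1.aliyuncs[.]com/ToDesk_Setup.zip",
    "https[:]//ws636rj.oss-ap-southeast-1.aliyuncs[.]com/encrypted_shellcode.bin",
    "https[:]//pub-bbd4563a163f414086e62f5cf87a6b4e.r2[.]dev/fah-0.zip",
    "https[:]//wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud[.]com",
    "http[:]//quickq[.]fit/sdk/win32-quickq.exe",
    "kuailianlow[.]com/download/letspn-latest.exe",
]

# <bucket>.oss-<region>.aliyuncs.com / <bucket>-<appid>.cos.<region>.myqcloud.com / pub-<id>.r2.dev
STAGING_PATTERNS = [
    ("alibaba-oss", re.compile(r"^(?P<bucket>[^.]+)\.oss-(?P<region>[a-z0-9-]+)\.aliyuncs\.com$")),
    ("tencent-cos", re.compile(r"^(?P<bucket>[^.]+)\.cos\.(?P<region>[a-z0-9-]+)\.myqcloud\.com$")),
    ("cloudflare-r2", re.compile(r"^(?P<bucket>pub-[0-9a-f]{32})\.r2\.dev$")),
]


def refang(value):
    """Turn the report's defanged notation back into a parseable URL."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    if "://" not in value:            # bare host/path entries in the tables
        value = "http://" + value
    return value


def classify_staging(defanged_url):
    """Return provider, host, bucket, region and path for one report URL."""
    parsed = urlparse(refang(defanged_url))
    host = parsed.hostname or ""
    for provider, pattern in STAGING_PATTERNS:
        m = pattern.match(host)
        if m:
            return {"provider": provider, "host": host,
                    "bucket": m.group("bucket"),
                    "region": m.groupdict().get("region"),
                    "path": parsed.path}
    # no object-storage layout matched: the lure domain serves the file itself
    return {"provider": "lure-domain", "host": host, "bucket": None,
            "region": None, "path": parsed.path}


def summarize(defanged_urls):
    """Count payload staging providers across a list of report URLs."""
    return Counter(classify_staging(u)["provider"] for u in defanged_urls)


if __name__ == "__main__":
    for u in REPORT_URLS:
        print(classify_staging(u))
    print(dict(summarize(REPORT_URLS)))
```

Blocking at the bucket level (the "bucket" field) rather than the provider hostname keeps legitimate traffic to the same cloud region flowing; the "lure-domain" entries, by contrast, are safe to sinkhole outright.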

Conclusion

The spoofed malware delivery websites sampled in this report share commonalities in configuration, domain registration patterns, and a suspected intent to target Chinese-speaking users. Indications also suggest a broader audience of Chinese speakers outside mainland China, including in Malaysia and Hong Kong.

The majority of the malware delivered by the spoofed websites consisted of stealers and trojans capable of stealing credentials and providing remote access to compromised systems. All malware identified targeted Windows. Among the samples were several that AV vendors assessed to be Gh0stRAT, LummaStealer, RedLine, Farfli, and ValleyRAT, and C2 infrastructure associated with ValleyRAT was also identified.

The activity and infrastructure of this cluster overlap strongly with the previously reported APT group Silver Fox. Similarities include the spoofed websites, the focus on Chinese-language speakers, and the use of ValleyRAT. The overall volume, variety, and duration of the activity also align with previous reporting on Silver Fox and suggest an organized, professional operation, such as a commercial hack-for-hire or a nation-state-sponsored contract.

While spoofing websites to deliver malware is nothing new, the sustained volume and consistency point to a systematic effort to target a specific demographic, with the apparent aim of gaining access to Windows devices, initially to steal credentials and then to maintain access for follow-on engagements. Speculation around similar campaigns in the past has included acting as an access broker selling to government organizations or other criminal groups. Another possibility is collateral targeting of a population in order to opportunistically compromise high-value targets: indiscriminate compromises until the operators strike gold, for example by gaining access to a corporation's systems or credentials.

IOCs

Type | Value | Descriptor

Sample 1
Domain | kipkshsa[.]top | Lure Website
URL | kipkshsa[.]top/download/letsvppn-latest.msi | Download URL
Filename | letsvppn-latest.msi |
SHA256 | d1c9957bd55933a619d22e741fadcee6085e679e66af5cd8edbff7d9cf8fd4cf | Stage 1
Filename | QQQQ.exe |
SHA256 | 927474984e549f9d1269950e5782f755cb96f11d404a3cac56114d1e795609c5 | Stage 2 Downloader
URL | https[:]//fs-im-kefu.7moor-fs1[.]com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1733466890455/3.txt | Stage 2 Download URL
Filename | 3.txt |
SHA256 | 839e314d6027977399ee486d1cadba972685550ab97467ec77ef746ffc81a478 | Stage 2 Dropper
SHA256 | 7ac5b8905c760bf38d38761efc56362799f8a40b4fe2d570f56472b83a625360 | Stage 2 Trojan: Gh0stRAT

Sample 2
Domain | opjs[.]club | Lure Website
URL | https[:]//ni1kpuro.oss-ap-southeast-1.aliyuncs[.]com/QuickQ.zip | Download URL
Filename | QuickQ.zip |
Filename | QuickQ.msi |
SHA256 | 7aa498dc87e734e306f850082fad723ca7c05ef2f0a84c5232111eb3e86156fc |
SHA256 | adb6afadbd9f31a2c6548b6e3c6378a7164a3604c04332e48a409c16faf4f598 | Spyware: Chinad / FlyStudio

Sample 3
Domain | kuailiani[.]net | Lure Website
URL | kuailiani[.]net/download/kuailian64.52.msi | Download URL
Filename | kuailian64.52.msi |
SHA256 | d75a2b9d03aab50d9f3eb6afbde06034adec7a183dfcaf090ce78e4cd7a59117 |
Filename | AICustAct.dll |
SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 | RedLine / LummaStealer

Sample 4
Domain | quiirkq[.]club | Lure Website
URL | https[:]//caiyun1688.oss-cn-shenzhen.aliyuncs[.]com/QuickQ-18.zip | Download URL
Filename | QuickQ-18.zip |

Sample 5
Domain | mctuqqe4z[.]top | Lure Website
URL | mctuqqe4z[.]top/qucke1.2_快客.zip | Download URL
Filename | qucke1.2_快客.zip |
Filename | qucke1.2_快客.exe |
SHA256 | 5283873308336ae1011ebfe1d057621413b7d528340e45d76359850d5589e662 |
SHA256 | e15a6646d20b4aa486f06fa81a1af55be0bd99dbff85cbd7a7a29d15ad73a693 |
Filename | win32-67-quickq.exe |
SHA256 | e5205e1964b63ce14c85dd2c1ff6cdb06b3b1d323ccdbe0b2d6368a88dfe8f70 | Trojan

Sample 6
Domain | quickqi[.]net | Lure Website
URL | quickqi[.]net/assets/download/quicqk66.12.msi | Download URL
Filename | quicqk66.12.msi |
SHA256 | 1a793de251bffb1edc309aa0b7fd02354c7c99d3cb1f24b3e0140d2015dc49a | (63 hex characters as published; likely truncated)

Sample 7
Domain | quickiq[.]top | Lure Website
URL | quickiq[.]top/assets/download/win32-quicq.msi | Download URL
Domain | isdndjsq[.]top | Lure Website
URL | isdndjsq[.]top/assets/download/win32-quicq.msi | Download URL
Filename | win32-quicq.msi |
SHA256 | fe1b5431ae27c85b1c652e3ac9541c2a801540c02c04fa7f4a3a9543c284eca5 | Trojan Downloader

Sample 9
Domain | letscdn[.]world | Lure Website
URL | https[:]//letscdn[.]world/assets/download/letsvpn-latest.rar | Download URL
Filename | letsvpn-latest.rar |
Filename | letsvpn-latest.exe |
SHA256 | bb152e75a72aa3ae675561f308614eba6c070e55e3895bc1b67125689dc24cee |
SHA256 | c7531f022be3a5e33aa71aadcd5f0b5ae9989c7980b3a218e1e1415f6b61953d | Trojan

Sample 10
Domain | telegrinxkam[.]top | Lure Website
URL | https[:]//telegrinxkam[.]top/assets/download/Ttsetuphdmgj.exe | Download URL
Filename | Ttsetuphdmgj.exe |
SHA256 | d219a6056e1f65507c984475711bd7e674b1319d11fd7a1149f3da983fd4f7c8 |
SHA256 | f309c2c4847a5c888a580a2b154dfa1168016a9c3a335890f1b9e201819857e3 | Trojan: VMProtect-packed

Sample 11
Domain | eyy5201[.]top | Lure Website
URL | https[:]//eyy5201[.]top/static/download/yiwaiwai66.31.msi | Download URL
Filename | yiwaiwai66.31.msi |
SHA256 | fe86e1fff0afefd79de4fd26f041757495c5fadd116400699411a200978f0e41 | Trojan

Sample 12
Domain | letsvpn-ui[.]top | Lure Website
Domain | kingtelmfng[.]top | Lure Website
URL | https[:]//letsvpn-ui[.]top/assets/download/letsvpn-latest.exe | Download URL
Filename | letsvpn-latest.exe |
Filename | letsvpn-latesa.msi |
SHA256 | e09056567f146da73aa0c4266a15cd61655e4402146b75a836d1c92926cd37c4 | Trojan

Sample 13
Domain | chrmpw[.]top | Lure Website
URL | https[:]//chrmpw[.]top/download.html | Download URL
Filename | GPTChromX64.exe |
SHA256 | 29163c8afb477b27f700e1c5eac694a6cbb816a86c8eadbbbac6ba5c034a9c96 | Stage 1 Loader
SHA256 | 443a4ce93232d56f0d1d15e6875f7eff5fc581f25df320e277608be0d1148fa1 | Stage 2 Trojan: Gh0stRAT

Sample 14
Domain | z42f1m[.]top | Lure Website
Domain | vejm60[.]top | Lure Website
Domain | vzvlco[.]top | Lure Website
Domain | taufp6[.]top | Lure Website
URL | https[:]//pub-bbd4563a163f414086e62f5cf87a6b4e.r2[.]dev/fah-0.zip | Download URL
Filename | fah-0.zip |
Filename | fah-0.msi |
SHA256 | 73083665902ccc0cf7cbd48af24ecd62205ff2f0970e3206f6f9be5ae096bc46 |
SHA256 | a099f02c95b99abfcb3825d795797a11d69a08dc0d95e9171325dc13a9bcd796 |
SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 | LummaStealer

Sample 15
Domain | qwapmuuq[.]com | Lure Website
Domain | fsquhgne[.]com | Lure Website
Domain | rtuoxxsr[.]com | Lure Website
Domain | fzqecfyi[.]com | Lure Website
Domain | modbydto[.]com | Lure Website
Domain | szyyotmp[.]com | Lure Website
Domain | vltlpung[.]com | Lure Website
Domain | twyudoft[.]com | Lure Website
URL | https[:]//quiiqq[.]com/win32-quickq.zip | Download URL
Filename | win32-quickq.zip |
Filename | win32-quickq.exe |
SHA256 | 005bdfdde6a0d0718ac60bcc7071bd87d0ac869308cf8dd7ed8afa7478709ba9 |
SHA256 | 11254884edbc797e36d84b8305e63f2f8d1e3289fcb289a0be5b3b2d663055e | (63 hex characters as published; likely truncated)

Sample 16
Domain | quickq[.]fit | Lure Website
URL | http[:]//quickq[.]fit/sdk/win32-quickq.exe | Download URL
URL | https[:]//setupx64.oss-cn-hongkong.aliyuncs[.]com/QuickSetup.msi | Download URL
Filename | win32-quickq.exe |
Filename | QuickSetup.msi |
SHA256 | bfb90dfe0d6b4342489c4e8aa9c5ef803e462e0b451cb9ad016f2afba39fedf9 | Trojan
Filename | AICustAct.dll |
SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 | RedLine / LummaStealer

Suspected Malware Delivery Domains:

007z[.]top
1633[.]site
163e[.]top
163i[.]top
16cilz[.]xyz
1o2mp[.]cyou
2345kantup[.]xyz
2345kingtuwang[.]com
2345ktws[.]xyz
360browsap[.]top
360z[.]fit
6h4s3s[.]top
70ka[.]club
a1shung[.]club
adober[.]club
adspowerr[.]top
aisbb[.]cyou
andesksr[.]com
anydeisk[.]top
anydesik[.]com
anydesik[.]top
anydesikq[.]top
anydeskcn[.]top
anydeskq[.]online
anydeslk[.]top
avez[.]top
avre[.]work
baidu-a[.]cyou
baidu-a[.]top
baili888[.]club
bananagun[.]fit
bananagunn[.]cyou
bananaguns[.]club
baofupay[.]top
baofuupay[.]com
bitbrowcer[.]xyz
bitbrowsec[.]top
bitbrowseq[.]top
bitbrowsers[.]work
bitbrowsez[.]top
bitbrowsri[.]top
bitbrowszer[.]top
bitbrwoser[.]fit
bitbrwoser[.]top
bitbrwwser[.]top
bitpiez[.]club
bitteroser[.]top
b-jipay[.]com
b-jlpay[.]top
bmgsn6[.]top
bntbrowcer[.]xyz
bpss5vp[.]top
browseri[.]vip
btbrowserq[.]top
btxueo[.]top
cgpay[.]vip
chachap[.]top
chme1[.]xyz
chmole[.]club
chrmpw[.]top
chromexn[.]com
clashcn[.]club
clashcn[.]top
clashcn[.]xyz
cnacn3[.]top
comprz[.]top
cpgpay[.]site
crlg1wm[.]com
cs-quickq[.]com
deepil[.]top
deepli[.]top
deepll[.]top
deepll[.]xyz
deeplti[.]xyz
deeplx[.]top
dexscreener[.]fit
dexscreeners[.]icu
dezscreener[.]work
dfapp188[.]world
easytran[.]top
ecprss[.]com
eiyy[.]top
enigmar[.]fit
eniigme[.]club
eu0af6[.]club
eyy350[.]top
eyyqp[.]top
eyys[.]xyz
eyysi[.]top
eyysm[.]com
eyyz[.]top
f3jb5x[.]top
fckjo9[.]club
firefoxz[.]top
flashproxy[.]cc
freetalk[.]online
g2ks0z[.]com
g465cn[.]com
gckgmwc1[.]top
gmaib[.]top
gmgmai[.]club
gmgmai[.]work
goe[.]icu
googleseso[.]top
googlez[.]top
googlre1[.]top
goople[.]top
gotonesms[.]xyz
gotonesn[.]top
heepayx[.]xyz
hellowordx[.]club
hellowordx[.]fit
hellowordz[.]top
helloworldcz[.]xyz
helloworldw[.]site
helloworldw[.]top
helloworldz[.]top
helloworlids[.]top
hgb4hxl070[.]com
huifub[.]club
huionepay[.]vip
huorong[.]online
huorong[.]site
huorong[.]work
huoroug[.]top
huorrong[.]xyz
huoswe[.]top
huurongs[.]top
hvr3ez[.]work
i4app[.]top
i4b6[.]club
i4sa[.]xyz
i4sapp[.]top
i4sp[.]top
i4toos[.]life
i4z[.]xyz
ibzeha[.]vip
iilne[.]fit
iilne[.]top
iines[.]xyz
ilren[.]top
imbken[.]club
immersivetranslate[.]top
interhclp[.]com
isdndjsq[.]top
j6ahar4i[.]top
jdad7q[.]work
jiguang[.]icu
kantu2345[.]club
karlospt[.]top
karlosqp[.]xyz
karlost[.]club
keuailian[.]top
kingtelmfng[.]top
kipkshsa[.]top
klxiazopai[.]com
kuaiiam[.]fit
kuaiilianoo[.]icu
kuaiiyian[.]com
kuai-lian[.]xyz
kuailian0[.]com
kuailian8[.]com
kuailiani[.]net
kuailianlow[.]com
kuailiant[.]com
kuailianz[.]com
kuailiien[.]xyz
kuailijen[.]xyz
kuailim[.]buzz
kuailxian[.]com
kuaizip[.]top
kualien[.]xyz
kueliien[.]xyz
kuellien[.]xyz
kwgiz1[.]club
lanlevp[.]top
lediam[.]xyz
letrscp[.]fit
lets-alyays-connect[.]com
letsbutr[.]com
letscdn[.]world
letscgn[.]top
letscqn[.]top
letskuail[.]icu
letspcm[.]top
letspcn[.]icu
letspcn[.]xyz
letspqc[.]top
letspqw[.]fit
letspw[.]top
letsqpr[.]top
letsqpw[.]club
letsqpz[.]club
letsqqp[.]club
letsrpm[.]top
letsrqn[.]top
letsvpn-ui[.]top
letsvqm[.]xyz
letsvqr[.]xyz
letwvpn[.]com
lianlianpoy[.]com
liien[.]top
liine[.]fit
liine[.]work
llnes[.]world
lltslian[.]life
loubom[.]club
lttslian[.]xyz
luoboo[.]online
m7neqzz[.]fit
mavishub[.]xyz
mctuqqe4z[.]top
me18qiyg[.]xyz
meipai[.]work
meiqias[.]xyz
mesenger[.]club
messengers[.]work
messengerz[.]club
mexiko[.]cn
mi163[.]top
miitu[.]top
miluvpn[.]com
mwai1[.]xyz
nexchattc[.]cc
nn3cotp[.]top
nsmnst[.]club
officeim[.]club
oggie[.]club
oggie[.]fit
oggie[.]top
oggiechr[.]work
ogglchomr[.]top
oggle[.]club
oggle[.]top
oggle[.]xyz
oggles[.]xyz
ogglesr[.]top
oiggle[.]club
okyi[.]work
oogchrm[.]club
ooggie[.]top
ooggie[.]xyz
ooggle[.]top
ooggles[.]top
oogglez[.]top
oogglez[.]xyz
oogie[.]club
oogie[.]fit
oogiel[.]top
oogiew[.]work
oogiie[.]top
oogles[.]top
ooglex[.]top
ooglex[.]xyz
ooglie[.]xyz
ooglz[.]top
ooglze[.]fit
ooigle[.]xyz
oolqow[.]top
opjs[.]club
oracl[.]top
orayi[.]world
orays[.]top
orey[.]online
oreyr[.]work
oreyz[.]top
ouggle[.]fit
paga1io[.]top
paopaom[.]online
paydocs8[.]com
pgaab[.]icu
pht0j[.]cyou
potatocn[.]xyz
pppicd[.]icu
pqqle[.]club
q0nmsl[.]fit
qeaick[.]buzz
qmail[.]work
qmails[.]top
qqgj[.]online
qqis[.]work
qqsgs[.]com
quarki[.]top
quicka[.]top
quickiq[.]top
quickq0101[.]cyou
quickq2[.]cc
quickqgf[.]com
quickqgf[.]net
quickqgw[.]com
quickqgw[.]net
quickqi[.]net
quickqi[.]top
quickqza[.]icu
quickqzc[.]top
quickxq[.]xyz
quiicka[.]xyz
quiickqz[.]top
quiirkq[.]club
quirkq[.]work
qwf123[.]cyou
rggmo7j[.]club
salesmart[.]top
sanderpay[.]top
sandipay[.]top
sandlpay[.]top
sandpray[.]top
shandpay[.]top
shandpey[.]world
shanghud[.]com
shengfuton[.]com
shimoc[.]club
signall[.]xyz
signel[.]top
skyes1[.]top
slqdgo[.]club
sms-activation[.]club
smsactive[.]top
smsnet[.]top
snapcheat[.]club
snipaste[.]top
soogoo[.]icu
soogou[.]store
sougoo[.]site
sougous[.]top
sougous[.]xyz
soulgou[.]club
steams[.]top
sublitmext[.]xyz
subllmatxt[.]top
surrl9oa[.]top
t0v0hlp[.]top
taufp6[.]top
teamviewers[.]club
teiegram[.]ing
telagrmaxjsq[.]top
teleagrmone[.]top
teleepcrme[.]work
teleeqcrme[.]top
telegcvme[.]fit
telegczem[.]club
telegramn[.]vip
telegrcm[.]ing
telegrimz[.]club
telegrinxkam[.]top
telegrpcm[.]xyz
teleigpcm[.]club
teleigpcm[.]vip
telepcem[.]club
telepcems[.]fit
telepeqrm[.]fit
telepqrm[.]work
teleprzm[.]fit
telepwam[.]club
teleqcam[.]club
teleqcrmn[.]club
teleqcrmn[.]fit
teleqercm[.]work
teleqpczm[.]club
tgsheng[.]top
tittia[.]top
tletsvpn[.]xyz
todaskek[.]xyz
todaski[.]club
todesik[.]top
todeskc[.]top
todeskei[.]xyz
todeskeq[.]top
todeskiz[.]club
todeskze[.]top
todeskzis[.]xyz
tradingview[.]trade
ttcy365[.]com
ui4[.]club
uletsvpn[.]xyz
upcupe[.]xyz
uphot[.]net
uq7djw[.]xyz
utuncloud[.]world
vb0ep[.]club
vejm60[.]top
viber[.]cc
viber[.]cyou
viberi[.]xyz
vibers[.]site
vibers[.]top
vibers[.]work
villa[.]yiluying[.]com
visvpn[.]cyou
vletsvpn[.]xyz
vzvlco[.]top
wangr[.]club
wangwangtalk[.]club
wgoole[.]fit
whapps[.]club
whapps[.]fit
whapps[.]work
whatsacppy[.]club
whhapps[.]club
whhapps[.]fit
whtpps[.]club
whtpps[.]fit
whtpps[.]work
whtsaps[.]club
whtsaps[.]fit
whtsaps[.]vip
whtsaps[.]work
wiinrar[.]top
winrarsz[.]top
winzips[.]work
wipses[.]fit
wletsvpn[.]xyz
wppsi[.]top
wpsco[.]xyz
wpsei[.]com
wpsie[.]top
wpsim[.]top
wpsio[.]top
wpsiz[.]xyz
wpsla[.]site
wpsma[.]top
wpsqm[.]com
wpsqr[.]xyz
wpsqx[.]top
wpsrc[.]top
wpsrc[.]work
wpsrs[.]xyz
wpss[.]xyz
wpssq[.]top
wpsxi[.]club
wpsxm[.]xyz
wpsxz[.]xyz
wpsyz[.]top
wpszm[.]top
wudps[.]xyz
wuyoujieee[.]com
wymusic[.]fit
wymusic[.]top
xiaohuojians[.]top
ximmlang[.]club
xingqiiu[.]club
xingzuan[.]club
xingzuan[.]fit
xingzuan[.]online
xingzuan[.]xyz
xinlang[.]work
xinmeng[.]xyz
xinzuan[.]top
xmengapp[.]top
xxyy[.]work
xzpay[.]work
yiiji[.]xyz
yiijifu[.]com
yijfu[.]com
yoadao[.]xyz
yodaou[.]top
yoodao[.]fit
yoodaoi[.]club
yoodaou[.]xyz
yoodau[.]top
yoodau[.]xyz
yoodou[.]top
youdaoie[.]top
youdaox[.]top
youdaoz[.]top
youdoau[.]top
youdoo[.]top
youdou[.]xyz
yqdesk[.]top
yuanq[.]top
yuduba[.]xyz
z42f1m[.]top
zhekou838[.]cn
ziniao[.]fit
zoomi[.]fit