Chinese Malware Delivery Domains Part II: Data Collection

This report dives deeper into activity relating to the previously reported cluster of Chinese Malware Delivery domains. Spoofed download websites of many common applications were observed collecting user information and delivering malware to Chinese speaking users.

Details

This report examines a second cluster of over 1100 domains suspected to have been registered by the same group between April 2024 and January 2025.

Cluster 1: The previously reported Chinese Malware Delivery domains appeared dedicated to malware delivery, with minimal dynamic content or obfuscation employed. They primarily deliver Windows backdoors and info stealers, with minimal variability in HTML and JavaScript code.

Cluster 2: Suspected to be broadly focused on user data collection and selective malware delivery. The websites employ highly variable and obfuscated JavaScript files and multiple web analytics services, and purport to host binaries for Windows, macOS, iOS, and Android operating systems.

Spoofed Websites

Very similar to Cluster 1, Cluster 2 involves spoofs of many common applications, spanning messenger apps, VPNs, cryptocurrency exchanges, gaming platforms, game emulators, online gambling, web browsers, and multimedia apps.

Domain Registration Details

The majority of the domains identified had common domain registration details:

  • Registrar: WebNIC Support
  • Server Type: Nginx, Cloudflare, Golfe2
  • Nameserver Domains: hndnsv1[.]com, hndnsv2[.]com
  • SSL Duration: 90 days

  • Registrant Emails: qingqing7896[@]outlook[.]com, tuyang111888[@]gmail[.]com, yangtu111222[@]outlook[.]com, ck0937064862[@]gmail[.]com, qq752014[@]proton[.]me, yangtu666888[@]outlook[.]com, 8tfmy1emr[@]mozmail[.]com, a8ddos[@]gmail[.]com, jtxr15[@]163[.]com, 6888758[@]gmail[.]com
  • Registrant Contact Phone: tel:+852[.]6675163, tel:+852[.]66751631, tel:+852[.]63825598, tel:+852[.]65820038, 85263825598, tel:+852[.]85279504241, tel:+852[.]285451253, 8526675163
  • Registrant Name: wss dss, wangyiyi wangyiyi, caihua li, yi yi wang, wang yilu

The following heatmap shows the domain registration UTC timestamps for over 1000 domains from April 2024 to January 2025. The horizontal lines show that the majority of registrations occurred during approximate working hours of 8 AM to 5 PM in the China time zone, with US Eastern shown for comparison.

Domain registration times are not strong indicators of location, as registrations can be done programmatically at any time. A heatmap of the registrations over time can still be used to draw inferences about the normal operating times, volume and fluctuations of a threat group. One inference is that the actor commonly registers domains in bulk, 10 to 20 domains at a time. Another is that domain registrations continued steadily through the recent US holidays of Thanksgiving, Christmas and New Year's, but no new domains were registered from January 23 to February 8. That gap corresponds to roughly a week before and through the Chinese New Year celebrations (January 29 to February 4).
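The weekday-by-hour analysis described above, as an added example that is not part of the original report: it converts UTC registration timestamps into a chosen zone, renders the heatmap as text, and surfaces bulk-registration days and the longest pause. The timestamps are constructed; China Standard Time is a fixed UTC+8 (exact, no DST), while US Eastern is approximated as a fixed UTC-5 without DST.

```python
"""Weekday x hour registration heatmap, bulk-registration days and the longest
pause in a set of domain registration timestamps. Added example, not the
report's tooling; SAMPLE_UTC below is constructed, not real WHOIS data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# China Standard Time has no DST, so a fixed UTC+8 offset is exact.
CST = timezone(timedelta(hours=8), "CST")
# US Eastern is shown for comparison only; fixed UTC-5 ignores DST (assumption).
US_EAST = timezone(timedelta(hours=-5), "US East (EST)")

# Constructed sample of UTC registration timestamps (ISO 8601 with trailing Z).
SAMPLE_UTC = [
    # one bulk batch: 12 domains registered within minutes (02:xx UTC = 10:xx CST)
    *[f"2024-11-28T02:{m:02d}:00Z" for m in range(12)],
    # steady weekly activity through the December/January holidays
    "2024-12-02T01:30:00Z", "2024-12-10T06:10:00Z", "2024-12-18T03:45:00Z",
    "2024-12-25T03:45:00Z", "2025-01-01T02:20:00Z", "2025-01-08T07:30:00Z",
    "2025-01-15T00:30:00Z", "2025-01-22T08:05:00Z",
    # activity resumes after a pause
    "2025-02-10T01:15:00Z", "2025-02-10T01:16:00Z",
]


def parse_utc(ts: str) -> datetime:
    """Parse a Z-suffixed ISO 8601 timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def heatmap(timestamps, tz) -> Counter:
    """Registrations per (weekday, hour) after converting UTC into tz.
    weekday 0=Monday .. 6=Sunday, hour 0-23 local."""
    counts = Counter()
    for ts in timestamps:
        local = parse_utc(ts).astimezone(tz)
        counts[(local.weekday(), local.hour)] += 1
    return counts


def working_hours_share(counts: Counter, start: int = 8, end: int = 17) -> float:
    """Fraction of registrations falling in [start, end) local time on any weekday."""
    total = sum(counts.values())
    in_hours = sum(n for (_, hour), n in counts.items() if start <= hour < end)
    return in_hours / total if total else 0.0


def bulk_batches(timestamps, tz, min_size: int = 10) -> dict:
    """Local calendar days with at least min_size registrations: the way a
    'registers 10 to 20 domains at a time' habit shows up in the data."""
    per_day = defaultdict(int)
    for ts in timestamps:
        per_day[parse_utc(ts).astimezone(tz).date()] += 1
    return {day: n for day, n in per_day.items() if n >= min_size}


def longest_gap(timestamps):
    """(start date, end date, whole days) of the longest pause between
    consecutive registrations, or None for fewer than two timestamps."""
    ordered = sorted(parse_utc(ts) for ts in timestamps)
    best = None
    for earlier, later in zip(ordered, ordered[1:]):
        if best is None or later - earlier > best[1] - best[0]:
            best = (earlier, later)
    if best is None:
        return None
    return best[0].date(), best[1].date(), (best[1] - best[0]).days


def render(counts: Counter, label: str) -> str:
    """Plain-text heatmap: one row per weekday, one column per local hour."""
    days = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    lines = [f"{label}: registrations by weekday x hour",
             "     " + " ".join(f"{h:2d}" for h in range(24))]
    for d, name in enumerate(days):
        lines.append(name + "  " + " ".join(f"{counts.get((d, h), 0):2d}" for h in range(24)))
    return "\n".join(lines)


if __name__ == "__main__":
    for label, tz in (("China (UTC+8)", CST), ("US East (UTC-5)", US_EAST)):
        counts = heatmap(SAMPLE_UTC, tz)
        print(render(counts, label))
        print(f"share inside 08:00-17:00 local: {working_hours_share(counts):.0%}\n")
    print("bulk registration days (CST):", bulk_batches(SAMPLE_UTC, CST))
    print("longest pause:", longest_gap(SAMPLE_UTC))
```

With the constructed sample, every registration lands inside 08:00-17:00 China time and none inside US Eastern working hours, the 12-domain batch shows up as one bulk day, and the pause after January 22 is the longest gap.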

Based on a sampling of the 1200+ actor domains for registration costs, the cheapest registrations ranged from approximately $5 to $11 USD. Estimates based on these approximations suggest the actor may have spent over $6,000 in the past 10 months on domain registrations alone.

User Data Collection

Spoofed download websites were observed importing highly obfuscated JavaScript files whose primary purpose appears to be collecting user data. The data is sent to one or more web analytics services, primarily Google Tag Manager (GTM), 51.LA and Baidu. A possible reason for using both a Chinese site analytics tracker and non-Chinese analytics services is to improve data collection from users both inside and outside of China.

Typical data observed being collected:

The collected data include the following information about users, in addition to cookies set to potentially allow longer-term tracking of users across different websites.

  • IP addresses.
  • Browser type and version.
  • Operating system.
  • Screen resolution.
  • Referring website.
  • Pages visited and time spent on each page.
  • Geographic location (based on IP address).

Some websites were observed loading a js-sdk-recorder.min.js file and may attempt to record the browser session.

The collected browser data is also checked for specific browser types and operating systems.

The following trackers were extracted from the spoofed download sites and are suspected to be associated with the actor.


  • Google Tag Manager (GTM-): GTM-5P954SP, GTM-MG73JRC, GTM-T9RSM2B, GTM-5XB9N2J, GTM-WX6RDCT, GTM-KPB2L23, GTM-PBZC932
  • Google Analytics (G-): G-2517DCZEWG, G-5LJSE1G1G3, G-37ZJLQFQXW, G-BFW850DB5X
  • Google Analytics (UA-): UA-18527314
  • Facebook: 3440778589358687, 2798670340360754, 2074369089413155
  • Baidu: 9219f302f4d003586fce1a5e683324f9, 749a9b99a1c14a45712efed8c3b8fedd, cfce2b91900d6b26eacc4548cf269142, d4d1ee73c893371d6f711041bf64786f, 3e8f2b2bdf2da00ce0564d6c6ef21b48, 15a9e7243ee6e6441ab262ba4db61e8b, 39f7c9431fdd7a3d6e06a177938de82a
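
Extracting tracker IDs from page source, so that spoof sites sharing an analytics container or pixel can be clustered together, as an added example that is not the report's own tooling. The HTML sample is constructed and every ID in it is a placeholder, not one of the IOCs above; the regular expressions cover the GTM, GA4, UA, Baidu Tongji, Facebook pixel and 51.LA loaders, plus the js-sdk-recorder script mentioned earlier.

```python
"""Pull web-analytics tracker IDs and session-recorder loads out of a page's
HTML so that sites sharing the same IDs can be pivoted on. Added example with a
constructed HTML sample; the IDs in it are placeholders, not the report's IOCs."""
import re

# Constructed sample page: inline GTM/GA loaders, a Baidu Tongji (hm.js) loader,
# a 51.LA loader, a Facebook pixel init and a session-recorder script tag.
SAMPLE_HTML = """<html><head>
<script>(function(w,d,s,l,i){...})(window,document,'script','dataLayer','GTM-ABC1234');</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE001"></script>
<script>gtag('config', 'UA-1234567-1');</script>
<script>var _hmt = _hmt || [];(function(){var hm=document.createElement("script");
hm.src="https://hm.baidu.com/hm.js?0123456789abcdef0123456789abcdef";})();</script>
<script>!function(p){p.fbq=...}(window);fbq('init', '1234567890123456');</script>
<script src="https://js.users.51.la/21999999.js"></script>
<script src="/static/js-sdk-recorder.min.js"></script>
</head><body><a href="/download/app.exe">Download</a></body></html>"""

# One pattern per tracker family; capture group 1 is the ID worth pivoting on.
TRACKER_PATTERNS = {
    "gtm": re.compile(r"\b(GTM-[A-Z0-9]{4,10})\b"),
    "ga4": re.compile(r"\b(G-[A-Z0-9]{6,12})\b"),
    "ua": re.compile(r"\b(UA-\d{4,10})(?:-\d+)?\b"),
    "baidu": re.compile(r"hm\.baidu\.com/hm\.js\?([0-9a-f]{32})"),
    "facebook": re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d{15,16})['\"]"),
    "51la": re.compile(r"51\.la/(\d{5,12})\.js"),
}
RECORDER_PATTERN = re.compile(r"""<script[^>]+src=["']([^"']*js-sdk-recorder[^"']*)["']""", re.I)


def extract_trackers(html: str) -> dict:
    """Return {family: sorted unique IDs} for every tracker family found in html."""
    found = {}
    for family, pattern in TRACKER_PATTERNS.items():
        ids = sorted(set(pattern.findall(html)))
        if ids:
            found[family] = ids
    return found


def recorder_scripts(html: str) -> list:
    """Return the src of each <script> tag that loads a js-sdk-recorder bundle."""
    return RECORDER_PATTERN.findall(html)


def shared_trackers(pages: dict) -> dict:
    """Given {site: html}, return {(family, id): [sites]} for IDs seen on 2+ sites;
    the same analytics ID across unrelated-looking domains is a clustering signal."""
    seen = {}
    for site, html in pages.items():
        for family, ids in extract_trackers(html).items():
            for tracker_id in ids:
                seen.setdefault((family, tracker_id), []).append(site)
    return {key: sites for key, sites in seen.items() if len(sites) > 1}


if __name__ == "__main__":
    print(extract_trackers(SAMPLE_HTML))
    print(recorder_scripts(SAMPLE_HTML))
    # two constructed spoof sites that embed the same GTM container
    pages = {"spoof-a.example": SAMPLE_HTML,
             "spoof-b.example": "<script>...'GTM-ABC1234'...</script>"}
    print(shared_trackers(pages))
```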


SEO Poisoning and Traffic Generation

Creating thousands of websites and using SEO tactics could be aimed at increasing the sites' search ranking so that they appear higher in search results than legitimate sources. This can also drive traffic to other malicious sites.

Fake Login Dashboards to Deliver Malware

The actor employs several websites themed as merchant backend management dashboards, payment services, crypto exchanges, email, and office applications. It is suspected that links to the fake login sites are distributed via phishing and similar means, with the credentials shared with recipients. The mix of English and Chinese on the fake login websites and the common theme of merchant and payment backend management applications suggest the actor may be targeting English-speaking individuals doing business in China.

Website Title: “Login | Upcube - Admin & Dashboard Template”

UPCUBE 商户后台管理 (“Merchant backend management”)

The sites were observed hard coding the credential validation checks in the HTML login forms, such as the following example seen on the malicious domain "otpaycn[.]com".
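The hard-coded credential check described above is something a triage script can flag: a real application validates credentials on the server, whereas these pages compare the typed username and password against string literals in the page's own JavaScript and never post to a backend. The following is an added example, not the page's code; both HTML samples are constructed placeholders.

```python
"""Flag login pages whose credential check happens in client-side JavaScript
(the password is compared against a literal in the page itself), a fake-login
trait rather than something a backend-authenticated application does.
Added example; the HTML samples are constructed and the values are placeholders."""
import re

# Constructed sample resembling a fake dashboard login: the form has no action,
# and the submit handler compares the typed values against literals.
FAKE_LOGIN_HTML = """<form id="loginForm" onsubmit="return check()">
  <input id="username" name="username">
  <input id="password" name="password" type="password">
  <button type="submit">Login</button>
</form>
<script>
function check() {
  var u = document.getElementById('username').value;
  var p = document.getElementById('password').value;
  if (u == 'merchant01' && p == 'Pass1234') { window.location = '/index.html'; }
  else { alert('Login failed'); }
  return false;
}
</script>"""

# Constructed legitimate-looking form for contrast: posts to a backend, no literal compare.
REAL_LOGIN_HTML = """<form method="post" action="/api/login">
  <input name="username"><input name="password" type="password">
</form>
<script>document.forms[0].addEventListener('submit', function(){ /* server validates */ });</script>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
# JS identifiers assigned from a credential-looking input element's value.
CRED_VAR_RE = re.compile(
    r"(?:var|let|const)?\s*(\w+)\s*=\s*document\.(?:getElementById|querySelector)\("
    r"['\"][#]?(?:user\w*|login|email|pass\w*|pwd)['\"]\)\.value", re.I)
# An identifier (optionally .value) compared with a quoted string literal.
LITERAL_CMP_RE = re.compile(r"(\w+(?:\.value)?)\s*===?\s*(['\"])([^'\"]{1,64})\2")
POST_ACTION_RE = re.compile(r"<form[^>]+action=['\"]([^'\"]+)['\"]", re.I)


def client_side_credential_checks(html: str) -> list:
    """Return (variable, literal) pairs where a credential input's value is
    compared against a string literal inside an inline script of the page."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        cred_vars = set(CRED_VAR_RE.findall(script))
        for name, _quote, literal in LITERAL_CMP_RE.findall(script):
            base = name.split(".")[0]
            if base in cred_vars:
                findings.append((base, literal))
    return findings


def triage_login_page(html: str) -> dict:
    """Summarise the indicators a reviewer wants for a suspected fake login page."""
    checks = client_side_credential_checks(html)
    return {
        "client_side_checks": checks,
        "posts_to_backend": bool(POST_ACTION_RE.search(html)),
        "suspicious": bool(checks) and not POST_ACTION_RE.search(html),
    }


if __name__ == "__main__":
    print(triage_login_page(FAKE_LOGIN_HTML))
    print(triage_login_page(REAL_LOGIN_HTML))
```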

Upon logging into the fake Merchant Backend Dashboard, the following index page is loaded.

The only functional element is the Home Page at the top of the left panel. Clicking the Home Page loads an image in the center of the page that presents itself as a warning banner with a “Confirm” button. Clicking anywhere on the image initiates a download for a malicious dropper file that upon execution runs ValleyRAT on the system and downloads several modules from an Amazon S3 bucket providing additional functionality.

The image roughly translates to the following:

“VPN Usage Reminder Network connection failed, please use the dedicated network VPN It has been detected that your browser is missing the necessary VPN plug-in. Some functions cannot be used normally. Please update this function version first; if you choose to stop updating, you will not be able to use this function normally. What are the risks and how should I choose Confirm.”


  • Delivery Domain: otpaycn[.]com
  • Malware Download URL: https[:]//down[.]aydareklam[.]com/anacard.zip
  • Initial Download: anacard.zip (SHA256 7aa74fc5d5f1c356229fa83cd4330f8bfd1b640e09b897602382557fbeefd5ea)
  • Unzips to: anacard.exe (SHA256 5f39c5fc10130916e3b67e617979eb22febccc274a88af7a43e21cc5311d3f20)
  • ValleyRAT dropped by anacard.exe: SHA256 5cd549ca7b5a046afa1f9ddb679dbf04e8879307d2dd813c7d44d00525ab8638
  • Downloads:
    • https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/MSVCP140[.]dll
    • https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/xzc[.]exe
    • https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/vcruntime140_1[.]dll
    • https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/data[.]ini
    • https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/view[.]res
    • https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/VCRUNTIME140[.]dll
    • https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/libcef[.]dll
  • Downloaded module hashes (SHA256):
    • 9b5957e7d9bf0863fc7247df9ea02deac6f1b1a22fc7b9d4dfd89f41f27a400e  data.ini
    • 0003417d1ba6370aab194d2bab97e709bbf1d8efbf60d02a1c96117a2e7a7e3d  libcef.dll
    • 99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd  MSVCP140.dll
    • 6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e  vcruntime140_1.dll
    • a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8  VCRUNTIME140.dll
    • f63894af1b84fca6d2cb2732e0cf31d1523d6949edd4738c63663957d46dadae  view.res
    • 7d14ba4da535892e469ca66c1f749bab553c2f9af04eb978d5200431a2f01435  xzc.exe


Malware

Notably, both clusters 1 and 2 were observed delivering identical Gh0stRAT and ValleyRAT binaries. Cluster 2 operates multiple varieties of spoofed website code, which often appear to use highly obfuscated JavaScript to collect user information and potentially to render functional malware delivery links selectively. The majority of the websites were observed delivering 0-byte files and, less commonly, copies of legitimate install files hosted locally on the site. A subset of the spoofed download sites were observed hosting the same Gh0stRAT and ValleyRAT binaries as cluster 1, including "googleochrome[.]com", discussed in more depth later.

The 0-byte files are suspected to be placeholders, with real malware being delivered through obfuscated JavaScript dynamically loaded when certain user conditions are identified such as Geo IP location, language settings and browser type.

Earlier versions of the spoofed download sites typically hosted malware locally on the same spoofed website server. Later spoofed download sites began hosting files on other servers, commonly other actor-owned domains, often under subdomains such as "cnd." or "down."

More recent spoofed download sites continue to separate the spoofed websites from the hosted files by using Amazon's CloudFront content delivery network, such as the following:

  • Spoofed download sites for Lets VPN: “letscavpn[.]com” & “letsekvpn[.]com”
  • Download URL: “https[:]//d2g2a3g6fn6aza.cloudfront[.]net/android/letsvpn-latest[.]apk”

Using CDNs such as CloudFront as a delivery network can obscure the true origin of the malware and make detection and mitigation efforts more difficult.

C2 Infrastructure

Multiple samples of suspected Gh0stRAT backdoors hosted on the spoofed download websites were identified with Command & Control (C2) to IP addresses. Multiple IP addresses shared the same server scan hash, allowing a potential pivot to other IP addresses configured by the actor.

Malware delivery domain "googleochrome[.]com" spoofs a Chrome browser download site and contains code to load content from a similarly named but different domain: "https[:]//down.googluchrome[.]com"

This initiates a download of a file named "/Chrome.zip" with a SHA256 hash of "09efbe0c3e69c0f9a578bbbf0d475bd418497717921713779d1aa89dd2be35d6"

Chrome.zip unzips to a file named "Chrome.msi" with a SHA256 hash of "e39e44cb79c5b1918d8139cfbb6d2ada044dbe4b413e86504f10e902072743fd"

Chrome.msi contains a file named "payload" with a SHA256 hash of "522863520bcc368631a2db5016a1af68f60ecb074ddf19c9e7bff9834bb05248"

Upon execution, the payload file calls out to the following IP:

  • TCP 154.91.90[.]102:4433
  • TCP 154.91.90[.]102:10443

At the time of observed use, the IP hosted a WinRM service with a Shodan.io hash of "%3A897366806"; 145 IPs shared this hash, nearly all under the Tcloudnet, Inc organization.

Triaging these IPs identified several with a recent history of malicious files of similar variants communicating with them.


Conclusion

A crucial aspect of this investigation lies in recognizing the broader implications of the observed tactics. History has repeatedly demonstrated that techniques initially deployed against one demographic or vertical are often adapted and repurposed to target others. While this campaign appears to currently focus on Chinese-speaking users, the sophisticated methods employed—including obfuscated JavaScript, strategic use of analytics services, and evolving infrastructure for malware delivery and data collection—represent a readily transferable playbook. Therefore, diligent monitoring and analysis of these tactics are not merely relevant to the current situation.

By proactively studying and understanding these techniques now, the cybersecurity community can better prepare for similar threats that may emerge, targeting different demographics and potentially posing a direct risk to a wider range of users in the future. This proactive approach is essential for developing effective defenses and mitigating the impact of future, related campaigns.

IOCs


IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/CNMalwareDelivery-Pt2

Learn More
Research
Account Trafficking Websites in December 2024

This report examines the illicit online trade of aged and verified accounts for platforms like social media, email, and Google Ads. These accounts, often obtained through hacking or phishing, are valuable for bypassing security and leveraging established trust. They fuel a range of activities, from grey-area marketing tactics to serious crimes like fraud and disinformation, highlighting a significant security risk and a growing challenge in the digital landscape.

Details

In December 2024, over 100 newly registered domains were observed hosting websites that claim to sell pre-verified and aged accounts. These additions to the burgeoning illicit online market for such accounts cover a range of platforms, including social media, email providers, cloud services, and advertising networks like Google Ads. These underground marketplaces cater to a demand for pre-existing, reputable digital identities, often acquired through illicit means such as data breaches, phishing scams, or account takeovers.

Buyers are drawn to these accounts for a variety of reasons, primarily the ability to bypass security measures and leverage the established trust associated with older or verified profiles. While some may employ these accounts for seemingly innocuous purposes like gaining an edge in social media marketing or accessing region-locked content, a significant portion fuels malicious activities, including spam campaigns, fraud, disinformation dissemination, and even more nefarious operations. 

This investigation will delve into recently configured domains and websites in the ecosystem of these account markets, examining the types of accounts traded and techniques employed to drive traffic to their sites.

Cloud and BHW Accounts

Based on domain registration overlaps, the following three domains were likely created by the same actor. The websites advertise the sale of cloud accounts from top providers as well as ads accounts, Apple developer accounts, Google Voice accounts, and payment gateway accounts such as Amazon Pay and Cash App. The sites claim the accounts are pre-verified and that customers are granted full access to them.

  • IP ISP: Hostinger International Limited
  • IP Country: US
  • Website Title contains all: buy, account

topcloudacc[.]com
acctrusted[.]com
buybhwaccounts[.]xyz

Domain `topcloudacc[.]com` purports to sell AWS, Cloud, Ads, and other accounts.

Website Title: “Buy AWS Account | Best 32-vCPU & Credit Account - 2025”

Domain `acctrusted[.]com` purports to sell cloud accounts for AWS, Azure, Vultr, DigitalOcean and others.

Website Title: “Buy AWS Accounts | Best Vcpu & Credit Account For Sale 2024”

Domain `buybhwaccounts[.]xyz` purports to sell AWS, Google Cloud, Oracle, Digital Ocean, Ads Accounts, and BHW accounts.

Website Title: “Buy BHW Accounts - BHW Accounts For Sale - buybhwaccounts[.]xyz”

Domain `isp-rebellion[.]com` purports to sell Apple 2FA Accounts.

Website Title: “Apple 2FA Accounts for Sale”

Social Media Accounts for Sale

Domain `regularpva[.]com` purports to sell a variety of social media, email and dating accounts such as Facebook, Instagram, Gmail, Outlook, Twitter, and Yahoo. 

Website Title: “Buy Social Media Accounts - Social Media Pages for Sale - SecurePVA”

Domain `shiftxchange[.]biz` purports to be a marketplace for buying and selling social media accounts among other alleged service offerings.

Website Title: “Social Media Accounts for Sale”

Domains `twitterxarena[.]com` and `redditarena[.]com` both redirect to `discordarena[.]com`, which purports to sell premium aged social media accounts, including Discord and Reddit accounts.

Website Title: “Premium Aged Discord Accounts for Sale | Discord Arena”

Domain `redditaccsbuy[.]com` purports to sell aged Reddit accounts.

Website Title: “Reddit Accounts with Karma for Sale | Buy Verified, Aged Reddit Accounts Instantly | Affordable Reddit Account Marketplace”

Examining One Such Network: Aged Google Ads Accounts for Sale

Over 100 identical websites were created in December 2024 purporting to sell aged Google Ads accounts and invite codes to illicit marketplaces. For awareness, selling or buying Google Ads accounts violates Google's terms of service. Aged accounts may be perceived as having more authority, or as being less likely to be flagged for suspicious activity, making them attractive to those trying to game the system.

Registration Overlaps:

  • Registrar: Dynadot LLC
  • Name Server: cloudFlare.com
  • Server Type: CloudFlare
  • ISP IP: CloudFlare Inc.
  • Domain Name or Website Title contains: google ads or adwords

During December 2024, 128 domains were identified with nearly identical domain registration details, all configured with nearly identical website content. The websites contain links to illicit marketplaces, such as credit card number verification and acquisition services and illicit Russian markets. Each website also links to the other domains in the set, so that all 128 domains direct traffic to each other.

This configuration of interconnected website links is characteristic of search engine optimization (SEO) manipulation techniques. Considered together with the illicit content of these websites, the network may exist solely to build backlinks to a main "money site" in order to manipulate search engine rankings, an arrangement typically referred to as a Private Blog Network (PBN). PBNs can be a particularly effective SEO manipulation technique because search engines like Google treat backlinks as a signal of authority: the more backlinks, the higher the ranking. PBNs attempt to artificially inflate these rankings to drive traffic to their main sites. As such, search engine providers may penalize these networks and their main sites by dropping their search rankings or removing them from search results entirely.
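The interlinking pattern described above can be scored over crawled link data. The following Python is an added example written for this article, not DomainTools' tooling: given a mapping of domains to their outbound links (constructed sample data here, with placeholder .test names), it measures how densely a candidate set links to itself and which external site every member points to, the two signals that together suggest a PBN feeding a money site.

```python
"""Score a set of domains for the mutual-interlinking pattern of a PBN.

Input is a mapping domain -> set of outbound link targets. The data below is a
constructed sample (placeholder .test names), standing in for crawled pages.
"""
from collections import Counter

# Constructed sample: four lookalike sites that all link to each other and to
# one external "money site"; one unrelated blog links only outward.
SAMPLE_LINKS = {
    "example-ads-a.test": {"example-ads-b.test", "example-ads-c.test",
                           "example-ads-d.test", "money-site.test"},
    "example-ads-b.test": {"example-ads-a.test", "example-ads-c.test",
                           "example-ads-d.test", "money-site.test"},
    "example-ads-c.test": {"example-ads-a.test", "example-ads-b.test",
                           "example-ads-d.test", "money-site.test"},
    "example-ads-d.test": {"example-ads-a.test", "example-ads-b.test",
                           "example-ads-c.test", "money-site.test"},
    "unrelated-blog.test": {"news-site.test", "money-site.test"},
}

# The candidate set an analyst would pass in after pivoting on registration data.
CLUSTER = ["example-ads-a.test", "example-ads-b.test",
           "example-ads-c.test", "example-ads-d.test"]


def internal_link_density(domains, links):
    """Fraction of possible member-to-member links that actually exist (0..1).

    1.0 means every member links to every other member, the "all 128 domains
    direct traffic to each other" situation described in the report.
    """
    members = set(domains)
    n = len(members)
    if n < 2:
        return 0.0
    present = sum(len(links.get(d, set()) & (members - {d})) for d in members)
    return present / (n * (n - 1))


def shared_external_targets(domains, links, min_share=1.0):
    """Outbound targets outside the set linked by at least min_share of members.

    With the default of 1.0 this returns only sites every member links to,
    which is where a PBN's money site shows up.
    """
    members = set(domains)
    counts = Counter()
    for d in members:
        for target in links.get(d, set()) - members:
            counts[target] += 1
    return sorted(t for t, c in counts.items() if c / len(members) >= min_share)


def assess_cluster(domains, links, density_threshold=0.8):
    """Combine both signals into a verdict for the candidate set."""
    density = internal_link_density(domains, links)
    shared = shared_external_targets(domains, links)
    return {
        "density": round(density, 3),
        # Dense self-linking alone is weak evidence; require a common target too.
        "candidate_pbn": density >= density_threshold and bool(shared),
        "suspected_money_sites": shared,
    }


if __name__ == "__main__":
    print(assess_cluster(CLUSTER, SAMPLE_LINKS))
    # Adding an unrelated site dilutes the density below the threshold.
    print(assess_cluster(CLUSTER + ["unrelated-blog.test"], SAMPLE_LINKS))
```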

Example Google search query results for Google Ad accounts for sale:

Conclusion

In conclusion, the illicit market for aged and verified accounts across social media, email, and advertising platforms represents a persistent and evolving threat. Resold accounts are often acquired through illegitimate means, as well as through account farming and reselling. Aged and pre-verified accounts provide a foundation for a spectrum of illicit and grey-area activities, ranging from spam campaigns and fraud, to obscuring the ownership of malicious resources hosted on cloud providers, to manipulating online discourse.

This activity underscores the critical need for enhanced security measures and robust verification processes by platform providers. Detecting and mitigating account handoff behaviors, such as suspicious login patterns or unusual activity spikes, is crucial to prevent the reselling and abuse of verified accounts. Furthermore, marketing and sales teams must exercise heightened vigilance when encountering accounts with seemingly high engagement or suspicious activity. Aged or re-verified accounts may appear more legitimate, but their origins should be carefully scrutinized. 

Proactive threat intelligence, increased awareness among users and businesses, and collaborative efforts between platforms, law enforcement, and cybersecurity researchers are essential to combat the acquisition and exploitation of these compromised accounts, which continue to undermine the integrity and trustworthiness of the digital landscape.

Appendix

Google Ad Account domains related by overlapping registration and hosting details

Social Media Accounts
redditaccsbuy[.]com
user-sale[.]com
regularpva[.]com
shiftxchange[.]biz
twitterxarena[.]com
redditarena[.]com
discordarena[.]com

Game Accounts
atshopr[.]com
nonlethalweaponsbook[.]com
mysticmisery[.]com
roadaccounts[.]com
fndrop[.]com
fortniteaccs[.]com
accountshubs[.]com
bootybay[.]gg
totalbattleaccounts[.]com

Apple 2FA Accounts
isp-rebellion[.]com

Cloud and BHW Accounts
buybhwaccounts[.]xyz
acctrusted[.]com
topcloudacc[.]com

Retail Accounts
instantaccountshop[.]com

IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/AccountsForSale

Chinese Malware Delivery Websites

Malicious Browsers, Messengers, VPNs, and More…

Hundreds of newly registered domains are actively targeting Chinese-speaking users with malware. This report analyzes this activity, detailing the range of deceptive lures employed, including imitations of messengers, browsers, VPNs, email services, and Adobe software.

Details

Since at least June 2024, a cluster of over four hundred domains has been registered to host spoofed websites that deliver malware to Chinese-speaking users. Spoofed application download websites have included web browsers, VPNs, chat and email applications, as well as crypto wallet and online gambling related apps. These websites share several commonalities in registration details, backend infrastructure, website configurations, and theme. The following is a sampling of those domains.

Identified malware families have included Gh0stRAT, ValleyRAT, Remcos RAT, LummaStealer, RedLine and others.

Common registration details:

  • IP ASN: Amazon, CloudFlare, Alibaba, CloudRadium
  • Registrar: Dominet (HK) Limited, 22net, webcc, Gname
  • Nameserver Domain: alidns[.]com, cloudflare[.]com, hndnsv1[.]com
  • IPs Resolved: 54.215.49[.]143 & 54.193.24[.]113
  • SSL Duration: 90 days

Screenshot of malicious domain “chrmpw[.]top”, which spoofs as a GPT Chrome download application

Delivery Domain chrmpw[.]top
Download URL https[:]//chrmpw.top/download.html
Filename GPTChromX64.exe
SHA256 29163c8afb477b27f700e1c5eac694a6cbb816a86c8eadbbbac6ba5c034a9c96
Dropped Files 443a4ce93232d56f0d1d15e6875f7eff5fc581f25df320e277608be0d1148fa1
Suspected Malware Family Gh0stRAT

Malicious domain kuailianlow[.]com, which spoofs as Kuailian Accelerator VPN (快连加速器)

Index.html

Both download buttons carry an onclick="down()" handler.

The down() function is defined in a script inside the HTML. Its purpose is to construct the file download path. To do so it reads the property "filename" from the global window object, i.e. window['filename'].

The "filename.js" script imported by the HTML is what sets the window['filename'] value.

Delivery Domain kuailianlow[.]com
Download URL kuailianlow[.]com/download/letspn-latest.exe
Filename letspn-latest.exe
SHA256 1f58903b39f58568589776333d2752957c1dd1a2c5296fd2fd5343560f6be860
Contacted URLs http[:]//47.242.127[.]63:15628
Suspected Malware Trojan Downloader

“Where there's one rat, there's a nest”

Expanding the search for similar websites and domain registration patterns identifies several spoofed VPN download websites.

Commonalities include the use of a filename.js to hold the malicious filename, and hard-coded Chinese-language text, whereas the legitimate websites display content based on the language settings of the client's browser. The latter suggests a preference for targeting Chinese-language users.

Multiple spoofed VPNs such as LetsVPN appear in online guides as popular choices for bypassing the censorship of the Great Chinese Firewall.

Delivery Domain kipkshsa[.]top
Download URL kipkshsa[.]top/download/letsvppn-latest.msi
Filename letsvppn-latest.msi
SHA256 d1c9957bd55933a619d22e741fadcee6085e679e66af5cd8edbff7d9cf8fd4cf
SHA256 927474984e549f9d1269950e5782f755cb96f11d404a3cac56114d1e795609c5
Stage 2 Download URL https[:]//fs-im-kefu.7moor-fs1[.]com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1733466890455/3.txt
SHA256 839e314d6027977399ee486d1cadba972685550ab97467ec77ef746ffc81a478
SHA256 7ac5b8905c760bf38d38761efc56362799f8a40b4fe2d570f56472b83a625360
Suspected Malware Gh0stRAT

A similar variation employs an additional imported JavaScript file to dynamically load the page content and button download actions.

Malicious domain, letscdn[.]world, which spoofs as LetsVPN 

Excerpt from Index.html - File Download Buttons with href JavaScript function calls to onDownload()

Excerpt from Index.html - Importing “/assets/js/jquery.min.js” via script tags.

Excerpt from “/assets/js/jquery.min.js” - loads script “/assets/download/filename.js” and returns the download URL as “https[:]//” + “letscdn[.]world” + “/assets/download” + “letsvpn-latest.rar”

The value for the “window.filename” is contained in another imported JavaScript file: “/assets/download/filename.js”

Delivery Domain letscdn[.]world
Download URL https[:]//letscdn[.]world/assets/download/letsvpn-latest.rar
Filename letsvpn-latest.rar
Filename letsvpn-latest.exe
SHA256 bb152e75a72aa3ae675561f308614eba6c070e55e3895bc1b67125689dc24cee
SHA256 c7531f022be3a5e33aa71aadcd5f0b5ae9989c7980b3a218e1e1415f6b61953d
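The filename.js indirection described for kuailianlow[.]com above and the jquery.min.js variant used by letscdn[.]world can be checked for statically, without executing the page. The following Python is an added example written for this article, not code from the campaign or from DomainTools: it takes a page's HTML and the imported filename.js text (both constructed stand-ins here, as is the hostname), confirms the down()/onDownload() trigger and the filename.js import, and rebuilds the download URL the same way the loader concatenates it.

```python
"""Statically recover the download URL from a lure page of the kind above.

The pattern: index.html wires its buttons to down() or onDownload(), imports a
small filename.js that sets window['filename'], and a loader builds
"https://" + host + "/assets/download/" + window.filename. Everything below is
a constructed stand-in mimicking that structure, not captured content.
"""
import re

# Constructed stand-in for the lure page's index.html
SAMPLE_HTML = """
<html><body>
<a href="javascript:void(0)" onclick="down()">Download for Windows</a>
<a href="javascript:void(0)" onclick="down()">Download for macOS</a>
<script src="/assets/download/filename.js"></script>
<script>
function down() {
  window.location.href = "/assets/download/" + window['filename'];
}
</script>
</body></html>
"""

# Constructed stand-in for the imported filename.js
SAMPLE_FILENAME_JS = "window['filename'] = 'example-latest.exe';"

# <script src="..."> imports
_SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
# onclick="down()" or href="javascript:onDownload()" style triggers
_TRIGGER = re.compile(r'(?:onclick|href)=["\'][^"\']*?\b(down|onDownload)\s*\(', re.I)
# Either spelling of the property access: window['filename'] or window.filename
_WINDOW_FILENAME = r"window(?:\[['\"]filename['\"]\]|\.filename)"
# window['filename'] = '...';  (the assignment living in filename.js)
_FILENAME_ASSIGN = re.compile(_WINDOW_FILENAME + r"\s*=\s*['\"]([^'\"]+)['\"]")
# "/some/path/" + window['filename']  (the concatenation in the loader)
_PATH_PREFIX = re.compile(r"['\"](/[^'\"]*/)['\"]\s*\+\s*" + _WINDOW_FILENAME)


def find_filename_js(html):
    """Return the src of the first imported script named filename.js, or None."""
    for src in _SCRIPT_SRC.findall(html):
        if src.rsplit("/", 1)[-1].lower() == "filename.js":
            return src
    return None


def count_download_triggers(html):
    """Number of buttons or links wired to down() or onDownload()."""
    return len(_TRIGGER.findall(html))


def extract_filename(js_text):
    """The value assigned to window.filename, or None if not found."""
    m = _FILENAME_ASSIGN.search(js_text)
    return m.group(1) if m else None


def extract_path_prefix(text):
    """The literal directory concatenated with window.filename, or None."""
    m = _PATH_PREFIX.search(text)
    return m.group(1) if m else None


def reconstruct_download_url(host, html, filename_js_text):
    """Rebuild the URL the lure would send the victim to, or None.

    Requires both fingerprints of the pattern (a filename.js import and a
    download trigger) so that ordinary pages are not flagged.
    """
    if find_filename_js(html) is None or count_download_triggers(html) == 0:
        return None
    # The loader code may live in the HTML (kuailianlow variant) or in a
    # separate script (letscdn variant); check both texts.
    prefix = extract_path_prefix(html) or extract_path_prefix(filename_js_text)
    name = extract_filename(filename_js_text)
    if not prefix or not name:
        return None
    return "https://" + host + prefix + name


if __name__ == "__main__":
    print(reconstruct_download_url("lure.example.test", SAMPLE_HTML, SAMPLE_FILENAME_JS))
```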

Fake Login Pages Delivering Malware

Examples of fake login pages to deliver malware were also identified. 

The following screenshots show the malicious domains “xmengapp[.]top” and “xinmeng[.]xyz”, which spoof a company called Genting Trust Union, purportedly an enterprise management platform for businesses to engage customers; however, no legitimate company by that name was identified. It is suspected that the company and website are fabricated to lure prospective marketing and sales teams. The website purportedly offers several service and data integrator apps for marketing purposes, but in fact only delivers the trojans described below.

Included in the website’s imported JavaScript files is “/assets/js/ebzcecf9.js”, which contains login credentials for the website.

Logging into the application would load the following landing page:

Notably, the top bar item “cloudtop” is a download button for a suspected malicious file, but the download returns a 404.

The main section (right) is a range of services and tools related to online marketing and lead generation such as driving traffic to websites, automating tasks, managing multiple accounts, managing phone numbers for telemarketing, integrating proxies, overseas payments, AI tools for content creation and the like. 

The left panel contains a page link for “User Management”.

Clicking the blue “Click verification” button shown in the screen capture above opens a pop-up alert with the following message:

"Detected that the bundled plugin is not installed. Please install and retry."

Clicking “OK” opens a download prompt for the following .msi file. The .msi is bundled with multiple files, including ones that AV scanners tag as Gh0stRAT and Farfli trojans. A possible C2 was identified as “134.122.135[.]95”, which is a suspected ValleyRAT C2.

Filename GoogleAuthPc_Installer.msi
SHA256 9ba254138f5e79354334a0deb48e38d04fa3754ac43b4a2adc388f81705ef044
SHA256 c7ba88724118bacaad78ff46794b6d2ebb7f1c55753d95249f6bcd0c49a8cd74
ValleyRAT C2 134.122.135[.]95:4443

Associated malware, activity and methodologies appear to overlap closely with reporting by the Knownsec 404 team and Fortinet on suspected APT activity named “Silver Fox”.

Compendium of Chinese Malware Delivery Domains

The following are all examples of the spoofed websites for delivering malware utilized in this cluster of activity from at least June 2024 to January 2025. Example malware delivery domains and their respective malware download URLs and SHA256 hashes are provided as available for each example below. This listing is non-exhaustive of the variety of spoofed websites for delivering malware. 

Spoofs as QuickQ, a network accelerator and encrypted traffic tool.

quickqi[.]net

quickiq[.]top

quickqi[.]net/assets/download/quicqk66.12.msi

quickiq[.]top/assets/download/win32-quicq.msi

1a793de251bffb1edc309aa0b7fd02354c7c99d3cb1f24b3e0140d2015dc49a
fe1b5431ae27c85b1c652e3ac9541c2a801540c02c04fa7f4a3a9543c284eca5
Spoofs as WhiteWhale VPN (白鲸加速器)

isdndjsq[.]top

isdndjsq[.]top/assets/download/win32-quicq.msi

fe1b5431ae27c85b1c652e3ac9541c2a801540c02c04fa7f4a3a9543c284eca5
Spoofs as Yiwaiwai Customer Service Chat Assistant download purportedly for Chrome, QQ, WeChat, Quanniu, Pinduoduo, Doudian, and others.

eyy5201[.]top

https[:]//eyy5201[.]top/static/download/yiwaiwai66.31.msi

fe86e1fff0afefd79de4fd26f041757495c5fadd116400699411a200978f0e41
Spoofs as LetsVPN download sites.

letsvpn-ui[.]top

kingtelmfng[.]top

https[:]//letsvpn-ui[.]top/assets/download/letsvpn-latest.exe

e09056567f146da73aa0c4266a15cd61655e4402146b75a836d1c92926cd37c4
Screenshot of malicious domain “z42f1m[.]top”, which spoofs as a Microsoft login page for Outlook but delivers malware.

https[:]//pub-bbd4563a163f414086e62f5cf87a6b4e.r2[.]dev/fah-0.zip

73083665902ccc0cf7cbd48af24ecd62205ff2f0970e3206f6f9be5ae096bc46
a099f02c95b99abfcb3825d795797a11d69a08dc0d95e9171325dc13a9bcd796
Ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2

RedLine
LummaStealer
Screenshot of malicious domain “vejm60[.]top”, which spoofs as a Google mail login page but delivers the same malware.

https[:]//pub-bbd4563a163f414086e62f5cf87a6b4e.r2[.]dev/fah-0.zip

73083665902ccc0cf7cbd48af24ecd62205ff2f0970e3206f6f9be5ae096bc46
a099f02c95b99abfcb3825d795797a11d69a08dc0d95e9171325dc13a9bcd796
Ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2

RedLine
LummaStealer
Screenshot of malicious domain “vzvlco[.]top”, which spoofs as a QQ mail login page but delivers malware.

https[:]//pub-bbd4563a163f414086e62f5cf87a6b4e.r2[.]dev/fah-0.zip

73083665902ccc0cf7cbd48af24ecd62205ff2f0970e3206f6f9be5ae096bc46
a099f02c95b99abfcb3825d795797a11d69a08dc0d95e9171325dc13a9bcd796
Ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2

RedLine
LummaStealer
Screenshot of malicious domain “taufp6[.]top”, which spoofs as a 163 mail login page but delivers malware.

https[:]//pub-bbd4563a163f414086e62f5cf87a6b4e.r2[.]dev/fah-0.zip

73083665902ccc0cf7cbd48af24ecd62205ff2f0970e3206f6f9be5ae096bc46
a099f02c95b99abfcb3825d795797a11d69a08dc0d95e9171325dc13a9bcd796
Ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2

RedLine
LummaStealer
Spoofs as AnyDesk remote desktop application.

andesksr[.]com

https[:]//andesksr[.]com/assets/download/anydeskx64-32.3.0.zip
Spoofs as Yiji Pay, a financial payment application.

yijfu[.]com

https[:]//yijfu[.]com/assets/download/PassGuardSetuhz.exe
Spoof of iTools for Windows, a tool used for managing Apple mobile devices.

i4z[.]xyz
Spoof of Huorong Internet Security website. Download links spoof as personal and enterprise security applications.

huurongs[.]top

huoroug[.]top
Spoofs as a game download link for QQ. 

qqsgs[.]com
Spoofs as Google Chrome download site.

oogiie[.]top
Spoofs as Youdao Dictionary software, a dictionary for translating text between Chinese and English and other languages.

yoodaou[.]xyz

https[:]//yoodaou[.]xyz/assets/download/QuarkUpdaterSetup_fuzz_1.rar

1a48a730cdd4982a5ac0b44984d70253eab9ea070285d9fc2124c83270576cf4
f8c117a65e11fd370cb0673d1066af3415dfd9c8fde98225498f6e4ac92c213e
Spoofs as ToDesk remote desktop software.

todeskzis[.]xyz

https[:]//todeskzis[.]xyz/assets/download/ToDesk (2).zip

215872ff03e4a9d0baf12643b94d8cb60a5dba86153fa05148bd52344567e030
d5b9d07f1aa0bf738521db66439d448913da86420f2c2a0753e35ba6b63a393a
Spoofs as ToDesk remote desktop software.

todeskeq[.]top

https[:]//0h6ai2g7.oss-ap-southeast-1.aliyuncs[.]com/ToDesk_Setup.zip

(is a .rar file)

134cba7e74c243b3f58535fd224f14a637445e176a5017a8d2938f357a88e9cb
3823cc7228d7d8f75f007a4eafc0e4f4f1789ce26a6e1ca15c5045e17810396d

Retrieves:
https[:]//ws636rj.oss-ap-southeast-1.aliyuncs[.]com/encrypted_shellcode.bin
Spoof of WuYou, a service for receiving verification codes such as SMS and online platforms. 

wuyoujieee[.]com
oracl[.]top
Spoofs as Skype teleconference application download.

skyes1[.]top
Spoof of Youdao, a translation App.

yoadao[.]xyz
Gaming platform.

163i[.]top

https[:]//mumu.163i[.]top/assets/download/Mumu模拟器.zip
Android emulator to run on a Windows machine, purportedly to play mobile games on a desktop.

lediam[.]xyz

https[:]//d9gc24pw.oss-ap-southeast-1.aliyuncs[.]com/%E9%9B%B7%E7%94%B5%E6%A8%A1%E6%8B%9F%E5%99%A8.zip

ffe3be504d0a89ace9271a6a1fc51f6b0539903a10b1bf89285875606852ba65
clashcn[.]xyz
“QC7 goes overseas to navigate global social traffic”

“Accurate overseas customer acquisition starts with filtering number data”

“Overseas account screening platform”

007z[.]top

https[:]//007z[.]top/assets/download/007-Setup.exe

e34fd0f5fbc5f09f55ccdf2e6a5f70215c8686f9c83c45f421ac2a475d8bfd47
Spoof of Yuanqi, a website and app providing anime wallpapers without watermarks.

yqdesk[.]top
Spoof of KARIOS, which purports to be an “SMS Provider” for sending text messages.

karlosqp[.]xyz
Spoofs as an unnamed merchant backend login page. Clicking login results in a pop-up with a “please install” link for a malicious file spoofing as a cryptokit_sando. Clicking OK directs to an /update page with a banner to download the same file, this time spoofing as a Flash Player update link.

shanghud[.]com

https[:]//shanghud[.]com/assets/download/k3.2.6.0升级组件.exe

65049df06de78a4fda14d5f07d83eef1b316c0dea0ecfc3dbec7e5e1b7b20754
T Star Diamond Payment-Merchant Backstage.

Spoofs as a login page. Clicking the login button downloads Gh0stRAT malware.

xingzuan[.]xyz

https[:]//xingzuan[.]xyz/assets/download/xingzuansetupg5.exe

5e1d7275b0abd484c15f186690db73c42e861311da3f5f048563636336933b4a

Downloads additional files from:
https[:]//wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud[.]com
Spoofs as Dex Screener, a cryptocurrency website. Clicking any buttons initiates a popup with download link spoofing as a Flashplayer update. It contains samples of Gh0stRAT and Blackmoon malware.

dexscreeners[.]icu

https[:]//aaa8999.oss-us-west-1.aliyuncs[.]com/Flash_x32.zip

86f8239224a0ace2b1e0a2216511b0a0aea1bf055f7cbeca2fcf9c316f3de921
Spoofs as popular Line messenger application.

iines[.]xyz
Spoofs of DeepL Pro, a machine translation company. The service purports to emphasize data security with end-to-end encryption and automatic deletion of translated text. 

deepil[.]top
Spoofs of DeepL Pro, a machine translation company. The service purports to emphasize data security with end-to-end encryption and automatic deletion of translated text.

deeplx[.]top
Spoofs as 2345 Image King, software for viewing images.
 
2345ktws[.]xyz
Spoofs as Quark AI, an AI-powered assistant application.

quarki[.]top
Spoofs as a cryptocurrency exchange.

chachap[.]top

https[:]//0l1hsqvd.oss-ap-southeast-1.aliyuncs[.]com/uCheckerInst.zip
Spoofs as 360 browser, a web browser developed by the Chinese internet security company, Qihoo 360.

360browsap[.]top
Spoofs as a mobile and web game site.

ttcy365[.]com
Spoofs as Sunflower Remote Control Software, which purports to allow remote access to other computers, file transfer, and remote assistance.

orays[.]top
The site displays a banner warning of malicious activity spoofing its brand, but is itself a spoof.

baofuupay[.]com

https[:]//baofuupay[.]com/assets/download/setup.exe

2901ca8eefd1d431d25f3d45dbf42dc48136b74692801ca0f6b606541d645baf
Spoofs as Enigma Messenger App, an end-to-end encrypted chat app.

immersivetranslate[.]top
Spoofs as a cryptocurrency exchange app.

tradingview[.]trade
Spoofs Signal messaging application, an end-to-end encrypted chat app. 

signall[.]xyz
Spoofs Signal messaging application, an end-to-end encrypted chat app.

signel[.]top
Spoofs as AdsPower app, an anti-detect browser for managing multiple online accounts.

adspowerr[.]top
Spoofs as 360 Security Guard - Software Manager to download iTools app. iTools is used for managing Apple mobile devices.

i4app[.]top
Spoofs as Firefox browser download.

firefoxz[.]top
Spoofs of LianLian Pay application.

lianlianpoy[.]com
Spoofs as a financial payments management website.

shengfuton[.]com
Spoofs as a music streaming app.

wymusic[.]top
Spoofs as Snipaste, a screenshot and screen recording tool.

snipaste[.]top
Spoofs as Aurora PDF, a service for creating, editing and viewing PDF files. 

jiguang[.]icu
Spoofs as Steam, a popular digital distribution platform for video games.

steams[.]top
Spoofs as 163 VPN built by NetEase, a Chinese tech company. 163 VPN is primarily designed for users within China to access websites blocked by the Great Firewall of China. 

163e[.]top
Spoofs of Gmail Login Page. 

qmails[.]top
Spoof of Telegram messenger application.

telegrinxkam[.]top

https[:]//telegrinxkam[.]top/assets/download/Ttsetuphdmgj.exe

d219a6056e1f65507c984475711bd7e674b1319d11fd7a1149f3da983fd4f7c8
Spoof of Telegram messenger application.

telegrcm[.]ing

teiegram[.]ing
Spoofs as SaleSmartly, a customer communication platform.

salesmart[.]top

https[:]//wien.oss-ap-southeast-1.aliyuncs[.]com/win7-salesmartly.zip
Spoofs of Google Play store to download a malicious application.

goople[.]top
Spoofs of Telegram messaging application.

telegrpcm[.]xyz

Conclusion

The spoofed malware delivery websites sampled in this report all share commonalities in configuration, domain registration patterns, and a suspected intent to target Chinese-speaking users. Indications suggest a broader target audience of Chinese language speakers outside of China including Malaysia and Hong Kong. 

The majority of the malware identified as being delivered by the spoofed websites were stealers and trojans with capabilities to steal credentials and provide remote access to compromised systems. All malware identified was intended for Windows operating systems. Among the samples were multiple that AV vendors assessed to be Gh0stRAT, LummaStealer, RedLine, Farfli and ValleyRAT; C2s associated with ValleyRAT were also identified.

The activity and infrastructure of this cluster suggest a strong overlap with the previously reported APT group SilverFox. Similarities include the spoofed websites, a focus on targeting Chinese-language speakers, and the use of ValleyRAT. Additionally, the overall volume, variety, and duration of the activity align with previous reports on SilverFox and suggest an organized and professional enterprise, such as a commercial hack-for-hire operation or a nation-state sponsored contract.

While spoofing websites to deliver malware is nothing new, the sustained volume and consistency speak to a larger, systematic approach to targeting a specific demographic, with an apparent intent to gain access to Windows devices, likely to steal credentials initially and to provide continued access for follow-on engagements. In the past, speculation around similar campaigns has involved groups acting as access brokers selling to government organizations or other criminal groups. Another possibility is the collateral targeting of a population to opportunistically compromise high-value targets; in other words, indiscriminate compromises until the actors strike gold by gaining access to, for example, a corporation’s system or credentials.

IOCs

Type Value Descriptor
Sample 1
Domain kipkshsa[.]top Lure Website
URL kipkshsa[.]top/download/letsvppn-latest.msi Download URL
Filename letsvppn-latest.msi
SHA256 d1c9957bd55933a619d22e741fadcee6085e679e66af5cd8edbff7d9cf8fd4cf Stage 1
Filename QQQQ.exe
SHA256 927474984e549f9d1269950e5782f755cb96f11d404a3cac56114d1e795609c5 Stage 2 Downloader
URL https[:]//fs-im-kefu.7moor-fs1[.]com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1733466890455/3.txt Stage 2 Download URL
Filename 3.txt
SHA256 839e314d6027977399ee486d1cadba972685550ab97467ec77ef746ffc81a478 Stage 2 Dropper
SHA256 7ac5b8905c760bf38d38761efc56362799f8a40b4fe2d570f56472b83a625360 Stage 2 Trojan: Gh0stRAT
Sample 2
Domain opjs[.]club Lure Website
URL https[:]//ni1kpuro.oss-ap-southeast-1.aliyuncs[.]com/QuickQ.zip Download URL
Filename QuickQ.zip
Filename QuickQ.msi
SHA256 7aa498dc87e734e306f850082fad723ca7c05ef2f0a84c5232111eb3e86156fc
SHA256 adb6afadbd9f31a2c6548b6e3c6378a7164a3604c04332e48a409c16faf4f598 Spyware: Chinad / FlyStudio
Sample 3
Domain kuailiani[.]net Lure Website
URL kuailiani[.]net/download/kuailian64.52.msi Download URL
Filename kuailian64.52.msi
SHA256 d75a2b9d03aab50d9f3eb6afbde06034adec7a183dfcaf090ce78e4cd7a59117
Filename AICustAct.dll
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 RedLine / LummaStealer
Sample 4
Domain quiirkq[.]club Lure Website
URL https[:]//caiyun1688.oss-cn-shenzhen.aliyuncs[.]com/QuickQ-18.zip Download URL
Filename QuickQ-18.zip
Sample 5
Domain mctuqqe4z[.]top Lure Website
URL mctuqqe4z[.]top/qucke1.2_快客.zip Download URL
Filename qucke1.2_快客.zip
Filename qucke1.2_快客.exe
SHA256 5283873308336ae1011ebfe1d057621413b7d528340e45d76359850d5589e662
SHA256 e15a6646d20b4aa486f06fa81a1af55be0bd99dbff85cbd7a7a29d15ad73a693
Filename win32-67-quickq.exe
SHA256 e5205e1964b63ce14c85dd2c1ff6cdb06b3b1d323ccdbe0b2d6368a88dfe8f70 Trojan
Sample 6
Domain quickqi[.]net Lure Website
URL quickqi[.]net/assets/download/quicqk66.12.msi Download URL
Filename quicqk66.12.msi
SHA256 1a793de251bffb1edc309aa0b7fd02354c7c99d3cb1f24b3e0140d2015dc49a
Sample 7
Domain quickiq[.]top Lure Website
URL quickiq[.]top/assets/download/win32-quicq.msi Download URL
Domain isdndjsq[.]top Lure Website
URL isdndjsq[.]top/assets/download/win32-quicq.msi Download URL
Filename win32-quicq.msi
SHA256 fe1b5431ae27c85b1c652e3ac9541c2a801540c02c04fa7f4a3a9543c284eca5 Trojan Downloader
Sample 9
Domain letscdn[.]world Lure Website
URL https[:]//letscdn[.]world/assets/download/letsvpn-latest.rar Download URL
Filename letsvpn-latest.rar
Filename letsvpn-latest.exe
SHA256 bb152e75a72aa3ae675561f308614eba6c070e55e3895bc1b67125689dc24cee
SHA256 c7531f022be3a5e33aa71aadcd5f0b5ae9989c7980b3a218e1e1415f6b61953d Trojan
Sample 10
Domain telegrinxkam[.]top Lure Website
URL https[:]//telegrinxkam[.]top/assets/download/Ttsetuphdmgj.exe Download URL
Filename Ttsetuphdmgj.exe
SHA256 d219a6056e1f65507c984475711bd7e674b1319d11fd7a1149f3da983fd4f7c8
SHA256 f309c2c4847a5c888a580a2b154dfa1168016a9c3a335890f1b9e201819857e3 trojan: vmprotected
Sample 11
Domain eyy5201[.]top Lure Website
URL https[:]//eyy5201[.]top/static/download/yiwaiwai66.31.msi Download URL
Filename yiwaiwai66.31.msi
SHA256 fe86e1fff0afefd79de4fd26f041757495c5fadd116400699411a200978f0e41 Trojan
Sample 12
Domain letsvpn-ui[.]top Lure Website
Domain kingtelmfng[.]top Lure Website
URL https[:]//letsvpn-ui[.]top/assets/download/letsvpn-latest.exe Download URL
Filename letsvpn-latest.exe
Filename letsvpn-latesa.msi
SHA256 e09056567f146da73aa0c4266a15cd61655e4402146b75a836d1c92926cd37c4 Trojan
Sample 13
Domain chrmpw[.]top Lure Website
URL https[:]//chrmpw.top/download.html Download URL
Filename GPTChromX64.exe
SHA256 29163c8afb477b27f700e1c5eac694a6cbb816a86c8eadbbbac6ba5c034a9c96 Stage 1 Loader
SHA256 443a4ce93232d56f0d1d15e6875f7eff5fc581f25df320e277608be0d1148fa1 Stage 2 Trojan: Gh0stRAT
Sample 14
Domain z42f1m[.]top Lure Website
Domain vejm60[.]top Lure Website
Domain vzvlco[.]top Lure Website
Domain taufp6[.]top Lure Website
URL https[:]//pub-bbd4563a163f414086e62f5cf87a6b4e.r2[.]dev/fah-0.zip Download URL
Filename fah-0.zip
Filename fah-0.msi
SHA256 73083665902ccc0cf7cbd48af24ecd62205ff2f0970e3206f6f9be5ae096bc46
SHA256 a099f02c95b99abfcb3825d795797a11d69a08dc0d95e9171325dc13a9bcd796
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 LummaStealer
Sample 15
Domain qwapmuuq[.]com Lure Website
Domain fsquhgne[.]com Lure Website
Domain rtuoxxsr[.]com Lure Website
Domain fzqecfyi[.]com Lure Website
Domain modbydto[.]com Lure Website
Domain szyyotmp[.]com Lure Website
Domain vltlpung[.]com Lure Website
Domain twyudoft[.]com Lure Website
URL https[:]//quiiqq[.]com/win32-quickq.zip Download URL
Filename win32-quickq.zip
Filename win32-quickq.exe
SHA256 005bdfdde6a0d0718ac60bcc7071bd87d0ac869308cf8dd7ed8afa7478709ba9
SHA256 11254884edbc797e36d84b8305e63f2f8d1e3289fcb289a0be5b3b2d663055e
Sample 16
Domain quickq[.]fit Lure Website
URL http[:]//quickq[.]fit/sdk/win32-quickq.exe Download URL
URL https[:]//setupx64.oss-cn-hongkong.aliyuncs[.]com/QuickSetup.msi Download URL
Filename win32-quickq.exe
Filename QuickSetup.msi
SHA256 bfb90dfe0d6b4342489c4e8aa9c5ef803e462e0b451cb9ad016f2afba39fedf9 Trojan
Filename AICustAct.dll
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 RedLine / LummaStealer

Suspected Malware Delivery Domains:

007z[.]top
1633[.]site
163e[.]top
163i[.]top
16cilz[.]xyz
1o2mp[.]cyou
2345kantup[.]xyz
2345kingtuwang[.]com
2345ktws[.]xyz
360browsap[.]top
360z[.]fit
6h4s3s[.]top
70ka[.]club
a1shung[.]club
adober[.]club
adspowerr[.]top
aisbb[.]cyou
andesksr[.]com
anydeisk[.]top
anydesik[.]com
anydesik[.]top
anydesikq[.]top
anydeskcn[.]top
anydeskq[.]online
anydeslk[.]top
avez[.]top
avre[.]work
baidu-a[.]cyou
baidu-a[.]top
baili888[.]club
bananagun[.]fit
bananagunn[.]cyou
bananaguns[.]club
baofupay[.]top
baofuupay[.]com
bitbrowcer[.]xyz
bitbrowsec[.]top
bitbrowseq[.]top
bitbrowsers[.]work
bitbrowsez[.]top
bitbrowsri[.]top
bitbrowszer[.]top
bitbrwoser[.]fit
bitbrwoser[.]top
bitbrwwser[.]top
bitpiez[.]club
bitteroser[.]top
b-jipay[.]com
b-jlpay[.]top
bmgsn6[.]top
bntbrowcer[.]xyz
bpss5vp[.]top
browseri[.]vip
btbrowserq[.]top
btxueo[.]top
cgpay[.]vip
chachap[.]top
chme1[.]xyz
chmole[.]club
chrmpw[.]top
chromexn[.]com
clashcn[.]club
clashcn[.]top
clashcn[.]xyz
cnacn3[.]top
comprz[.]top
cpgpay[.]site
crlg1wm[.]com
cs-quickq[.]com
deepil[.]top
deepli[.]top
deepll[.]top
deepll[.]xyz
deeplti[.]xyz
deeplx[.]top
dexscreener[.]fit
dexscreeners[.]icu
dezscreener[.]work
dfapp188[.]world
easytran[.]top
ecprss[.]com
eiyy[.]top
enigmar[.]fit
eniigme[.]club
eu0af6[.]club
eyy350[.]top
eyyqp[.]top
eyys[.]xyz
eyysi[.]top
eyysm[.]com
eyyz[.]top
f3jb5x[.]top
fckjo9[.]club
firefoxz[.]top
flashproxy[.]cc
freetalk[.]online
g2ks0z[.]com
g465cn[.]com
gckgmwc1[.]top
gmaib[.]top
gmgmai[.]club
gmgmai[.]work
goe[.]icu
googleseso[.]top
googlez[.]top
googlre1[.]top
goople[.]top
gotonesms[.]xyz
gotonesn[.]top
heepayx[.]xyz
hellowordx[.]club
hellowordx[.]fit
hellowordz[.]top
helloworldcz[.]xyz
helloworldw[.]site
helloworldw[.]top
helloworldz[.]top
helloworlids[.]top
hgb4hxl070[.]com
huifub[.]club
huionepay[.]vip
huorong[.]online
huorong[.]site
huorong[.]work
huoroug[.]top
huorrong[.]xyz
huoswe[.]top
huurongs[.]top
hvr3ez[.]work
i4app[.]top
i4b6[.]club
i4sa[.]xyz
i4sapp[.]top
i4sp[.]top
i4toos[.]life
i4z[.]xyz
ibzeha[.]vip
iilne[.]fit
iilne[.]top
iines[.]xyz
ilren[.]top
imbken[.]club
immersivetranslate[.]top
interhclp[.]com
isdndjsq[.]top
j6ahar4i[.]top
jdad7q[.]work
jiguang[.]icu
kantu2345[.]club
karlospt[.]top
karlosqp[.]xyz
karlost[.]club
keuailian[.]top
kingtelmfng[.]top
kipkshsa[.]top
klxiazopai[.]com
kuaiiam[.]fit
kuaiilianoo[.]icu
kuaiiyian[.]com
kuai-lian[.]xyz
kuailian0[.]com
kuailian8[.]com
kuailiani[.]net
kuailianlow[.]com
kuailiant[.]com
kuailianz[.]com
kuailiien[.]xyz
kuailijen[.]xyz
kuailim[.]buzz
kuailxian[.]com
kuaizip[.]top
kualien[.]xyz
kueliien[.]xyz
kuellien[.]xyz
kwgiz1[.]club
lanlevp[.]top
lediam[.]xyz
letrscp[.]fit
lets-alyays-connect[.]com
letsbutr[.]com
letscdn[.]world
letscgn[.]top
letscqn[.]top
letskuail[.]icu
letspcm[.]top
letspcn[.]icu
letspcn[.]xyz
letspqc[.]top
letspqw[.]fit
letspw[.]top
letsqpr[.]top
letsqpw[.]club
letsqpz[.]club
letsqqp[.]club
letsrpm[.]top
letsrqn[.]top
letsvpn-ui[.]top
letsvqm[.]xyz
letsvqr[.]xyz
letwvpn[.]com
lianlianpoy[.]com
liien[.]top
liine[.]fit
liine[.]work
llnes[.]world
lltslian[.]life
loubom[.]club
lttslian[.]xyz
luoboo[.]online
m7neqzz[.]fit
mavishub[.]xyz
mctuqqe4z[.]top
me18qiyg[.]xyz
meipai[.]work
meiqias[.]xyz
mesenger[.]club
messengers[.]work
messengerz[.]club
mexiko[.]cn
mi163[.]top
miitu[.]top
miluvpn[.]com
mwai1[.]xyz
nexchattc[.]cc
nn3cotp[.]top
nsmnst[.]club
officeim[.]club
oggie[.]club
oggie[.]fit
oggie[.]top
oggiechr[.]work
ogglchomr[.]top
oggle[.]club
oggle[.]top
oggle[.]xyz
oggles[.]xyz
ogglesr[.]top
oiggle[.]club
okyi[.]work
oogchrm[.]club
ooggie[.]top
ooggie[.]xyz
ooggle[.]top
ooggles[.]top
oogglez[.]top
oogglez[.]xyz
oogie[.]club
oogie[.]fit
oogiel[.]top
oogiew[.]work
oogiie[.]top
oogles[.]top
ooglex[.]top
ooglex[.]xyz
ooglie[.]xyz
ooglz[.]top
ooglze[.]fit
ooigle[.]xyz
oolqow[.]top
opjs[.]club
oracl[.]top
orayi[.]world
orays[.]top
orey[.]online
oreyr[.]work
oreyz[.]top
ouggle[.]fit
paga1io[.]top
paopaom[.]online
paydocs8[.]com
pgaab[.]icu
pht0j[.]cyou
potatocn[.]xyz
pppicd[.]icu
pqqle[.]club
q0nmsl[.]fit
qeaick[.]buzz
qmail[.]work
qmails[.]top
qqgj[.]online
qqis[.]work
qqsgs[.]com
quarki[.]top
quicka[.]top
quickiq[.]top
quickq0101[.]cyou
quickq2[.]cc
quickqgf[.]com
quickqgf[.]net
quickqgw[.]com
quickqgw[.]net
quickqi[.]net
quickqi[.]top
quickqza[.]icu
quickqzc[.]top
quickxq[.]xyz
quiicka[.]xyz
quiickqz[.]top
quiirkq[.]club
quirkq[.]work
qwf123[.]cyou
rggmo7j[.]club
salesmart[.]top
sanderpay[.]top
sandipay[.]top
sandlpay[.]top
sandpray[.]top
shandpay[.]top
shandpey[.]world
shanghud[.]com
shengfuton[.]com
shimoc[.]club
signall[.]xyz
signel[.]top
skyes1[.]top
slqdgo[.]club
sms-activation[.]club
smsactive[.]top
smsnet[.]top
snapcheat[.]club
snipaste[.]top
soogoo[.]icu
soogou[.]store
sougoo[.]site
sougous[.]top
sougous[.]xyz
soulgou[.]club
steams[.]top
sublitmext[.]xyz
subllmatxt[.]top
surrl9oa[.]top
t0v0hlp[.]top
taufp6[.]top
teamviewers[.]club
teiegram[.]ing
telagrmaxjsq[.]top
teleagrmone[.]top
teleepcrme[.]work
teleeqcrme[.]top
telegcvme[.]fit
telegczem[.]club
telegramn[.]vip
telegrcm[.]ing
telegrimz[.]club
telegrinxkam[.]top
telegrpcm[.]xyz
teleigpcm[.]club
teleigpcm[.]vip
telepcem[.]club
telepcems[.]fit
telepeqrm[.]fit
telepqrm[.]work
teleprzm[.]fit
telepwam[.]club
teleqcam[.]club
teleqcrmn[.]club
teleqcrmn[.]fit
teleqercm[.]work
teleqpczm[.]club
tgsheng[.]top
tittia[.]top
tletsvpn[.]xyz
todaskek[.]xyz
todaski[.]club
todesik[.]top
todeskc[.]top
todeskei[.]xyz
todeskeq[.]top
todeskiz[.]club
todeskze[.]top
todeskzis[.]xyz
tradingview[.]trade
ttcy365[.]com
ui4[.]club
uletsvpn[.]xyz
upcupe[.]xyz
uphot[.]net
uq7djw[.]xyz
utuncloud[.]world
vb0ep[.]club
vejm60[.]top
viber[.]cc
viber[.]cyou
viberi[.]xyz
vibers[.]site
vibers[.]top
vibers[.]work
villa[.]yiluying[.]com
visvpn[.]cyou
vletsvpn[.]xyz
vzvlco[.]top
wangr[.]club
wangwangtalk[.]club
wgoole[.]fit
whapps[.]club
whapps[.]fit
whapps[.]work
whatsacppy[.]club
whhapps[.]club
whhapps[.]fit
whtpps[.]club
whtpps[.]fit
whtpps[.]work
whtsaps[.]club
whtsaps[.]fit
whtsaps[.]vip
whtsaps[.]work
wiinrar[.]top
winrarsz[.]top
winzips[.]work
wipses[.]fit
wletsvpn[.]xyz
wppsi[.]top
wpsco[.]xyz
wpsei[.]com
wpsie[.]top
wpsim[.]top
wpsio[.]top
wpsiz[.]xyz
wpsla[.]site
wpsma[.]top
wpsqm[.]com
wpsqr[.]xyz
wpsqx[.]top
wpsrc[.]top
wpsrc[.]work
wpsrs[.]xyz
wpss[.]xyz
wpssq[.]top
wpsxi[.]club
wpsxm[.]xyz
wpsxz[.]xyz
wpsyz[.]top
wpszm[.]top
wudps[.]xyz
wuyoujieee[.]com
wymusic[.]fit
wymusic[.]top
xiaohuojians[.]top
ximmlang[.]club
xingqiiu[.]club
xingzuan[.]club
xingzuan[.]fit
xingzuan[.]online
xingzuan[.]xyz
xinlang[.]work
xinmeng[.]xyz
xinzuan[.]top
xmengapp[.]top
xxyy[.]work
xzpay[.]work
yiiji[.]xyz
yiijifu[.]com
yijfu[.]com
yoadao[.]xyz
yodaou[.]top
yoodao[.]fit
yoodaoi[.]club
yoodaou[.]xyz
yoodau[.]top
yoodau[.]xyz
yoodou[.]top
youdaoie[.]top
youdaox[.]top
youdaoz[.]top
youdoau[.]top
youdoo[.]top
youdou[.]xyz
yqdesk[.]top
yuanq[.]top
yuduba[.]xyz
z42f1m[.]top
zhekou838[.]cn
ziniao[.]fit
zoomi[.]fit

IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/CNMalwareDelivery-Pt1

CTI Grapevine Becomes DomainTools Investigations

Hello CTI Grapevine Superfriends!

You may have noticed some subtle changes to our website: As of today, CTI Grapevine became part of the newly-launched DomainTools Investigations (DTI) family. Since this shift may come as a surprise to some of our avid readers, I wanted to share why we believe it is a great move for our community:

CTI Grapevine was started as an initiative by us, for us: The researchers, analysts, defenders, and the quiet types you never hear about publicly, but who behind the scenes help make the Internet a safer place. You know who you are. We wanted to explore what it would be like for the community if we published relevant and timely Domain- and DNS-related security snacks - “bite size research,” if you will. We had some really great success with this in 2024. You, the community, gave us both positive and constructive feedback on areas of growth, what you wanted us to improve on, and how we could be a better resource to the community at large. As we brainstormed on how to grow the program, we kept coming back to a DomainTools core principle: Community First! 

On a personal note, this core principle is one of the top reasons I stayed with DomainTools after my previous employer Farsight Security was acquired - The InfoSec Community has been a key part of my career for over 20 years, I would not be where I am today without it. In 2002, I started attending The Agora in Seattle, one of the first quarterly closed-vetted InfoSec meetups. After a few years as an attendee, I got involved and helped to organize and host the events for another decade+. Around 2007, I started attending other great community-focussed conferences like ISOI, and later ACoD, DCC, UE - IYKYK. I mention all this to underline how serious I am in my commitment to The Community, and as the Head of DomainTools Investigations, I will make sure we do not stray from that path.

In the spirit of supporting the community, we knew we needed to be extremely thoughtful in providing more resources. We pitched a program that could attract and sustain kickass researchers and analysts who could focus on providing their expertise on an ongoing basis. Our bosses listened, and decided to give us a year to prove ourselves. And so, DTI was formed as a community-based research effort focused on investigating, mitigating, and preventing Domain- and DNS-based attacks. (And yes, we love puns and DTI is a play on CTI…see what we did there?) With the launch of DTI, building on the foundation of CTI Grapevine, the cybersecurity community will have expanded access to:

  • Insights on advanced persistent threats (APTs), nation-states, cyber-espionage groups, business email compromise (BEC), and more
  • Published research on the DTI website and available via webinars, closed door sessions, and conferences
  • A yearly report that dives into the nuances of Domain- and DNS-based attacks

You can get all of this goodness right here on the site, and never miss an update by setting up an RSS feed to dti.domaintools.com. Additionally, you can find us on the socials (Mastodon: @domaintools@infosec.exchange, Bluesky @domaintools, X @domaintools, LinkedIn https://www.linkedin.com/company/domaintools/ ), or come say “Hi” at various conferences and events we will be frequenting all year long!

Here is to an exciting year ahead, and to borrow a signature word from one of my friends and mentors: Excelsior!

Daniel Schwalbe
CISO and Head of Investigations
DomainTools

PS: Let’s talk about tracking for a minute. More specifically website page views, and email open tracking, or what the kids call “engagement” these days. When we first launched CTI Grapevine, we intentionally had zero tracking on the site. This is somewhat rare in the industry, but as a security and privacy professional, I am allergic to tracking. I block it wherever and however I can. Being in control of DNS resolutions on your own Network is very useful for that purpose. 

But if as a business you must track, at least be as transparent as possible about it. So this is the approach we are taking here. The bargain we made with our bosses in order to take DTI to the next level was to sign up for some KPIs, and we need some kind of measurement to see if we hit those KPIs. We use Google Analytics with tags, and Marketo Measure (Bizible / Adobe). We won’t gate content, and we won’t use more invasive tracking.

Sure, tracking on websites can be blocked by the browser, and almost every email client now has the ability to block open tracking. We accept it, and are OK with that. But if you feel so inclined and want to support our program, maybe consider letting some of that tracking through. 

Cyberhaven Breach Likely Part of a Long-Term Criminal Campaign

Overview

On 27 December 2024, the technology company Cyberhaven reported that an unnamed actor replaced its Google Chrome extension on the Google Chrome Web Store with a malicious version. The actor used a phishing email to compromise a developer’s account by getting the developer to authorize a malicious third-party application. DomainTools researchers reviewed publicly available information related to this incident and discovered that the Cyberhaven incident is part of a months-long campaign likely attempting to impact multiple companies, primarily in the technology sector.

Summary of the Cyberhaven Incident

Cyberhaven’s initial analysis of the incident revealed that the actor sent a phishing email claiming that the recipient’s Chrome extension was at risk of being removed from the Chrome Web Store due to policy violations. A link in the email purported to allow the recipient to acknowledge those policies and avoid removal of the extension. Clicking on the link led the recipient through the process of adding a malicious third-party application named “Privacy Policy Extension” to the recipient’s Google account - a tactic commonly known as OAuth phishing. The malicious application received permissions to publish Chrome Web Store extensions, allowing the actor to replace Cyberhaven’s extension with a new version containing malicious code.    

The malicious code comprised two altered JavaScript files:

  • worker.js: This script contacted the actor-controlled domain, cyberhavenext[.]pro, which served as command and control (C2) for the incident. It fetched configuration data from that server, stored it in Chrome’s local storage, and monitored events from the second script, content.js.
  • content.js: This script collected user data from specific websites. The file used in the Cyberhaven incident specifically targeted Facebook-related data such as access tokens, user IDs, account details, business accounts, ad account information, cookies, and user agent strings. The script exfiltrated all compromised data to actor-controlled infrastructure.

Connections to a Broader Campaign

Cyberhaven shared indicators of compromise (IOCs) related to the attack. DomainTools researchers analyzed this information and discovered a large network of infrastructure likely used in similar attacks against other targets. Some of the related domains include:

  • cyberhavenext[.]pro
  • api.cyberhaven[.]pro
  • app.checkpolicy[.]site

The reported C2 domain for the incident, cyberhavenext[.]pro, resolved to the IP address 149.28.124[.]84 which is allocated to the hosting provider Vultr. Passive DNS data in the Iris Investigate platform shows 18 domains resolving to this IP address since 5 November 2024 with the majority beginning to resolve in the last week of December 2024. It is likely that these domains are part of a broader campaign that includes the Cyberhaven incident. This assessment is made with high confidence based on the following factors:

  • IP address overlap - likely related domains resolve to the same IP addresses within close time proximity  
  • Whois similarities - Domains share similarities in whois information: Namecheap registry, registrar-servers[.]com for NS and MX, and use of Let’s Encrypt certificates
  • Domain naming conventions - Domain names spoof specific software products such as AI tools, VPNs, adblockers, and other general web browsing tools.
  • Top Level Domains (TLDs) - Heavy use of .pro TLD along with .live, .info, .com, .net, .ink, and .vip 
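The four factors above can be turned into a repeatable scoring pass over passive DNS data. The following is an added example, not code from the report or from DomainTools: it scores constructed passive-DNS records (enriched with registrar, nameserver and certificate-issuer fields) against IP overlap, time proximity, whois profile, naming convention and TLD, and flags domains that reach a threshold. The seed domain and IP are from the incident; every other domain, date and field value in the records is made up for the demonstration, and the keyword list, 30-day window and threshold of 4 are assumptions to tune against real data.

```python
from datetime import date, timedelta

# Constructed passive-DNS observations (not the report's data). Only the seed
# domain and its IP come from the incident; the remaining rows and all dates,
# registrar, NS and certificate values are invented for the demo.
RECORDS = [
    {"domain": "cyberhavenext.pro", "ip": "149.28.124.84", "first_seen": date(2024, 12, 24),
     "registrar": "Namecheap", "ns": "registrar-servers.com", "cert": "Let's Encrypt"},
    {"domain": "examplevpn.pro", "ip": "149.28.124.84", "first_seen": date(2024, 12, 26),
     "registrar": "Namecheap", "ns": "registrar-servers.com", "cert": "Let's Encrypt"},
    {"domain": "adblockhelper.live", "ip": "149.28.124.84", "first_seen": date(2024, 11, 5),
     "registrar": "Namecheap", "ns": "registrar-servers.com", "cert": "Let's Encrypt"},
    {"domain": "bakery-shop.org", "ip": "149.28.124.84", "first_seen": date(2023, 3, 1),
     "registrar": "GoDaddy", "ns": "domaincontrol.com", "cert": "DigiCert"},
    {"domain": "gptsummarizer.pro", "ip": "198.51.100.7", "first_seen": date(2024, 12, 27),
     "registrar": "Namecheap", "ns": "registrar-servers.com", "cert": "Let's Encrypt"},
]

# Assumed tuning values: product themes the campaign spoofs, the TLDs listed
# above, and how close in time a first-seen date must be to count as "proximate".
SPOOF_KEYWORDS = ("vpn", "ext", "adblock", "ads", "gpt", "policy", "blocker")
CAMPAIGN_TLDS = {"pro", "live", "info", "com", "net", "ink", "vip"}
TIME_WINDOW = timedelta(days=30)


def score_candidate(seed: dict, rec: dict):
    """Score one record against the four pivot factors; returns (score, reasons)."""
    score, reasons = 0, []
    if rec["ip"] == seed["ip"]:
        score += 1
        reasons.append("shares IP " + rec["ip"])
        # Time proximity only matters once the IP is shared (abs() works on timedelta).
        if abs(rec["first_seen"] - seed["first_seen"]) <= TIME_WINDOW:
            score += 1
            reasons.append("first seen within %d days of seed" % TIME_WINDOW.days)
    if all(rec[k] == seed[k] for k in ("registrar", "ns", "cert")):
        score += 1
        reasons.append("registrar/NS/certificate profile matches")
    label, _, tld = rec["domain"].rpartition(".")
    hits = [kw for kw in SPOOF_KEYWORDS if kw in label]
    if hits:
        score += 1
        reasons.append("spoof keyword(s): " + ",".join(hits))
    if tld in CAMPAIGN_TLDS:
        score += 1
        reasons.append("campaign TLD ." + tld)
    return score, reasons


def related_domains(records: list, seed_domain: str, threshold: int = 4) -> list:
    """Domains whose score against the seed reaches the threshold, sorted by name."""
    seed = next(r for r in records if r["domain"] == seed_domain)
    out = []
    for rec in records:
        if rec["domain"] == seed_domain:
            continue
        score, _ = score_candidate(seed, rec)
        if score >= threshold:
            out.append(rec["domain"])
    return sorted(out)


if __name__ == "__main__":
    seed = RECORDS[0]
    for rec in RECORDS[1:]:
        score, reasons = score_candidate(seed, rec)
        print(f"{rec['domain']:22} {score}/5  {'; '.join(reasons)}")
    print("likely related:", related_domains(RECORDS, "cyberhavenext.pro"))
```

Note the record that shares the whois profile, naming style and TLD but sits on a different IP scores 3 and is not flagged; that is the case the report handles by extending the seed set to the other Vultr addresses listed below, which you would do by re-running the scoring with each of those IPs as a seed.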

Research revealed additional related domains on other Vultr IP addresses:

  • 149.248.2[.]160
  • 136.244.115[.]219
  • 45.76.225[.]148

Data from the urlscan platform shows that some of the related domains hosted configurations similar to that reported by Cyberhaven. For example, urlscan data for the domain internxtvpn[.]pro shows a similarly formatted configuration for targeting data from the ChatGPT platform:

{"code":2000,"internxtvpna":"https:\/\/chatgpt.com\/api\/*","internxtvpnb":"https:\/\/chatgpt.com\/public-api\/conversation_limit","internxtvpnc":"chatgpt.com","internxtvpnd":"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","internxtvpne":"backend-api\/me","internxtvpnf":"https:\/\/chatgpt.com","internxtvpng":"https:\/\/chatgpt.com\/backend-api\/compliance","internxtvpnh":"https:\/\/chatgpt.com\/api\/auth\/session","internxtvpni":"auth","internxtvpnk":"https:\/\/chatgpt.com"}

Configuration Recorded by URLscan on 29 December 2024
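When triaging a configuration in this format, the useful questions are which hosts the extension is being steered to and which values look like embedded secrets. The block below is an added example, not code from the report: it parses a constructed configuration with the same shape as the one above (the key prefix and the "sk-" value are placeholders, not the actor's values), lets json.loads undo the "\/" escaping, classifies each value as a URL, bare host, path, secret-like string or token, and extracts the target hostnames. The secret pattern is a loose heuristic for review, not a validator.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample in the same shape as the configuration quoted above.
# Key names and the "sk-" value are placeholders, not values from the actor's config.
SAMPLE_CONFIG = (
    '{"code":2000,'
    '"examplea":"https:\\/\\/chatgpt.com\\/api\\/*",'
    '"exampleb":"https:\\/\\/chatgpt.com\\/public-api\\/conversation_limit",'
    '"examplec":"chatgpt.com",'
    '"exampled":"sk-PLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",'
    '"examplee":"backend-api\\/me",'
    '"examplef":"https:\\/\\/chatgpt.com",'
    '"exampleg":"https:\\/\\/chatgpt.com\\/backend-api\\/compliance",'
    '"exampleh":"https:\\/\\/chatgpt.com\\/api\\/auth\\/session",'
    '"examplei":"auth",'
    '"examplek":"https:\\/\\/chatgpt.com"}'
)

HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
# Loose heuristic for OpenAI-style keys; it only flags values for a human to check.
SECRET_RE = re.compile(r"^sk-[A-Za-z0-9_-]{20,}$")


def parse_config(text: str) -> dict:
    """json.loads turns the escaped "\\/" sequences back into plain slashes."""
    return json.loads(text)


def classify_value(value) -> str:
    if not isinstance(value, str):
        return "number"
    if SECRET_RE.match(value):
        return "secret-like"
    if value.startswith(("http://", "https://")):
        return "url"
    if HOST_RE.match(value):
        return "host"
    if "/" in value:
        return "path"
    return "token"


def classify(cfg: dict) -> dict:
    return {key: classify_value(val) for key, val in cfg.items()}


def target_hosts(cfg: dict) -> list:
    """Hostnames the extension is steered to, from URL values and bare-host values."""
    hosts = set()
    for value in cfg.values():
        kind = classify_value(value)
        if kind == "url":
            host = urlparse(value).hostname
            if host:
                hosts.add(host.lower())
        elif kind == "host":
            hosts.add(value.lower())
    return sorted(hosts)


def secret_like_keys(cfg: dict) -> list:
    return sorted(key for key, val in cfg.items() if classify_value(val) == "secret-like")


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("target hosts:", target_hosts(cfg))
    print("secret-like keys:", secret_like_keys(cfg))
    for key, kind in classify(cfg).items():
        print(f"{key:10} {kind:12} {cfg[key]}")
```

Run against a batch of urlscan responses, the target-host list is what you compare across domains to see which services each lure is pointed at, and the secret-like list is what you hand to the affected service's abuse team.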

urlscan data also shows some of the identified infrastructure hosting credential phishing pages as far back as February 2024. Figure 2 shows a credential phishing page for an unidentified service hosted on admin-set.tkpartner[.]pro (left) and a phishing page likely meant to spoof Facebook’s Business Manager service hosted on tkadmin7.tkv2[.]pro (right). There is not enough evidence to determine how potential victims were directed to these pages or how the actor responsible leveraged compromised credentials.

Figure 2. Credential phishing pages hosted on infrastructure likely related to that used in the Cyberhaven incident.

Conclusion

It is likely that the Cyberhaven incident was part of a months-long campaign seeking access to sensitive data related to popular web services such as Facebook and ChatGPT. This assessment is made with high confidence based on identified infrastructure, the usage time frame of the infrastructure, and code within the actor’s configuration files. Observed tactics, techniques, and procedures (TTPs) indicate this actor is more likely criminal than state-sponsored.

IOCs

IP addresses: 149.28.124[.]84, 136.244.115[.]219
Domains:
cyberhavenext[.]pro
graphqlnetwork[.]pro
yescaptcha[.]pro
videodownloadhelper[.]pro
castorus[.]info
bookmarkfc[.]info
uvoice[.]live
iobit[.]pro
primusext[.]pro
yujaverity[.]info
parrottalks[.]info
internxtvpn[.]pro
censortracker[.]pro
vpncity[.]live
wayinai[.]live
readermodeext[.]info
moonsift[.]store
extensionpolicyprivacy[.]com
policyextension[.]info
extensionpolicy[.]net
checkpolicy[.]site
extensionbuysell[.]com
aiforgemini[.]com
blockforads[.]com
ytbadblocker[.]com
geminiforads[.]com
adskiper[.]net
IP addresses: 149.248.2[.]160, 45.76.225[.]148
Domains:
chatgptextension[.]site
graphqlnetwork[.]pro
tkv2[.]pro
iobit[.]pro
internetdownloadmanager[.]pro
searchgptchat[.]info
pieadblock[.]pro
gptdetector[.]live
castorus[.]info
searchaiassitant[.]info
ultrablock[.]pro
internxtvpn[.]pro
savechatgpt[.]site
tkpartner[.]pro
wakelet[.]ink
yescaptcha[.]pro
videodownloadhelper[.]pro
parrottalks[.]info
proxyswitchyomega[.]pro
bookmarkfc[.]info
dearflip[.]pro
cyberhavenext[.]pro
uvoice[.]live
primusext[.]pro
yujaverity[.]info
censortracker[.]pro
vidnozflex[.]live
extensionpolicyprivacy[.]com
tinamind[.]info
locallyext[.]ink
vpncity[.]live
policyextension[.]info
wayinai[.]live
moonsift[.]store
readermodeext[.]info
checkpolicy[.]site
extensionpolicy[.]net
linewizeconnect[.]com
extensionbuysell[.]com
savgptforchrome[.]pro
bardaiforchrome[.]live
searchcopilot[.]co
chatgptextent[.]pro
youtubeadsblocker[.]live
geminiaigg[.]pro
gpt4summary[.]ink
blockadsonyt[.]vip
chataiassistant[.]pro
savegptforyou[.]live
goodenhancerblocker[.]site

IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/CyberhavenCampaign

Industrial Spam Network

Overview

Domain hijacking attacks like subdomain takeover and SPF hijacking take advantage of vulnerable or stale configurations in a target domain. The vulnerable domains are then leveraged in spam or phishing campaigns or to spread malware. They can be particularly successful as they can take advantage of the target domain’s established reputation to subvert spam filters and other reputation-based detections.

Subdomain Takeover

In the case of subdomain takeover, attackers look for subdomains that are configured to point to a service that does not appropriately handle subdomain ownership verifications. 

Attackers can identify subdomains pointing to other services by using a range of openly available tools such as Sublist3r, Assetfinder, and Recon-ng. They would then check for vulnerable services, such as those that allow custom domain names (GitHub Pages, AWS S3), or look for subdomains that continue to point to services that no longer exist.

Exploiting these vulnerable domains allows the attacker to host malicious content such as phishing pages or malware from the domain. This type of attack may allow for “subdomailing”, which refers to the type of email spoofing attack that leverages subdomains of a legitimate domain to send fraudulent emails.

Example DNS log of a potentially vulnerable subdomain:

mail.vulnerable-domain[.]com.  IN  CNAME  pages.githubusercontent[.]com.

This shows that mail.vulnerable-domain[.]com points to GitHub Pages. If, for example, the associated GitHub Pages repository were deleted and the DNS record left unchanged, an attacker could re-create the deleted repository under the same name, in effect gaining control of the content served for the target subdomain.
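The defensive counterpart to the scenario above is a periodic audit of your own zone for CNAMEs whose target no longer answers or answers with a service's "unclaimed" page. The following is an added example, not code from the report: it parses a constructed zone export, looks up each CNAME target in a constructed probe table that stands in for live DNS and HTTP checks, and classifies every record as in-use, dangling (NXDOMAIN) or carrying a takeover fingerprint. The two service fingerprints (GitHub Pages' "There isn't a GitHub Pages site here." and S3's "NoSuchBucket") are the widely documented responses for unclaimed names; the zone contents, probe results and the retired-host name are invented.

```python
import re

# Constructed zone export for the demo (not real records).
ZONE_EXPORT = """\
; constructed zone export, BIND-style
www.vulnerable-domain.com.     300 IN CNAME vulnerable-domain.github.io.
mail.vulnerable-domain.com.    300 IN CNAME pages.githubusercontent.com.
assets.vulnerable-domain.com.  300 IN CNAME old-bucket.s3.amazonaws.com.
blog.vulnerable-domain.com.    300 IN CNAME blog.retired-host.example.
api.vulnerable-domain.com.     300 IN A     203.0.113.10
"""

# Constructed probe results standing in for a live DNS + HTTP check of each
# CNAME target: ("nxdomain", "") or ("http", <start of the response body>).
PROBES = {
    "vulnerable-domain.github.io": ("http", "<h1>404</h1> There isn't a GitHub Pages site here."),
    "pages.githubusercontent.com": ("http", "<html><body>OK</body></html>"),
    "old-bucket.s3.amazonaws.com": ("http", "<Error><Code>NoSuchBucket</Code></Error>"),
    "blog.retired-host.example": ("nxdomain", ""),
}

# Services that let any account bind a custom hostname, keyed by target suffix,
# with the body text each returns for a name nobody has claimed.
CLAIMABLE_SERVICES = {
    "github.io": "There isn't a GitHub Pages site here.",
    "s3.amazonaws.com": "NoSuchBucket",
}

CNAME_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)\s*$", re.MULTILINE)


def parse_cnames(zone_text: str) -> list:
    """(owner, target) pairs for every CNAME line, trailing dots stripped."""
    return [(m.group(1).rstrip("."), m.group(2).rstrip("."))
            for m in CNAME_RE.finditer(zone_text)]


def claimable_service(target: str):
    """Return (suffix, fingerprint) if the target lives on a claimable service."""
    for suffix, fingerprint in CLAIMABLE_SERVICES.items():
        if target == suffix or target.endswith("." + suffix):
            return suffix, fingerprint
    return None


def assess_target(target: str, probes: dict) -> str:
    kind, body = probes.get(target, ("nxdomain", ""))
    if kind == "nxdomain":
        return "nxdomain"            # stale pointer; check whether the name can be registered
    svc = claimable_service(target)
    if svc and svc[1] in body:
        return "takeover-fingerprint"  # service answers, but the name is unclaimed
    return "in-use"


def audit(zone_text: str, probes: dict) -> list:
    """Return (subdomain, status) for every CNAME, sorted by subdomain."""
    return sorted((name, assess_target(target, probes))
                  for name, target in parse_cnames(zone_text))


if __name__ == "__main__":
    for name, status in audit(ZONE_EXPORT, PROBES):
        print(f"{status:20} {name}")
```

The remediation for either non-"in-use" status is the same: delete the CNAME or re-claim the target under your own account before anyone else does; the fingerprint table is the part to extend as you inventory which hosted services your zone points at.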

SPF Hijacking

In contrast to subdomain takeover, SPF Hijacking occurs when an attacker gains access to a target’s DNS records either via the registrar or by exploiting vulnerabilities in the DNS infrastructure. Once the attacker has access they can modify the SPF record of a domain. For example, the attacker could add in one of their own domains into the target domain’s SPF record. In effect, this would allow the attacker to send emails that would appear to be originating from the target’s domain.

Example DNS log of a vulnerable SPF record:
vulnerable-domain[.]com. IN TXT "v=spf1 mx -all"

Example attacker tool to modify a DNS record of a target domain:
pdnsutil modify record vulnerable-domain[.]com TXT 'v=spf1 mx attacker-domain[.]com -all'

Example DNS log of the compromised SPF record for domain insertion:
vulnerable-domain[.]com. IN TXT "v=spf1 mx attacker-domain[.]com -all"

In the examples above, pdnsutil, a powerful DNS management tool, is used to modify the “TXT” record of a vulnerable domain to include the attacker’s domain in a new SPF record, "v=spf1 mx attacker-domain[.]com -all".

Hunting

This hunt pivots off a report by Guardio in February 2024, which detailed a large subdomailing campaign involving two attacker domains inserted into vulnerable DNS records:

harrisburgjetcenter[.]com
greaterversatile[.]com

Equipped with knowledge about domain takeover attacks, we can hunt for characteristics of subdomain takeover and SPF hijacking.

To start, we may take similar approaches to an attacker in which passive reconnaissance tools or historical DNS and web scanner data aggregators are leveraged to passively identify potentially vulnerable domain configurations.

Reviewing recent DNS records for actor domain greaterversatile[.]com in RDATA:

First Seen RRNAME RDATA
2024-11-03 tracks.vooyo[.]id. "v=spf1 include:harrisburgjetcenter[.]com include:greaterversatile[.]com -all"
2024-08-04 sync-me.co[.]uk. "v=spf1 include:harrisburgjetcenter[.]com include:greaterversatile[.]com -all"
2024-08-02 hangzhousccom.s5k.86sudu[.]net. "v=spf1 include:harrisburgjetcenter[.]com include:greaterversatile[.]com -all"
2024-08-02 alboan_lp.thephilanthropicapp[.]com. "v=spf1 include:harrisburgjetcenter[.]com include:greaterversatile[.]com -all"

Breaking down the RDATA: "v=spf1 include:harrisburgjetcenter[.]com include:greaterversatile[.]com -all"

  1. v=spf1: indicates it's an SPF record version 1, the most commonly used version.
  2. include:harrisburgjetcenter[.]com: instructs the receiving mail server to consult the SPF record hosted on the domain harrisburgjetcenter[.]com. The receiving server will then use that record to determine if an email claiming to originate from the original domain is legitimate.
  3. include:greaterversatile[.]com: the receiving server will also consult the SPF record hosted on greaterversatile[.]com
  4. -all: specifies a "hard fail" for any email that doesn't pass the SPF check based on the included records. In other words, any email not authorized by the records from harrisburgjetcenter[.]com or greaterversatile[.]com will be rejected.

Reviewing recent DNS records for actor domain greaterversatile[.]com in RRNAME:

First Seen RRNAME RDATA
2024-02-06 greaterversatile[.]com. "v=spf1 include:nostrezz[.]com include:discussionapps[.]com include:tessiesantiago[.]com include:winningwebs[.]com include:crowleylouisiana[.]com include:constancespry[.]com include:gigabytestores[.]com include:mailmyorder[.]com include:clothesforfit[.]online include:bamboozlebarges[.]com ip4:139.162.114.162 ip4:139.162.114.194 ip4:139.162.114.243 ip4:139.162.114.252 ip4:139.162.114.77 ip4:139.162.135.240 ip4:139.162.135.50 ip4:139.162.150.80 ip4:139.162.154.171 ip4:139.162.154.181 ip4:139.162.154.222 ip4:139.162.176.50 ip4:1" "39.162.154.43 ip4:139.162.186.198 ip4:139.162.186.64 ip4:139.162.34.36 ip4:139.177.176.124 ip4:139.162.36.56 ip4:139.177.176.143 ip4:139.177.176.189 ip4:139.177.176.34 ip4:172.104.115.104 ip4:172.104.115.106 ip4:172.104.115.110 ip4:172.104.110.219 ip4:172" ".104.120.48 ip4:172.104.115.112 ip4:172.104.132.134 ip4:172.104.115.113 ip4:172.104.159.162 ip4:172.104.115.114 ip4:172.104.159.25 ip4:172.104.159.45 ip4:172.104.115.131 ip4:172.104.115.134 ip4:172.104.115.135 ip4:172.104.115.143 ip4:172.104.115.145 ip4:1" "72.104.115.150 ip4:172.104.115.182 ip4:172.104.115.194 ip4:172.104.115.201 ip4:172.104.115.210 ip4:172.104.115.220 ip4:172.104.115.227 ip4:172.104.115.234 ip4:172.104.115.242 ip4:172.104.115.243 ip4:172.104.115.5 ip4:172.104.115.75 ip4:172.104.115.76 ip4:" "172.104.115.79 ip4:172.104.115.83 ip4:172.104.115.95 ip4:172.104.151.14 ip4:172.104.151.76 ip4:172.104.243.226 ip4:172.104.245.100 ip4:172.104.245.102 ip4:172.104.245.12 ip4:172.105.249.106 ip4:172.105.90.47 ip4:172.105.90.63 ip4:172.105.92.60 ip4:172.105" ".92.98 ip4:194.233.164.223 ip4:194.233.164.99 ip4:194.233.167.103 ip4:194.233.167.108 -all"
2024-10-24 greaterversatile[.]com. ""v=spf1 include:instanttranslates.dynu[.]net include:informationshout.dynu[.]net -all""

The DNS records above show that the actor domain greaterversatile[.]com had SPF records in February 2024 pointing to several domains and hundreds of IP addresses, and that in October 2024 the record was updated to point to two dynamic DNS domains.

Because these domains are grouped together in the same SPF record, they were likely also actor-owned during their respective periods of association.

nostrezz[.]com
discussionapps[.]com
tessiesantiago[.]com
winningwebs[.]com
crowleylouisiana[.]com
constancespry[.]com
gigabytestores[.]com
mailmyorder[.]com
clothesforfit[.]online
bamboozlebarges[.]com
instanttranslates.dynu[.]net
informationshout.dynu[.]net

In summary, if the domain tracks.vooyo[.]id sends email, the receiving mail server would attempt to validate the SPF records from the actor domains harrisburgjetcenter[.]com and greaterversatile[.]com, which in turn route the check to instanttranslates.dynu[.]net and informationshout.dynu[.]net.

The following DNS records for instanttranslates.dynu[.]net. indicate additional SPF routing would take place.

First Seen RRNAME RDATA
2024-10-21 instanttranslates.dynu[.]net. "v=spf1 include:universitygreatchoices.gleeze[.]com include:perfectdiplomaforyou.kozow[.]com include:neverstoplearning.dynuddns[.]com include:instantuniversityinscription.ddnsfree[.]com include:universityexchangeinfo.freeddns[.]org include:strategyandplansaction.fre" "eddns[.]org include:universitygrades.mywire[.]org include:resourcesanddocuments.gleeze[.]com include:multimedialearningskills.kozow[.]com -all"
2024-10-21 instanttranslates.dynu[.]net. "v=spf1 include:universitygreatchoices.gleeze[.]com include:perfectdiplomaforyou.kozow[.]com include:neverstoplearning.dynuddns[.]com include:instantuniversityinscription.ddnsfree[.]com include:universityexchangeinfo.freeddns[.]org include:strategyandplansaction.freeddns[.]org include:universitygrades.mywire[.]org include:resourcesanddocuments.gleeze[.]com include:multimedialearningskills.kozow[.]com -all"
2024-08-08 instanttranslates.dynu[.]net. "v=spf1 include:justifyintegrated.accesscam[.]org include:handlerhedriver.accesscam[.]org include:occupationsociety.casacam[.]net include:commemorate.ddnsfree[.]com include:requestdistort.ddnsgeek[.]com include:strategicpromote.freeddns[.]org include:biographydetermine.giize[.]com include:compartmentrelevance.gleeze[.]com include:multimediatan.kozow[.]com -all"

Because they appear in the SPF records of other actor domains, these additional dynamic DNS domains, which also act as SPF redirectors, are likely actor-operated as well:

universitygreatchoices.gleeze[.]com
biographydetermine.giize[.]com
commemorate.ddnsfree[.]com
compartmentrelevance.gleeze[.]com
handlerhedriver.accesscam[.]org
instantuniversityinscription.ddnsfree[.]com
justifyintegrated.accesscam[.]org
multimedialearningskills.kozow[.]com
multimediatan.kozow[.]com
neverstoplearning.dynuddns[.]com
occupationsociety.casacam[.]net
perfectdiplomaforyou.kozow[.]com
requestdistort.ddnsgeek[.]com
resourcesanddocuments.gleeze[.]com
strategicpromote.freeddns[.]org
strategyandplansaction.freeddns[.]org
universityexchangeinfo.freeddns[.]org
universitygrades.mywire[.]org

Subsequently looking up the SPF redirects for universitygreatchoices.gleeze[.]com and others identifies records such as the following in which the designated IP ranges are authorized to send mail by the original domain.

First Seen RRNAME RDATA
2024-12-09 universitygreatchoices.gleeze[.]com. "v=spf1 ip4:169.254.95.120 ip4:81.7.16.166 ip4:91.143.91.100 ip4:212.23.222.100 ip4:212.23.222.102/31 ip4:91.228.12.147/28 ip4:91.228.12.160/28 ip4:91.228.12.176 ip4:63.141.247.144/29 ip4:158.69.99.224/29 ip4:167.114.154.18 ip4:192.95.49.96/30 ip4:198.27.9" "5.240/28 ip4:198.50.160.232 ip4:198.50.160.250 ip4:61.255.174.141/30 ip4:61.255.174.144/28 ip4:61.255.174.160/30 ip4:61.255.174.179/29 ip4:195.254.134.64/27 ip4:23.105.32.64/29 ip4:23.105.32.73 ip4:45.92.29.240/28 ip4:193.39.184.224/28 ip4:23.105.132.157/30 ip4:23.105.132.160/29 ip4:45.130.201.8/30 ip4:45.130.201.88/29 ip4:45.130.201.128/28 ip4:45.130.201.150 ip4:45.130.201.161 ip4:45.130.201.180 ip4:45.130.201.186 ip4:45.130.201.201 ip4:45.130.201.211 ip4:45.130.201.240/28 ip4:37.235.49.209 ip4:37.235.49.214 ip4:51.38.246.64/30 ip4:69.61.90.49 ip4:69.61.94.33 ip4:69.61.95.20 ip4:69.174.102.208 ip4:104.223.94.253 ip4:142.4.195.32/29 ip4:142.44.135.12 ip4:142.44.135.127 ip4:144.217.46.144/29 ip4:144.217.117.34 ip4:149.56.78.219 ip4:151.236.24.159 ip4:185.215.186.128/29 ip4:192.71.218.35 ip4:192.71.218.82 ip4:192.95.57.0/30 ip4:192.99.176.248/29 ip4:217.182.120.160/30 ip4:5.189.187.81 ip4:5.189.134.15 ip4:5.189.134.16/30 ip4:2.58.203.26 ip4:2.58.203.33 ip4:2.58.203.36 ip4:2.58.203.51 ip4:45.67.85.8/31 ip4:45.67.85.12 ip4:45.67.85.20 ip4:45.67.85.28 ip4:45.67.85.41 ip4:45.67.85.47 ip4:45.67.85.62/31 ip4:63.141.232.128/27 ip4:89.34.97.64/27 ip4:216.211.204.63 ip4:216.211.204.64 ip4:216.211.204.71 ip4:216.211.204.77 ip4:216.211.204.79 ip4:149.50.96.53 ip4:149.50.102.119 ip4:149.50.102.120/29 ip4:149.50.102.128/29 ip4:149.50.102.144 ip4:149.50.102.254 ip4:149.50.103.0/28 ip4:149.50.103.24 ip4:94.156.239.216/29 ip4:94.156.239.224/27 ip4:185.99.2.80/28 ip4:185.99.2.96/30 ip4:185.164.32.96/28 ip4:185.164.32.112/29 ip4:185.164.32.11 ip4:31.56.241.27 ip4:31.56.241.86 ip4:31.56.241.120/30 ip4:162.213.211.64/29 ip4:162.251.120.172 ip4:162.251.122.160/27 ip4:172.96.14.24/29 ip4:204.10.162.128/29 ip4:45.92.29.224/28 ip4:199.66.92.32/27 -all"

The following diagram shows how the chained SPF records create multiple layers of redirects.

In summary, the chained SPF records create multiple layers of SPF redirects. This may serve to obfuscate the originating mail servers and to distribute infrastructure so that the network stays resilient when parts of it are disrupted. It may also hinder detection: the layering makes it harder for anti-spam and security researchers to identify patterns and write signatures that block the network and the activity it supports.
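To make the chaining concrete, the following is an added Python example (not code from this report) that walks redirect= and include: terms through a constructed, in-memory set of TXT records, rebuilds a record that DNS returned as several quoted strings (the CSV-escaped "..." "..." form seen in the RDATA above), and tests a sender IP against the flattened result. The domain names and addresses in FAKE_TXT are hypothetical; the ten-lookup budget is the RFC 7208 limit a receiving mail server applies, which is why a sufficiently deep chain ends in a permerror rather than an allow.

```python
"""Flatten a chain of SPF records and evaluate a sender IP against it.

Added example, not code from the report. DNS is replaced by FAKE_TXT, a
constructed in-memory table whose names and addresses are hypothetical;
only the shape of the chain (redirect= -> include: -> ip4: terms) mirrors
what the report describes.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed TXT records (hypothetical names, RFC 5737 test addresses).
FAKE_TXT: Dict[str, str] = {
    "mailer.example": '"v=spf1 redirect=hop1.example"',
    "hop1.example": '"v=spf1 include:hop2.example ip4:192.0.2.16/29 -all"',
    # A long record DNS returns as two strings, CSV-escaped by the export.
    "hop2.example": '""v=spf1 ip4:198.51.100.5 ip4:203.0.11" "3.0/28 -all""',
}

RFC7208_LOOKUP_LIMIT = 10  # DNS-querying terms allowed per evaluation


def join_txt_strings(rdata: str) -> str:
    """Rebuild one SPF string from TXT RDATA made of quoted chunks.

    Passive-DNS exports often double the quotes (""v=spf1 ... ""), and
    records over 255 bytes arrive as several "..." "..." strings that
    RFC 7208 section 3.3 says to concatenate without separators.
    """
    rdata = rdata.strip().replace('""', '"')
    chunks = re.findall(r'"([^"]*)"', rdata)
    return "".join(chunks) if chunks else rdata


def parse_spf(record: str) -> dict:
    """Split an SPF record into the terms this example evaluates."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = {"ip": [], "include": [], "redirect": None, "all": None}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            parsed["ip"].append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            parsed["include"].append(term[len("include:"):])
        elif term.startswith("redirect="):
            parsed["redirect"] = term[len("redirect="):]
        elif term == "all":
            parsed["all"] = qualifier
        # a, mx, ptr and exists are skipped so the example stays offline
    return parsed


def flatten(domain: str, txt: Dict[str, str] = FAKE_TXT,
            _path: Tuple[str, ...] = (), _state: Optional[dict] = None
            ) -> Tuple[List[Network], int, List[str]]:
    """Follow include:/redirect= terms; return (networks, lookups, visited).

    Raises ValueError on a loop or when the ten-lookup budget is exceeded,
    which is the permerror a receiver would return for an over-long chain.
    """
    state = _state if _state is not None else {"lookups": 0, "visited": []}
    if domain in _path:
        raise ValueError("SPF loop: %s -> %s" % (" -> ".join(_path), domain))
    if domain not in txt:
        raise LookupError("no SPF record for %s" % domain)
    path = _path + (domain,)
    state["visited"].append(domain)
    parsed = parse_spf(join_txt_strings(txt[domain]))
    networks: List[Network] = list(parsed["ip"])
    hops = parsed["include"] + ([parsed["redirect"]] if parsed["redirect"] else [])
    for hop in hops:
        state["lookups"] += 1  # each include:/redirect= costs one DNS query
        if state["lookups"] > RFC7208_LOOKUP_LIMIT:
            raise ValueError("chain needs more than %d DNS lookups" % RFC7208_LOOKUP_LIMIT)
        networks.extend(flatten(hop, txt, path, state)[0])
    return networks, state["lookups"], list(state["visited"])


def sender_permitted(ip: str, domain: str, txt: Dict[str, str] = FAKE_TXT) -> bool:
    """True when `ip` falls in any network of the flattened chain."""
    addr = ipaddress.ip_address(ip)
    networks, _, _ = flatten(domain, txt)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets, lookups, chain = flatten("mailer.example")
    print("chain:", " -> ".join(chain), "| lookups:", lookups)
    print("networks:", ", ".join(str(n) for n in nets))
    print("203.0.113.9 permitted:", sender_permitted("203.0.113.9", "mailer.example"))
```

Against real data, replace FAKE_TXT with a TXT resolver; the useful signals for triage are the depth of the visited list, how close the lookup count sits to the limit, and how many distinct networks a single sender domain ends up authorising.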

The Senders

Sampling the IP addresses in the RDATA records shows a trend of mail servers, reverse DNS entries, Apache HTTP servers, and Squid Cache servers.

Domains associated with the IPs in the SPF records were also observed hosting content such as the following samples:

Indicators & Search Hashes / Web Screenshots
*[.]megajobsusa[.]com
Shodan: hash:-1137946516
Shodan: http.html_hash:581214383
Censys: services.banner_hashes="sha256:3a47dc2a58324647af74c539d6e9eceb994f5ec3b49ff1744d164e6f340a9e29"
angelcamach0-github-io.pages[.]dev
callor[.]com
gamerchallenger[.]com
sunillulla[.]com

Domains hosting similar web content:

727.tcrouzet[.]com
aids.rainesupport[.]com
andrecordeiro[.]ch
andynope.maid-cafe[.]ch
angelcamach0-github-io.pages[.]dev
arianmisini[.]com
arizonaloud[.]de
asmicloudsolutions.github[.]io
bc.tekysupport[.]com
bluegum[.]media
callor[.]com
codefoundry.co[.]id
contier[.]kr
csms4.sistech[.]ai
cyberzootopia[.]com
dates.rainesupport[.]com
discoverplymouth[.]net
fhalo-resources[.]com
fu.hrps-it[.]com
gallotreeservices[.]com
github.speicher-dein-strom[.]de
helpinneed.asso.eu[.]org
hi.applyer.cn
leak[.]lk
ljxcfdfhkjgcqfeesvarpjqxegetudn.helpinneed.asso.eu[.]org
moneyantra[.]com
muhammeddemircan[.]com
nextlab[.]biz
pwaf2023[.]click
radarnextboy.rainesupport[.]com
regional-one[.]com.lga[.]sc
respons.gvcreation[.]fr
safecall.givero.co[.]kr
santiagolamora[.]com
sobatsoba[.]com
socarenergie[.]ch
tabiri[.]compassionateheartskenya[.]org
tuneastwood.rainesupport[.]com
twwebsitenotificationguardian.justinl[.]in
vorteile.hrps-it[.]com
www.adrygurumi.ortscorporate[.]com
www.dagondevelopment[.]com
www.donaubuild[.]com
www.hidro2clean[.]com/www/
www.insightsdigitalagency[.]com
www.khstalentbank[.]com
www.ldfg[.]se
xn--krakena-kb4c[.]com
zmv[.]sk

Conclusion

This research has only touched the surface of what appears to be a very large and well coordinated spam and phishing network taking advantage of DNS-related misconfigurations or weaknesses. Indications from domain and infrastructure pivots suggest the network has been operating since at least 2019 and continues to the present. The operators of the network appear to be aware of and respond to security reports about their infrastructure, and appear to have made multiple attempts to improve its resiliency to identification and disruption.

Observables

727.tcrouzet[.]com
aaafield[.]com
aborretag[.]com
achingdish[.]com
adnecaring[.]com
adnespres[.]com
aerchers[.]com
ahniab[.]com
aids.rainesupport[.]com
airsacy[.]com
albuquerquejobsite[.]com
alsquil[.]com
amerstv[.]com
andrecordeiro[.]ch
andynope.maid-cafe[.]ch
anescat[.]com
angcheap[.]com
angelcamach0-github-io.pages[.]dev
anthigh[.]com
arcadiadomains[.]com
arianmisini[.]com
arizonaloud.de
aromaver[.]com
asecort[.]com
asmanspecs[.]com
asmicloudsolutions.github[.]io
ationmov[.]com
atiosurte[.]com
aucomplex[.]com
autoferbar[.]com
avemusica[.]com
bartapy[.]com
bartsam[.]com
basicempre[.]com
bc.tekysupport[.]com
bearele[.]com
beargy[.]com
bearrope[.]com
befull[.]pro
begieclose[.]com
bericbires[.]com
betterhal[.]com
betterove[.]com
binarydron[.]com
biographydetermine.giize[.]com
biresth[.]com
bithorts[.]com
bitquil[.]com
blecally[.]com
blespeaker[.]com
blognapic[.]com
bluegum[.]media
blushdicid[.]com
blushtable[.]com
bonusang[.]com
bookcles[.]com
bughtsurte[.]com
bulathoon[.]com
bumpergris[.]com
bundemidis[.]com
bunnymov[.]com
callor[.]com
callycous[.]com
capusabor[.]com
capuslong[.]com
caserojo[.]com
cenblush[.]com
chersberic[.]com
chocoundab[.]com
ciacat[.]com
circleqts[.]com
circuithed[.]com
civiccovercove[.]com
cliffaria[.]com
cliffjuly[.]com
cloeruby[.]com
cobalpalm[.]com
cocecheap[.]com
codefoundry.co[.]id
coleenv[.]com
collstran[.]com
commemorate.ddnsfree[.]com
compartmentrelevance.gleeze[.]com
contier[.]kr
coofwiki[.]com
cophhar[.]com
cophreor[.]com
cornmove[.]com
csms4.sistech.ai
currentrad[.]com
cyanapy[.]com
cyanbonnet[.]com
cyberzootopia[.]com
dates.rainesupport[.]com
daticol[.]com
dedhetera[.]com
defcips[.]com
defspoiler[.]com
denamark[.]com
dentalscroll[.]com
depiness[.]com
derdiving[.]com
derpear[.]com
desstequal[.]com
desstnorra[.]com
diacips[.]com
dicrhombus[.]com
dicwisty[.]com
discoverplymouth[.]net
dismsec[.]com
ditydesert[.]com
diuminfos[.]com
donepron[.]com
dopermo[.]com
duckoc[.]com
duodrawing[.]com
durablepic[.]com
eapmily[.]com
earthorm[.]com
elecoral[.]com
elerapid[.]com
elerased[.]com
ennicbus[.]com
entsdic[.]com
entsearth[.]com
envsky[.]com
envwer[.]com
eomeganet[.]com
eptcat[.]com
eptli[.]com
equesolive[.]com
essbumper[.]com
estwer[.]com
etcout[.]com
express-door[.]ru
falsignal[.]com
faradrain[.]com
farmsteadassist[.]com
feeldugout[.]com
ferspic[.]com
fhalo-resources[.]com
fieldabor[.]com
firenippe[.]com
fivevail[.]com
floodshieldguide[.]com
flowerpsed[.]com
fluxnorra[.]com
foundpurd[.]com
foxingtime[.]com
fu.hrps-it[.]com
fullcoil[.]com
gallotreeservices[.]com
gebumper[.]com
gerspask[.]com
gicpene[.]com
giculgusit[.]com
giculscan[.]com
giftedvist[.]com
github.speicher-dein-strom[.]de
glymain[.]com
glysource[.]com
greaterversatile[.]com
greygicul[.]com
grisphold[.]com
gusitbits[.]com
halclose[.]com
handleoper[.]com
handlerhedriver.accesscam[.]org
harrisburgjetcenter[.]com
hedhill[.]com
helpinneed.asso.eu[.]org
hesclose[.]com
heterafuel[.]com
heteratal[.]com
hexagonb[.]com
hexaspecs[.]com
hi.applyer.cn
hoodnero[.]com
hoodte[.]com
hoschers[.]com
idealcellphones[.]com
ilygu[.]com
ilytedd[.]com
inaayas[.]me
ineduse[.]com
infarmasa[.]com
infosdef[.]com
ingsous[.]com
ingunit[.]com
innersof[.]com
instantuniversityinscription.ddnsfree[.]com
inycooper[.]com
ioneplane[.]com
italyivers[.]com
ittunner[.]com
jamesest[.]com
jarstand[.]com
jarundes[.]com
jouleworld[.]com
justifyintegrated.accesscam[.]org
justlyjournal[.]com
kledfers[.]com
leak[.]lk
leftfarad[.]com
lentgon[.]com
letdiplay[.]com
levcobal[.]com
liglissa[.]com
lilaccyan[.]com
lilcheap[.]com
liliotegli[.]com
lisemain[.]com
lissachor[.]com
listhy[.]com
litelev[.]com
ljxcfdfhkjgcqfeesvarpjqxegetudn.helpinneed.asso.eu[.]org
lobyvill[.]com
logerbus[.]com
logergy[.]com
longtermcover[.]com
lublicgear[.]com
macbookdigest[.]com
maggede[.]me
makeapy[.]com
maltditing[.]com
mangrapid[.]com
mantdrove[.]com
marryzinc[.]com
maticgic[.]com
mauveitaly[.]com
mauveplug[.]com
meansarrow[.]com
meetve[.]com
mesany[.]com
mesotheliomainsights[.]org
mesplug[.]com
mikcheap[.]com
miromali[.]com
mishdep[.]com
mishsy[.]com
misshans[.]com
mixgifted[.]com
mizrrworold[.]ru
mollyrhes[.]com
monesnic[.]com
moneyantra[.]com
monodvill[.]com
mopmeni[.]com
mostmit[.]com
movieeap[.]com
mrscoph[.]com
muhammeddemircan[.]com
multimedialearningskills.kozow[.]com
multimediatan.kozow[.]com
muncatic[.]com
namecapus[.]com
nanomoder[.]com
nauticalguardian[.]com
nearmagnet[.]com
needvist[.]com
neverstoplearning.dynuddns[.]com
nextlab[.]biz
ninebash[.]com
nippelia[.]com
norratesla[.]com
nyakundireport[.]com
occupationsociety.casacam[.]net
ockledel[.]com
ocklerased[.]com
octomation[.]app
ohmmilky[.]com
olrosa[.]com
onicpic[.]com
opagarin[.]com
operrojo[.]com
ormamber[.]com
ormcoof[.]com
orsexess[.]com
osnhans[.]com
ovepres[.]com
partsruppo[.]com
pastroll[.]com
pearhyl[.]com
pediarous[.]com
perfectdiplomaforyou.kozow[.]com
permostar[.]com
picofrank[.]com
picomeans[.]com
picsspres[.]com
pinhaged[.]com
pizzakled[.]com
placeooo[.]com
plateoze[.]com
playloger[.]com
porkgro[.]com
powlsquick[.]com
psedined[.]com
psloon[.]com
pwaf2023[.]click
pykelly[.]com
qsurte[.]com
quickine[.]com
quilthat[.]com
radarnextboy.rainesupport[.]com
raindroel[.]com
ramtable[.]com
rapidpor[.]com
rasedenity[.]com
realtrion[.]com
regional-one[.]com.lga.sc
reorwif[.]com
requestdistort.ddnsgeek[.]com
resourcesanddocuments.gleeze[.]com
respons.gvcreation[.]fr
resslear[.]com
restliam[.]com
rfmac[.]com
riddlearea[.]com
rinlook[.]com
roerin[.]com
rollwer[.]com
rosapic[.]com
rotcoffe[.]com
rousrin[.]com
rouwal[.]com
safecall.givero.co[.]kr
samberic[.]com
santiagolamora[.]com
sarumi[.]ir
sarumihome[.]ir
scanged[.]com
scrormake[.]com
sheildmona[.]com
shieldshelf[.]com
shiftity[.]com
sifemedia[.]com
siotitan[.]com
sitegicul[.]com
sitesstorm[.]com
smuerule[.]com
sobatsoba[.]com
socarenergie[.]ch
somonlus[.]com
somonscror[.]com
spersosel[.]com
spoilerus[.]com
stased[.]com
strategicpromote.freeddns[.]org
strategyandplansaction.freeddns[.]org
sunillulla[.]com
surtecal[.]com
susdem[.]com
syletc[.]com
symgrey[.]com
tabiri[.]compassionateheartskenya[.]org
tealblanco[.]com
tealcharge[.]com
tebaned[.]com
thilystat[.]com
tinhexagon[.]com
tiptrent[.]com
tolltunner[.]com
toothidly[.]com
tuneastwood.rainesupport[.]com
tunnerhar[.]com
turdess[.]com
turelses[.]com
turkeyhigh[.]com
turkishtraders[.]net
twwebsitenotificationguardian.justinl[.]in
tydraw[.]com
uncerain[.]com
unclemones[.]com
undbory[.]com
undesquil[.]com
uniqrapid[.]com
universityexchangeinfo.freeddns[.]org
universitygrades.mywire[.]org
universitygreatchoices.gleeze[.]com
unraoanker[.]com
untprint[.]com
verrhes[.]com
videosinfo[.]com
videothily[.]com
viewank[.]com
villdeer[.]com
vipcys[.]com
vipspask[.]com
vitmisly[.]com
volveenv[.]com
volvesing[.]com
volvesus[.]com
vorteile.hrps-it[.]com
watchfal[.]com
websoff[.]net
weekge[.]com
wellnavy[.]com
whivecpu[.]com
whiveparts[.]com
wootybag[.]com
wormicro[.]com
wrindia[.]com
www.adrygurumi.ortscorporate[.]com
www.dagondevelopment[.]com
www.donaubuild[.]com
www.hidro2clean[.]com/www/
www.insightsdigitalagency[.]com
www.khstalentbank[.]com
www.ldfg[.]se
xn--krakena-kb4c[.]com
yearnano[.]com
yedsures[.]com
yercraig[.]com
yerunt[.]com
yukedmin[.]com
yukedtupe[.]com
zapedit[.]com
zincbart[.]com
zincwinter[.]com
zipperazul[.]com
zippermake[.]com
zipsiren[.]com
zmv[.]sk

BlackBerry, SloppyLemming, and Guess Who...Cloudflare

On 18 November 2024, BlackBerry’s threat research team reported on a cyber espionage campaign targeting the Pakistan Navy. This campaign used malicious documents to collect credentials and distribute malware. While BlackBerry did not attribute this activity to a specific actor, subsequent analysis by DomainTools revealed significant overlaps in tactics, techniques, and procedures (TTPs) and in targeting scope with the cyber-espionage group known as SloppyLemming.

Review of BlackBerry Report

Recent activity from this campaign involved the deployment of a malicious PDF document in early September 2024. The document resembles an internal IT memo, instructing recipients on integrating Axigen Thunderbird for secure email communications. The document contained a link to a malicious website (paknavy.rf[.]gd) mimicking the legitimate Pakistan Navy domain.

Upon visiting the fraudulent site, users were prompted to download a ZIP file, “Axigen_Thunderbird.zip,” which included a malicious Thunderbird extension. Once installed, the extension requested credentials for “@paknavy.gov.pk” email addresses. Entered credentials were transmitted to an actor-controlled domain (updateschedulers[.]com), and the extension downloaded a malware payload hosted on the same domain. BlackBerry researchers identified the malware as a variant of Sync-Scheduler. Public reporting from March 2024 first identified this malware family and its use of the domain packageupdates[.]net for command and control (C2). BlackBerry also identified related activity in the May/June 2024 time frame using the C2 domain extension.webmailmigration[.]com.

Further analysis by DomainTools uncovered an additional likely associated domain: diplomaticservices[.]link. Whois data from this domain shows a registrant organization of “National Telecom Corporation” likely referencing the Pakistani government’s telecommunications provider. The only other domain using this registrant organization since 2010 is the webmailmigration[.]com domain from the BlackBerry report. 

Overlap with SloppyLemming Actor 

In September 2024, Cloudflare’s threat research team reported on an India-nexus cyber espionage actor it dubbed SloppyLemming (aka OUTRIDER TIGER). This actor primarily targets Pakistan, with a focus on government and defense. SloppyLemming frequently leverages its custom CloudPhish credential logging tool on Cloudflare Worker domains to compromise email credentials from targeted individuals. One of the mail clients CloudPhish specifically targeted was Axigen, which was the mail client referenced in the malicious activity covered in the BlackBerry report. SloppyLemming also employed PDF documents for credential collection and malware delivery.

Data from the urlscan.io scanning service shows an Axigen webmail credential phishing page present on www.login.webmailmigration[.]com in April 2024. Similar Axigen phishing pages were present on the following domains between February and July 2024:

  • mail-pakchinainvest-com.niancao010.workers[.]dev
  • webmail.cybar-net-pk.workers[.]dev
  • mail.pof-gov-pk.workers[.]dev

These domains use a similar domain naming convention to that detailed in the SloppyLemming report.

Figure 1. Screenshot of credential phishing pages present on www.login.webmailmigration[.]com in April 2024 (left) and mail.pof-gov-pk.workers[.]dev in August 2024 (right)

Additional similarities between the recent BlackBerry and Cloudflare reports include the actor’s use of malicious PDFs for malware delivery and a Pakistan-centric target scope.

Conclusion

It is likely that SloppyLemming is the actor responsible for the malicious activity described in BlackBerry’s recent report. This assessment is made with low confidence based on similar credential phishing and malware delivery TTPs, as well as a Pakistan-focused target scope. However, it is plausible that the BlackBerry report discusses a separate actor from SloppyLemming that is employing similar TTPs.

IOCs

paknavy[.]rf[.]gd
updateschedulers[.]com
packageupdates[.]net
finance-gov-pk[.]rf[.]gd
extension[.]webmailmigration[.]com
diplomaticservices[.]link

Fake Job Boards

Fake government job boards attempt to trick job seekers into providing personal information that may be used for fraud, phishing, or other malicious purposes. The bad actors behind these fake job boards cause harm by soliciting an application fee from victims, by instructing them to download malicious files, or by deceiving them into giving up personal information such as resumes, historic addresses, and contact information.

Multiple countries were identified as targeted by a high number of fake government job boards. For instance, many of the identified domains masquerading as US government job boards were reportedly associated with email campaigns. Those in Pakistan and India appear largely fraud-related and employ WhatsApp and Telegram groups. Fake Taiwanese government job postings are suspected to be harvesting personal information for phishing and fraud.

Similarly, nation states such as North Korea also host fake job postings for phishing and create fake personas in attempts to be hired by, and gain access to, western tech companies.

Details

Fake US Government Job Websites

A cluster of domains dating back to as early as 2017, together with their associated mail servers, has been used in email spam. The domain names masquerade as government job or contract bid sites. The domains are frequently configured to redirect to legitimate government job sites such as govcb[.]com and governmentcontracts[.]us, likely so that they appear more legitimate upon inspection.

Example mail server:

Website Title: Government Contracts | State, Local, and Federal Contract Opportunities in U.S.

Domains:
govcb-bids-alert[.]us
govcb-bids-bulletin[.]us
govcb-bids-notice[.]us
govcb-contracts-alert[.]us
govcb-contracts-news[.]us
govcb-contracts-notice[.]us
governmentbiddersinfo[.]us
governmentbiddinginfo[.]us
governmentcontracts-bids[.]us
governmentcontracts-opps[.]us
govnt-contracts-bulletin[.]us
govnt-contracts-news[.]us
govnt-contracts-notice[.]us
govtcontracts-bids-news[.]us
govtcontracts-bids-notice[.]us
topicfocus[.]com
usagovnmt-bids-alert[.]us
usagovnmt-contracts-alert[.]us

IP Addresses:
185.227.110.78
44.215.207.48

Email Addresses:
bizoppscast[@]gmail[.]com
9d8a0b48cf9f33e2s[@]gmail[.]com
openfos[@]gmail[.]com
ibcwork2000[@]gmail[.]com
bobbykin[@]gmail[.]com
dnswizard[@]gmail[.]com

Fake Taiwanese Government Job Websites

These domains spoof the legitimate taiwanjobs[.]gov[.]tw website for the purposes of phishing, information gathering, and credential harvesting. The taiwanjobs[.]gov[.]tw website itself displays a warning about ongoing phishing activity that uses look-alike websites.

Website Title: 台灣就業通 - 找工作 -- 一般會員登入 (Taiwan Jobs - Find a Job -- General Member Login)

Domains:
taiwanjobs-govi[.]store
job-taiwanjobs-gov[.]shop
taiwanjobs-gov[.]shop
taiwanjobs-govl[.]shop
taiwanjobs-govi[.]shop
taiwanjobs.tv-login[.]shop
taiwanjobs.login-hk[.]shop

Fake MELA Government Job Websites

Mela Network is the Middle Eastern arm of a global network spanning 46 countries. Their website states: “Mela's mission is to help executives in the MENA (Middle East and North Africa) region grow professionally and personally by exposing them to best practices in leadership and connecting them with a global network of peers.” [https://melanetwork.org/]

Website Title: Latest Government Job Updates
Domain: govtjobmela[.]com

WhatsApp / Telegram / Form Links:
https[:]//whatsapp[.]com/channel/0029VamcZ7z2f3EFetXjBT0Y
https[:]//forms[.]gle/cMGVxKaQtedP5aEn9
https[:]//docs.google[.]com/forms/d/e/1FAIpQLSc6XXH5piHCg6NAqf32tqifOCgGLoxsvSvvI7z7K7GDVvJGJw/viewform?usp=send_form

Trackers: N/A

Fake Indian Government Job Websites

Website Titles and Domains:
Homepage - Indian government job: indiangovermentjob[.]com
Odisha govt job.in: odishagovtjobb[.]com
Free Govt.Jobs New: freegovtjobsnews[.]in

WhatsApp / Telegram Links:
https[:]//whatsapp[.]com/channel/0029Vaf9yFa8qIzszkVsxC22
https[:]//t[.]me/odishagovtjobs_in
https[:]//telegram[.]me/freegovtjobsnews
https[:]//whatsapp[.]com/channel/0029Va9BF444tRrpPdiJ9Q3m

Trackers:
https[:]//www.googletagmanager[.]com/gtag/js?id=AW-827762966
https[:]//www.googletagmanager[.]com/gtag/js?id=G-CB0GVX4XGH
https[:]//www.googletagmanager[.]com/gtag/js?id=G-2FFTX02ZD9
https[:]//www.googletagmanager[.]com/gtag/js?id=G-B2J2TJBSQ1
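The tracker URLs recorded in these tables are useful pivots: sites run by one operator often reuse a Google tag, Ads conversion ID, or Tag Manager container across otherwise unrelated-looking domains. The following added Python example (not the report's own tooling) pulls such IDs out of page HTML and reports any ID shared by more than one domain. The HTML and domain names are constructed and the G-/AW-/GTM- values are placeholders, not the tracker IDs listed in the report.

```python
"""Pivot on web-analytics IDs shared between lookalike job-board domains.

Added example, not the report's tooling. PAGES is constructed HTML for
hypothetical domains; the G-/AW-/GTM- values are placeholders, not the
tracker IDs listed in the report.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Three ways a page commonly references a Google tag: the gtag.js loader
# URL, the gtag('config', ...) call, and the Tag Manager container loader.
TRACKER_RE = re.compile(
    r"(?:googletagmanager\.com/gtag/js\?id=|googletagmanager\.com/gtm\.js\?id="
    r"|\bgtag\(\s*['\"]config['\"]\s*,\s*['\"])"
    r"(?P<id>(?:GTM|AW|UA|G)-[A-Z0-9-]+)",
    re.IGNORECASE,
)

# Constructed sample pages (hypothetical domains, placeholder IDs).
PAGES: Dict[str, str] = {
    "jobs-a.example": (
        '<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER1"></script>'
        '<script>window.dataLayer=window.dataLayer||[];gtag("config","G-PLACEHOLDER1");</script>'
    ),
    "jobs-b.example": (
        '<script async src="https://www.googletagmanager.com/gtag/js?id=AW-000000001"></script>'
        "<script>gtag('config', 'G-PLACEHOLDER1');</script>"
    ),
    "unrelated.example": (
        '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>'
    ),
}


def extract_tracker_ids(html: str) -> Set[str]:
    """Return the set of Google tag / Ads / GTM IDs referenced in a page."""
    return {m.group("id").upper() for m in TRACKER_RE.finditer(html)}


def shared_trackers(pages: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each tracker ID used by more than one domain to those domains."""
    by_id: Dict[str, Set[str]] = defaultdict(set)
    for domain, html in pages.items():
        for tid in extract_tracker_ids(html):
            by_id[tid].add(domain)
    return {tid: sorted(doms) for tid, doms in by_id.items() if len(doms) > 1}


if __name__ == "__main__":
    for tid, doms in shared_trackers(PAGES).items():
        print(tid, "->", ", ".join(doms))
```

A shared tracker ID is a lead rather than proof of common ownership (agencies and site templates reuse them too), so it belongs alongside registration and hosting overlaps rather than replacing them.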

Fake Pakistan Government Job Websites

Fake Pakistan government job boards resemble the Indian government job boards above. WhatsApp channel and Telegram group links are displayed on the pages. Many of these sites are suspected to be used for phishing and fraud.

Website Titles:
Latest Government Jobs in Pakistan
Pakistan Governments Jobs 2024
Pakistan Governments Jobs
Government Jobs in Pakistan

Domains:
govtpakjobz[.]com
govtpakjobz[.]world
govtsjobspak[.]com
pakgovtsjobs[.]com
govtjobspk[.]online
dailygovtjob[.]site
allgovtjobz[.]pk
pkgovtjobz[.]site
pakistanigovtjobs[.]com
govtjobz[.]online

WhatsApp / Telegram Links:
https[:]//whatsapp[.]com/channel/0029VakKrcuHLHQaZ1GCtn0y

Conclusion

Fake job boards are common around the world. They seek to take advantage of job seekers’ motivations in order to harvest personal information, and may lead into additional fraud schemes, phishing, identity theft, and malware delivery.

Job seekers should conduct research on job postings before applying, recognize domain name masquerades and be wary of unsolicited job offers. Additionally, it's crucial to recognize red flags such as unexpected fees, high-pressure tactics, requests for sensitive personal information, and unknown personas offering special favors.

IOCs

govcb-bids-bulletin[.]us
govtcontracts-bids-notice[.]us
govtcontracts-bids-news[.]us
govcb-bids-alert[.]us
governmentbiddinginfo[.]us
governmentbiddersinfo[.]us
govcb-bids-notice[.]us
govcb-contracts-notice[.]us
govcb-contracts-news[.]us
govcb-contracts-alert[.]us
governmentcontracts-opps[.]us
governmentcontracts-bids[.]us
topicfocus[.]com
govnt-contracts-notice[.]us
govnt-contracts-news[.]us
govnt-contracts-bulletin[.]us
usagovnmt-contracts-alert[.]us
usagovnmt-bids-alert[.]us
govnmtcontractsbulletin[.]us
govnmt-contracts-notice[.]us
usagovnmt-bid-opps[.]us
usagovnmt-contract-opps[.]us
govnmt-contracts-board[.]us
usagovnmt-contractopps[.]us
govnmt-contractsboard[.]us
usagovnmt-bizopps[.]us
govnmt-contractbids[.]us
govnmtcontractsboard[.]us
govnmtcontractbids[.]us
usagovnmtbizopps[.]us
usagovnmtcontractopps[.]us
usa-govt-bid-opps[.]us
government-bids-notice[.]us
usagov-bidopps[.]us
usa-govt-bizopps[.]us
usa-govt-biz-opps[.]us
usa-govt-bids[.]us
governmentbids-alert[.]us
usa-govtbidopps[.]us
govbids-alert[.]us
usagovt-bidopps[.]us
usa-gov-bidopps[.]us
usa-gov-bizopps[.]us
usagov-bizopps[.]us
gov-bidsnotice[.]us
govbidopps[.]com
thytalk[.]us
wzip[.]us
usagvnmtcontractopps[.]us
usagvnmtbizopps[.]us
govnmtcontractsalert[.]us
govnmtcontractsnotice[.]us
govnmtcontractsnews[.]us
govnmtcontractsannounce[.]us
usagvnmtcontracts[.]us
usagvnmtbusiness[.]us
government-contracts[.]us
bidsguide[.]com
govnmtcontractnotice[.]us
usagovnmtbusiness[.]us
usagovnmtcontracts[.]us
govntcontractsbulletin[.]us
govntcontractnotice[.]us
usagovntcontracts[.]us
usagovntbusiness[.]us
govntcontractsnews[.]us
govntcontractsannounce[.]us
usagvntcontracts[.]us
usagvntbusiness[.]us
govntcontractsnotice[.]us
usagvntbizopps[.]us
govntcontractsalert[.]us
usagvntcontractopps[.]us
bidopps[.]us
govbids[.]us
govnt-contractsnotice[.]us
usagvnt-contractopps[.]us
govnt-contractsalert[.]us
usagvnt-bizopps[.]us
govnt-contracts-alert[.]us
usagovnt-contract-opps[.]us
usagovnt-businessopps[.]us
usagovt-contract-opps[.]us
govt-contractsnetwork[.]us
usagovt-business-opps[.]us
govt-bidsnetwork[.]us
usagovt-contractopps[.]us
gov-bidsnetwork[.]us
gov-contractsnetwork[.]us
usagovt-businessopps[.]us
usagovt-bids[.]us
usagov-business-opps[.]us
usagov-contract-opps[.]us
govt-contracts-notice[.]us
govt-contracts-alert[.]us
government-contracts-alert[.]us
usagov-businessoopps[.]us
gov-contracts-notice[.]us
gov-contracts-alert[.]us
usa-govtbizopps[.]us
usagov-businessopps[.]us
usagov-contractopps[.]us
government-contracts-notice[.]us
govnt-bidsnotice[.]us
govnt-bidsalert[.]us
usagovbiz-opps[.]us
usagovbid-opps[.]us
government-contractsalert[.]us
government-contractsnotice[.]us
government-bidsnotice[.]us
government-bidsalert[.]us
usagovnt-businessopportunities[.]us
usagovnt-contractopportunities[.]us
govt-bids-notice[.]us
govt-bids-alert[.]us
government-bids-alert[.]us
governmentbids-notice[.]us
gov-bids-alert[.]us
govbids-notice[.]us
usagovt-bizopps[.]us
gov-bidsalert[.]us
gov-bidsnotice[.]us
govt-bids[.]us
govt-contracts[.]us
usagovntbidsnetwork[.]us
usagovntcontractsnetwork[.]us
government-bids[.]us
usagovtbidsnetwork[.]us
usagovtcontractsnetwork[.]us
govtbidsnetwork[.]us
govtcontractsnetwork[.]us
usagovntbusinessopportunities[.]us
usagovntcontractopportunities[.]us
topicfacts[.]com
govntbidsalert[.]us
govntbidsnotice[.]us
usagovntbidopps[.]us
usagovntbizopps[.]us
mfgpages-update[.]com
govntbusiness[.]us
govntcontract[.]us
usagovntbusinessopps[.]us
usagovntopportunities[.]us
wordvia[.]com
anydic[.]com
bidsalert[.]us
citydataregistry[.]com
citydirectorylisting[.]com
cityfoslisting[.]com
cityprofilelisting[.]com
cityprofileregistry[.]com
contractopps[.]us
govbidalert[.]com
govbidnotices[.]com
govbidsalert[.]com
govbidsnetwork[.]us
govbizopportunities[.]com
govbusinessopportunities[.]us
govcbinc[.]com
govcontractalert[.]com
govcontractopportunities[.]us
govcontractopps[.]com
govcontractsnetwork[.]us
governmentbidsguide[.]com
governmentbusinessopps[.]us
governmentcontractopps[.]us
governmentcontractsalert[.]us
governmentcontractsannounce[.]us
governmentcontractsbids[.]us
governmentcontractsinfo[.]us
governmentcontractsnotice[.]us
governmentcontractsopps[.]us
governmentopportunities[.]us
govtbidalerts[.]us
govtbids[.]us
govtbidsalert[.]us
govtbidsfocus[.]us
govtbidsnotice[.]us
govtbizopps[.]us
govtbusinessopportunities[.]us
govtcontractalerts[.]us
govtcontractopportunities[.]us
govtcontracts[.]us
govtcontractsfocus[.]us
gvtender[.]com
openb2bdirectory[.]com
openb2bsearch[.]com
openbizsearch[.]com
slbidgov[.]com
statelocalbids[.]com
usabidopportunities[.]com
usabidopps[.]com
usabizopportunities[.]com
usabizopps[.]com
usacontractingopps[.]us
usacontractopportunities[.]us
usagovbizopps[.]us
usagovcontractopps[.]us
usagovernmentbids[.]us
usagovernmentbusinessopportunities[.]us
usagovernmentcontractopportunities[.]us
usagovernmentcontracts[.]us
usagovernmentopportunities[.]us
usagovtbidopps[.]us
usagovtbizopps[.]us
usagovtbusinessopportunities[.]us
usagovtbusinessopps[.]us
usagovtcontractopportunities[.]us
usagovtcontractopps[.]us
usaopportunities[.]us
Hunting Phishers

Ever think about the duality of fishing and hunting? Folks may argue fishing is a more passive endeavor. One sets a lure and waits. Hunting on the other hand, folks may argue, is a more active endeavor in which a hunter might generally be expected to seek out their intended target. 

Let’s put this in terms of cyber threats. Most humans by now have undoubtedly heard of cyber attacks and perhaps even had some experience with phishing in its various forms, be it over email, text, voice call, or a Discord channel. But what about the threat hunters? Threat hunting proactively seeks out undetected threats, usually within an organization’s network. Investigating indicators in a threat report can identify suspicious domains, detect patterns, and correlate findings with other sources.

With that said, thousands upon thousands of ill-intent domains are registered every day and some few fine folks set out the hounds and have a proper hunt. As one does, the trails are scoured and more indicators are found. But without further ado, this is one such quarry.

Opening Meet

This hunt got its start from a Cloudflare report on SloppyLemming. Also known as Outrider Tiger, SloppyLemming has reportedly been targeting Pakistani entities, among others in Southeast Asia, since late 2022. A range of domains have been used to lure victims into credential harvesting sites and to deliver malware.

Frequent Domain Registration Patterns

  • Use of Cloudflare services
  • 90-day SSL certificates
  • Trends in domain naming convention
  • Frequently assessed with risk scores of 100 by DomainTools

There’s the scent and the hunt begins. Sifting through domain registrations, DNS records, web scan data and the like, the lines form.

Hunting For Associated Indicators:

SloppyLemming domain `aljazeerak[.]online`

Website Title `Pakistan International Airlines - PIA | Great People to Fly With`
-> Unreported domain `fly-pakistan[.]com`

Historic Screenshot of domain aljazeerak[.]online masquerading as a Pakistani Airline

SloppyLemming domain `itsupport-gov[.]com`

whois email `abdulrehm8282[@]gmail[.]com`

-> Unreported domain `itsupport-gov[.]net`

- SSL temok[.]com + MX eye-mail[.]net + Registrar NameSilo 

- Has Google Code `G-5XJE64N2SQ`

SloppyLemming domains `cflayerprotection[.]com, cloudlflares[.]com`

Whois Email `cht8p9zpl5[@]domprivacy[.]de`

-> Unreported domains

mfaturk[.]com

firebasebackups[.]com

cloudproxyserv[.]com

Historic Screenshot of domain paknavy-pk[.]org

Hunting Cloudflare Workers With Subdomain Name Masquerades in DNS Records

Next, we search for Cloudflare workers[.]dev subdomains that combine a navy or gov element with a pk or lk element, using DNSDB Scout.

;; query: Regex RRNames (navy|gov)-(pk|lk).+workers\.dev\.$ ANY (Limit 5000) // Last After: 2024-09-26 00:00:00 (UTC)

Sample:

```
anfbalochistan-gov-pk.workers[.]dev
clickonce.pakistan-gov-pk.workers[.]dev
cpanel-nha-gov-pk.pakistan-gov-pk.workers[.]dev
discordoutput.pakistan-gov-pk.workers[.]dev
email-moitt-gov-pk.pakistan-gov-pk.workers[.]dev
fbr-gov-pk-auth.workers[.]dev
gda-gov-pk.kr-i-sas-orv-e-l-a.workers[.]dev
gov-pk.workers[.]dev
gov-pkgov.workers[.]dev
gwadarport-gov-pk.gwadarportt.workers[.]dev
helpdesk-police-gov-pk.aabhimulla446.workers[.]dev
instagram-com.pakistan-gov-pk.workers[.]dev
ispr-gov-pk.workers[.]dev
kpt-gov-pk.workers[.]dev
maif-piac-aero.gov-pkgov.workers[.]dev
mail-asian-parliament-org.pakistan-gov-pk.workers[.]dev
mail-communication-gov-pk.pakistan-gov-pk.workers[.]dev
mail-depo-gov-pk.govtpak.workers[.]dev
mail-depo-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-dgdp-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-ecac-gov-pk.pakistan-gov-pk.workers[.]dev
mail-ecp-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-ecp-gov-pk.pakistan-gov-pk.workers[.]dev
mail-fbr.gov-pk.workers[.]dev
mail-gwadarport-gov-pk.kr-i-sas-orv-e-l-a.workers[.]dev
mail-gwadarport-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-hit-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-invest-gov-pk.gwadarportt.workers[.]dev
mail-islamabadpolice-gov-pk.ntc-telecommunication-safecity.workers[.]dev
mail-kpt-gov-pk.gob-pk.workers[.]dev
mail-kpt-gov-pk.niancao010.workers[.]dev
mail-kpt-gov-pk.pak-gov-pk.workers[.]dev
mail-mod-gov-pk.pakistan-gov-pk.workers[.]dev
mail-modp.gov-pkgov.workers[.]dev
mail-modp-gov-pk.govtpak.workers[.]dev
mail-modp-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-modp-gov-pk.pak-gov-pk.workers[.]dev
mail-mofa-gov-pk.pakistan-gov-pk.workers[.]dev
mail-na-gov-pk.na-gov-pk.workers[.]dev
mail-nba-gov-pk.pakistan-gov-pk.workers[.]dev
mail-ntc-net-pk.gov-pkgov.workers[.]dev
mail-paf-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-paknavy.gov-pk.workers[.]dev
mail-pc-gov-pk-login.ethanhunthero125.workers[.]dev
mail-pof-gov-pk.govtpak.workers[.]dev
mail-ppra-org-pk.pakistan-gov-pk.workers[.]dev
mail-punjab-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-punjab-gov-pk.ntc-telecommunication-safecity.workers[.]dev
mail-punjab-gov-pk.punjab-info-tech-board.workers[.]dev
mail-sco-gov-pk.mil-bd.workers[.]dev
mail-sco-gov-pk.ntc-telecomcorporation.workers[.]dev
meharusman524gov-pk.workers[.]dev
meharusman524gov-pk4230.workers[.]dev
na-gov-pk.workers[.]dev
na-gov-pk-bfd.workers[.]dev
navy-lk.workers[.]dev
nha-gov-pk.pakistan-gov-pk.workers[.]dev
old-violet-aae5.meharusman524gov-pk4230.workers[.]dev
pak-gov-pk.workers[.]dev
pakistan-gov-pk.workers[.]dev
paknavy-gov-pk.workers[.]dev
pitb.gov-pkgov.workers[.]dev
pitb-gov-pk.workers[.]dev
pmo-gov-pk-auth.workers[.]dev
pof-gov-pk.workers[.]dev
pythonscanner.gov-pkgov.workers[.]dev
reports-ecp-gov-pk.mlc-landdistribution.workers[.]dev
throbbing-sun-f4e8.meharusman524gov-pk4230.workers[.]dev
wapda-gov-pk.workers[.]dev
webmail.wapda-gov-pk.workers[.]dev
webmail-gda-gov-pk.gwadarportt.workers[.]dev
webmail-wapda-gov-pk.pakistan-gov-pk.workers[.]dev
worker-cool-credit-6d6f.navy-lk.workers[.]dev
worker-dark-paper-2231.gov-pkgov.workers[.]dev
worker-patient-wave-96d1.pakistan-gov-pk.workers[.]dev
worker-plain-wind-01a9.pakistan-gov-pk.workers[.]dev
worker-silent-pond-c90d.pakistan-gov-pk.workers[.]dev
```

  • Site content of domain `pythonscanner.gov-pkgov.workers[.]dev`
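The list above is long enough that triaging it by hand is tedious, and the same dash-encoded pattern (mail-kpt-gov-pk for kpt.gov.pk) recurs throughout. The following added Python example, not code from the original post, automates the idea behind the DNSDB Scout regex: it keeps workers[.]dev names carrying the (navy|gov)-(pk|lk) tokens, recovers the domain each label imitates, and groups names by the Workers account that hosts them, which is the pivot that links apparently separate workers together. SAMPLE is a small constructed subset of the list above plus one unrelated name; the SUFFIXES, LURE_PREFIXES and LURE_SUFFIX_WORDS lists are heuristics chosen for this example.

```python
"""Triage workers.dev hostnames that encode a spoofed domain with dashes.

Added example, not code from the original post. SAMPLE is a constructed
subset of the post's list; SUFFIXES, LURE_PREFIXES and LURE_SUFFIX_WORDS
are heuristics chosen for this illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

HOST_RE = re.compile(r"^(?:(?P<sub>[a-z0-9-]+)\.)?(?P<account>[a-z0-9-]+)\.workers\.dev$")
HUNT_RE = re.compile(r"(navy|gov)-(pk|lk)")  # same tokens as the DNSDB Scout query

# Multi-token suffixes first so "gov-pk" wins over plain "pk".
SUFFIXES = ("gov-pk", "gov-lk", "org-pk", "net-pk", "mil-bd", "pk", "lk", "com", "org", "aero")
LURE_PREFIXES = ("mail", "webmail", "email", "cpanel", "helpdesk", "reports")
LURE_SUFFIX_WORDS = ("auth", "login")

SAMPLE = [  # constructed subset of the post's list, plus one unrelated name
    "mail-kpt-gov-pk.pak-gov-pk.workers[.]dev",
    "mail-kpt-gov-pk.niancao010.workers[.]dev",
    "webmail-gda-gov-pk.gwadarportt.workers[.]dev",
    "mail-pc-gov-pk-login.ethanhunthero125.workers[.]dev",
    "fbr-gov-pk-auth.workers[.]dev",
    "navy-lk.workers[.]dev",
    "worker-cool-credit-6d6f.navy-lk.workers[.]dev",
    "pythonscanner.gov-pkgov.workers[.]dev",
    "mail-pof-gov-pk.govtpak.workers[.]dev",
    "example-worker.somebody.workers[.]dev",
]


def refang(host: str) -> str:
    """Undo the [.] defanging used in the report and normalise case."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")


def decode_spoof(label: str) -> Optional[str]:
    """Turn a dash-encoded label such as mail-kpt-gov-pk into kpt.gov.pk.

    Dashes inside the real name are ambiguous (asian-parliament-org could
    be asianparliament.org), so treat the result as a lead, not a fact.
    """
    tokens = label.lower().split("-")
    while tokens and tokens[0] in LURE_PREFIXES:
        tokens.pop(0)
    while tokens and tokens[-1] in LURE_SUFFIX_WORDS:
        tokens.pop()
    for suffix in SUFFIXES:
        parts = suffix.split("-")
        if len(tokens) >= len(parts) and tokens[-len(parts):] == parts:
            # a one-token suffix needs something in front of it; a two-token
            # suffix such as gov-pk is already a full domain (gov.pk)
            if len(tokens) > len(parts) or len(parts) > 1:
                return ".".join(tokens)
    return None


def triage(hostnames: List[str]) -> List[dict]:
    """Keep names matching the hunt regex and annotate each with its pivots."""
    rows = []
    for raw in hostnames:
        host = refang(raw)
        m = HOST_RE.match(host)  # one optional worker label, then the account label
        if not m or not HUNT_RE.search(host):
            continue
        sub, account = m.group("sub"), m.group("account")
        spoof = decode_spoof(sub) if sub else None
        rows.append({"host": host, "account": account, "worker": sub or account,
                     "spoofed": spoof or decode_spoof(account)})
    return rows


def by_account(rows: List[dict]) -> Dict[str, List[str]]:
    """Group hostnames by the Workers account label, the strongest pivot."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for row in rows:
        groups[row["account"]].append(row["host"])
    return dict(groups)


def spoofed_targets(rows: List[dict]) -> List[str]:
    """Distinct domains the selected names appear to imitate."""
    return sorted({row["spoofed"] for row in rows if row["spoofed"]})


if __name__ == "__main__":
    rows = triage(SAMPLE)
    for account, hosts in by_account(rows).items():
        print(account, "->", ", ".join(hosts))
    print("imitated:", ", ".join(spoofed_targets(rows)))
```

Grouping by account is what turns a list of lookalike hostnames into a handful of operator-controlled pivots: every worker under one account (pakistan-gov-pk, ntc-telecomcorporation and so on in the list above) was deployed from the same Cloudflare account, whatever entity its own label imitates.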

Hunting for Domain Masquerades in Whois and Web Scans

Here we hunt for Pakistani domain masquerades that use Cloudflare. Broader hunts of this kind are apt to uncover unintended prey; in this case we stumbled on a mix of Pakistani travel and government job boards and crypto exchange masquerades.

```
govtjobspak[.]live
pakkjob[.]com
pakgovtsjobs[.]com
gov-declare[.]help
karakfinance[.]cfd
fi-ton[.]org
```

```
search:query=CoinTelegraphLegal.pdf&crumb=location:\\45.82.13[.]15@80\Downloads\&displayname=Downloads
```

Conclusion

Hunting for undetected threats can take on many forms. Prompted by threat reports and intelligence, threat hunters may cast a wider net to seek out undetected indicators, detect patterns, and correlate findings with other sources of information. That said, wider nets can catch more than the intended quarry. In this case we found an ecosystem of websites impersonating Pakistani airlines and government job boards, as well as remnants of malicious domains and scanners on Pakistani government domains. While it may not all be SloppyLemming activity, it highlights an apparently widespread targeting of Pakistan.

References

https://www.cloudflare.com/threat-intelligence/research/report/unraveling-sloppylemmings-operations-across-south-asia/

Credential Phishing Pages Mimicking Legitimate Webmail Login Portals

Since 1 August 2024, a likely India-nexus targeted intrusion actor has targeted entities in China and South Asia using credential phishing pages mimicking legitimate webmail login portals. Domain naming conventions as well as observed phishing pages reveal likely targeting of entities in the government and defense sectors. Observed tactics, techniques, and procedures and target scope are consistent with public reporting on Indian targeted intrusion actors.  

Details

Identified domains share the following similarities:

  • Registration via 1api registrar service
  • Use of Royalhost nameservers
  • Resolving to the IP address 65.21.85[.]206
  • Domain naming convention using webmail login or file download themes often combined with references to specific, likely targeted entities

The 65.21.85[.]206 IP address is a shared host resolving numerous domains likely unrelated to the India-nexus targeted intrusion activity. However, historical data from this host indicates the India-nexus actor has used 65.21.85[.]206 since at least April 2024 to host phishing domains.  
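As an added example, not the report's own tooling, the following Python heuristic scores hostnames for the two naming patterns described above: government-entity masquerades hosted on public cloud subdomains (the workers[.]dev hunt) and webmail-login or file-download lure names combined with a targeted entity. The token lists, the scoring weights and the two benign sample names are assumptions; the remaining sample domains are taken from this page.

```python
import re
from dataclasses import dataclass

# Added hunting heuristic (assumption-based, not the report's own tooling). It
# scores hostnames for government-entity masquerades on public cloud subdomains
# and for webmail/file-download lure names tied to a targeted entity. The token
# sets below are assumptions drawn from the domains listed on this page.
TARGET_TOKENS = ("gov-pk", "gov.pk", "gov.cn", "pakistan", "paknavy", "wapda",
                 "pitb", "navy", "mofa", "nepal")
LURE_TOKENS = {"webmail", "mail", "mails", "mailbox", "owa", "coremail", "login",
               "auth", "download", "downloads", "files", "attachments",
               "preview", "sessionexpired", "expired", "secure", "drive"}
CLOUD_SUFFIXES = (".workers.dev", ".netlify.app")

@dataclass
class Finding:
    host: str
    target_hits: list
    lure_hits: list
    cloud_hosted: bool
    score: int
    suspect: bool

def normalise(host: str) -> str:
    # undo the report's [.] defanging and lower-case before matching
    return host.strip().lower().replace("[.]", ".")

def assess(raw_host: str) -> Finding:
    host = normalise(raw_host)
    # entity references match as substrings, so "gov-pkgov" still hits "gov-pk"
    targets = sorted(t for t in TARGET_TOKENS if t in host)
    # lure words must be whole labels once the name is split on "." and "-"
    labels = set(re.split(r"[.\-]", host))
    lures = sorted(labels & LURE_TOKENS)
    cloud = host.endswith(CLOUD_SUFFIXES)
    score = 2 * len(targets) + len(lures) + int(cloud)
    # flag an entity reference paired with a lure word, cloud hosting, or a
    # second entity reference (e.g. nepal-mofa); lure words alone are too common
    suspect = bool(targets) and (bool(lures) or cloud or len(targets) >= 2)
    return Finding(host, targets, lures, cloud, score, suspect)

def hunt(hosts):
    # suspect findings only, highest score first
    return sorted((f for f in map(assess, hosts) if f.suspect),
                  key=lambda f: -f.score)

# constructed sample: domains from this report plus two benign names
SAMPLE = ["pitb-gov-pk.workers[.]dev", "navy.lk.mails-gov[.]com", "nepal-mofa[.]com",
          "webmail-wapda-gov-pk.pakistan-gov-pk.workers[.]dev", "docs.python.org",
          "mod.gov.cn.inviation.mail-files-open-preview[.]com", "example-app.workers[.]dev"]
```

Running `hunt(SAMPLE)` flags five of the seven names; a candidate list from passive DNS or certificate transparency can be fed in the same way, and the token sets should be tuned to the entities a defender actually cares about.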

Figure 1. Example Credential Phishing Page from nepal-mofa[.]com

Analysis of this activity also shows one of the actor-registered domains (never-giveup.mail-downloadfiles[.]com) redirecting to a credential phishing page hosted on the cloud service Netlify (large-files-d0wnl0ad-session-expired.netlify[.]app). These domains are likely being used to target Chinese entities.

Figure 2. Chinese-language Credential Phishing Page Hosted on Netlify


Conclusion

This activity is consistent with targeted intrusion activity identified in previous public reporting. Naming conventions are generally consistent with activity from the group known as Sidewinder, with domains spoofing webmail login portals and the targeting of entities in China and South Asia. The India-nexus targeted intrusion group known as Patchwork has also historically exhibited a similar target scope.

Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks

A recent article from KrebsOnSecurity details that at least a dozen organizations with domain names at the registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven't set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace account that hadn't yet been registered, merely by supplying an email address tied to an existing domain.

Read the research: https://krebsonsecurity.com/2024/07/researchers-weak-security-defaults-enabled-squarespace-domains-hijacks/

M-Trends 2024 Special Report

In this 15th edition, M-Trends provides an inside look at the evolving cyber threat landscape, with data drawn directly from frontline incident response investigations and threat intelligence findings of high-impact attacks and remediations around the globe.

  • The latest incident response metrics including dwell times, detection sources, initial infection vectors, and so much more
  • China-nexus attackers increasingly targeting edge devices and platforms that lack EDR
  • Trending adversary operations and motivations behind zero day attacks
  • The evolution of phishing techniques amidst modern security controls
  • How attackers are leveraging AiTM to compromise multi-factor authentication safeguards
  • The reasons and solutions behind growing cloud and hybrid cloud environment intrusions
  • How AI is effectively used in red and purple team operations to help boost cyber defenses

Read Anton Chuvakin's take on the report: https://medium.com/anton-on-security/reading-the-mandiant-m-trends-2024-acb3208add80
