Skip to main content
Back to Research
C2
Malware

Chinese Malware Delivery Domains Part II: Data Collection

Published on: 
February 10, 2025
On This Page
Share:

This report dives deeper into activity relating to the previously reported cluster of Chinese Malware Delivery domains. Spoofed download websites of many common applications were observed collecting user information and delivering malware to Chinese speaking users.

Details

This report examines a second cluster of over 1100 domains suspected to have been registered by the same group between April 2024 to January 2025.

Cluster 1: The previously reported Chinese Malware Delivery domains appeared dedicated to malware delivery with minimal dynamic content or obfuscation employed. Primarily delivers Windows backdoors and info stealers. Minimal variability in HTML and JavaScript code.

Cluster 2: Suspected to be broadly focused on user data collection and selective malware delivery. Websites employ highly variable and obfuscated JavaScript files and multiple web analytic services. Purport to host binaries for Windows, macOS, iOS, and Android operating systems.

Spoofed Websites

Very similar to Cluster 1, Cluster 2 involves spoofs of many common applications from messenger apps, VPNs, cryptocurrency exchanges, gaming platforms, game emulators, online gambling, web browsers, and multimedia apps.

Below are screenshots of a sampling of the spoofed download websites over the past 60 days:

Domain Registration Details

The majority of the domains identified had common domain registration details:

  • Registrar: WebNIC Support
  • Server Type: Nginx, Cloudflare, Golfe2
  • Nameserver Domains: hndnsv1[.]com, hndnsv2[.]com
  • SSL Duration: 90 days

Emails qingqing7896[@]outlook[.]com
tuyang111888[@]gmail[.]com
yangtu111222[@]outlook[.]com
ck0937064862[@]gmail[.]com
qq752014[@]proton[.]me
yangtu666888[@]outlook[.]com
8tfmy1emr[@]mozmail[.]com
a8ddos[@]gmail[.]com
jtxr15[@]163[.]com
6888758[@]gmail[.]com
Registrant Contact Phone tel:+852[.]6675163
tel:+852[.]66751631
tel:+852[.]63825598
tel:+852[.]65820038
85263825598
tel:+852[.]85279504241
tel:+852[.]285451253
8526675163
Registrant Name wss dss
wangyiyi wangyiyi
caihua li
yi yi wang
wang yilu

The following heatmap shows the domain registration UTC timestamps for over 1000 domains from April 2024 to January 2025. The horizontal lines show the majority of the registrations occurred during the approximate working times 8 AM to 5 PM for China Time Zone and US East for comparison.

Domain registration times are not strong indicators of location as registrations can be done programmatically at any time. A heatmap of the registrations over time could be used to draw inferences on the normal operating times, volume and fluctuations of a threat group. One inference is that the actor commonly registers domains in bulk of 10 to 20 domains. Another is domain registrations continued steadily through recent US holidays of Thanksgiving, Christmas and New Years but made no new domain registrations from January 23 to February 8. The gap in domain registrations approximates to a week prior to and through Chinese New Year celebrations (January 29th - February 4th).

Based on a sampling of the 1200+ actor domains for domain registration costs, the cheapest registrations ranged from approximately $5 to $11 USD. Estimates based on these approximations suggest the actor may have spent over $6,000 in the past 10 months on domain registrations alone.

User Data Collection

Spoofed download websites were observed importing highly obfuscated JavaScript files. Their primary purpose appears to be to collect user data. Data is sent to one or more web analytic services. Primarily using Google Tag Manager (GTM), 51.LA and Baidu. A possible reason for using both a Chinese site analytics tracker and non-Chinese site analytic services is to improve data collection from users in and outside of China.

Typical data observed being collected:

Data collected include the following information about users in addition to setting cookies to potentially allow the tracking of users more long-term tracking across different websites.

  • IP addresses.
  • Browser type and version.
  • Operating system.
  • Screen resolution.
  • Referring website.
  • Pages visited and time spent on each page.
  • Geographic location (based on IP address).

Some websites were observed loading a js-sdk-recorder.min.js file and may attempt to screen record the browser session.

User browser data is collected and checks are performed to include looking for specific browser types and operating system.

The following are trackers extracted from the spoofed download sites and are suspected to be associated with the actor.


Google Tag Managers (GTM-)		 GTM-5P954SP
GTM-MG73JRC
GTM-T9RSM2B
GTM-5XB9N2J
GTM-WX6RDCT
GTM-KPB2L23
GTM-PBZC932

Google Analytics (G-)		 G-2517DCZEWG
G-5LJSE1G1G3
G-37ZJLQFQXW
G-BFW850DB5X

Google Analytics (UA-)
UA-18527314
Facebook 3440778589358687
2798670340360754
2074369089413155
Baidu 9219f302f4d003586fce1a5e683324f9
749a9b99a1c14a45712efed8c3b8fedd
cfce2b91900d6b26eacc4548cf269142
d4d1ee73c893371d6f711041bf64786f
3e8f2b2bdf2da00ce0564d6c6ef21b48
15a9e7243ee6e6441ab262ba4db61e8b
39f7c9431fdd7a3d6e06a177938de82a


SEO Poisoning and Traffic Generation

Creating thousands of websites and using SEO tactics could be aimed at increasing the site’s search ranking to appear higher in search results than legitimate sources. This can drive traffic to other malicious sites.

Fake Login Dashboards to Deliver Malware

The actor employs several websites themed as merchant backend management dashboards, payment services, crypto exchanges, email, and office applications. It is suspected that links to the fake login sites are distributed via phishing and similar means with the credentials shared to recipients. A mix of English and Chinese language use on the fake login websites and a common theme of merchant and payment backend management applications suggests the actor may be targeting English speaking individuals doing business in China.

Website Title: “Login | Upcube - Admin & Dashboard Template”

UPCUBE 商户后台管理 (“Merchant backend management”)

The sites were observed hard coding the credential validation checks in the HTML login forms such as the following example seen from malicious domain: “otpaycn[.]com”.

Upon Logging into the fake Merchant Backend Dashboard, the following index page is loaded. 

The only functional element is the Home Page at the top of the left panel. Clicking the Home Page loads an image in the center of the page that presents itself as a warning banner with a “Confirm” button. Clicking anywhere on the image initiates a download for a malicious dropper file that upon execution runs ValleyRAT on the system and downloads several modules from an Amazon S3 bucket providing additional functionality.

The image roughly translates to the following:

“VPN Usage Reminder Network connection failed, please use the dedicated network VPN It has been detected that your browser is missing the necessary VPN plug-in. Some functions cannot be used normally. Please update this function version first; if you choose to stop updating, you will not be able to use this function normally. What are the risks and how should I choose Confirm.”


Delivery Domain
otpaycn[.]com
Malware Download URL
https[:]//down[.]aydareklam[.]com/anacard.zip

Initial Download
7aa74fc5d5f1c356229fa83cd4330f8bfd1b640e09b897602382557fbeefd5ea anacard.zip
Unzips to 5f39c5fc10130916e3b67e617979eb22febccc274a88af7a43e21cc5311d3f20 anacard.exe
ValleyRAT dropped by anacard.exe
5cd549ca7b5a046afa1f9ddb679dbf04e8879307d2dd813c7d44d00525ab8638
Downloads https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/MSVCP140[.]dll
https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/xzc[.]exe
https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/vcruntime140_1[.]dll
https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/data[.]ini
https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/view[.]res
https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/VCRUNTIME140[.]dll
https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/libcef[.]dll
9b5957e7d9bf0863fc7247df9ea02deac6f1b1a22fc7b9d4dfd89f41f27a400e  data.ini
0003417d1ba6370aab194d2bab97e709bbf1d8efbf60d02a1c96117a2e7a7e3d  libcef.dll
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd  MSVCP140.dll
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e  vcruntime140_1.dll
a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8  VCRUNTIME140.dll
f63894af1b84fca6d2cb2732e0cf31d1523d6949edd4738c63663957d46dadae  view.res
7d14ba4da535892e469ca66c1f749bab553c2f9af04eb978d5200431a2f01435  xzc.exe


Malware

Notably, both clusters 1 and 2 were observed delivering identical Gh0stRAT and ValleyRAT binaries. Cluster 2 operates multiple varieties of spoofed website code, which often appear to utilize highly obfuscated JavaScript to collect user information and potentially selectively render functional malware delivery links. The majority of the websites were observed delivering 0-byte files, and less commonly copies of legitimate install files hosted locally on the site. A subset of the spoofed download sites were observed hosting identical Gh0stRat and ValleyRAT binaries as cluster 1 including “googleochrome[.]com” discussed in more depth later.

The 0-byte files are suspected to be placeholders, with real malware being delivered through obfuscated JavaScript dynamically loaded when certain user conditions are identified such as Geo IP location, language settings and browser type.

Earlier versions of the spoofed download sites appeared to typically host malware locally on the same spoofed website server. Later spoofed download sites began hosting files on other servers, commonly using other actor owned domains and often with subdomains “cnd.” or “down.”

More recent spoofed download sites continue to separate the spoofed websites from the hosted files by using Amazon’s CloudFront content delivery network such as the following: 

  • Spoofed download sites for Lets VPN: “letscavpn[.]com” & “letsekvpn[.]com”
  • Download URL: “https[:]//d2g2a3g6fn6aza.cloudfront[.]net/android/letsvpn-latest[.]apk”

Using CDNs such as CloudFront as a delivery network can obscure the true origin location of the malware and make detection and mitigation efforts more difficult. 

C2 Infrastructure

Identified multiple samples of suspected Gh0stRat backdoors being hosted from the spoofed download websites as having Command & Control (C2) to IP addresses. Multiple IP addresses shared the same server scan hash allowing a potential pivot to other IP addresses configured by the actor.

Malware delivery domain “googleochrome[.]com” spoofs as a Chrome browser download site and contains code to load content from a similarly named but different domain: “https[:]//down.googluchrome[.]com”

This initiates a file download for a file named “/Chrome.zip” with a SHA256 hash of “09efbe0c3e69c0f9a578bbbf0d475bd418497717921713779d1aa89dd2be35d6” 

Chrome.zip unzips a file named “Chrome.msi” with a SHA256 hash of “e39e44cb79c5b1918d8139cfbb6d2ada044dbe4b413e86504f10e902072743fd”

Chrome.msi contains a file named “payload”, 522863520bcc368631a2db5016a1af68f60ecb074ddf19c9e7bff9834bb05248

The payload file upon execution calls out to the following IP:

  • TCP 154.91.90[.]102:4433
  • TCP 154.91.90[.]102:10443

At the time of observed use, the IP hosted a WinRM service with a Shodan.io hash of “%3A897366806”. 145 IPs shared this hash and nearly all are under Tcloudnet, Inc organization. 

Triaging the IPs identified several have a recent history of malicious files communicating with them from similar variants.

154[.]82[.]85[.]79
206[.]238[.]115[.]153
154[.]82[.]85[.]14
156[.]251[.]24[.]167
156[.]248[.]77[.]177
206[.]238[.]115[.]38
154[.]82[.]92[.]231
156[.]251[.]18[.]26
206[.]238[.]221[.]10
206[.]238[.]115[.]132
156[.]251[.]25[.]187
206[.]238[.]123[.]166
154[.]91[.]64[.]50
206[.]238[.]198[.]133
154[.]91[.]64[.]75
206[.]238[.]42[.]223
206[.]238[.]70[.]202
206[.]238[.]115[.]203
154[.]82[.]67[.]135

Conclusion

A crucial aspect of this investigation lies in recognizing the broader implications of the observed tactics. History has repeatedly demonstrated that techniques initially deployed against one demographic or vertical are often adapted and repurposed to target others. While this campaign appears to currently focus on Chinese-speaking users, the sophisticated methods employed—including obfuscated JavaScript, strategic use of analytics services, and evolving infrastructure for malware delivery and data collection—represent a readily transferable playbook. Therefore, diligent monitoring and analysis of these tactics are not merely relevant to the current situation.

By proactively studying and understanding these techniques now, the cybersecurity community can better prepare for similar threats that may emerge, targeting different demographics and potentially posing a direct risk to a wider range of users in the future. This proactive approach is essential for developing effective defenses and mitigating the impact of future, related campaigns.

IOCs

Domains
letstxvpn[.]com
letsthvpn[.]com
letstvvpn[.]com
letstevpn[.]com
letstavpn[.]com
letstzvpn[.]com
letstnvpn[.]com
letstdvpn[.]com
letstuvpn[.]com
letstkvpn[.]com
otpaycn[.]com
okpaykol[.]com
todeskzsada[.]top
letscavpn[.]com
letsczvpn[.]com
letscnvpn[.]com
letscuvpn[.]com
letscxvpn[.]com
letscsvpn[.]com
letsckvpn[.]com
letschvpn[.]com
letscevpn[.]com
letscovpn[.]com
lestscvpn[.]com
lestsevpn[.]com
lestskvpn[.]com
lestsvvpn[.]com
lestsovpn[.]com
lestsxvpn[.]com
lestsuvpn[.]com
lestszvpn[.]com
lestsnvpn[.]com
lestsavpn[.]com
googleechrome[.]com
quickqzx[.]com
quickqzs[.]com
quickqzc[.]com
quickqzn[.]com
quickqza[.]com
quickqzk[.]com
quickqzv[.]com
quickqzo[.]com
quickqzu[.]com
quickqze[.]com
googlerchrome[.]com
googlecchrome[.]com
googleschrome[.]com
googlevchrome[.]com
googlezchrome[.]com
googlenchrome[.]com
googleachrome[.]com
googletchrome[.]com
googlexchrome[.]com
googleofanyi[.]com
googleochrome[.]com
letsrsvpn[.]com
letsravpn[.]com
letsrevpn[.]com
letsrnvpn[.]com
letsrzvpn[.]com
letsrxvpn[.]com
letsrvvpn[.]com
letsrkvpn[.]com
letsruvpn[.]com
letsrovpn[.]com
letselvpn[.]com
letsebvpn[.]com
letsevvpn[.]com
letsepvpn[.]com
letsenvpn[.]com
letsehvpn[.]com
letseovpn[.]com
letseuvpn[.]com
letsetvpn[.]com
letsekvpn[.]com
letskkvpn[.]com
quickqcs[.]com
quickqcx[.]com
quickqcz[.]com
letskrvpn[.]com
letskwvpn[.]com
letsksvpn[.]com
letskxvpn[.]com
letskpvpn[.]com
letskzvpn[.]com
letskivpn[.]com
letskuvpn[.]com
letsknvpn[.]com
letskvvpn[.]com
letskovpn[.]com
clashxh[.]com
clasheh[.]com
clashvh[.]com
letezvpn[.]com
letevvpn[.]com
letexvpn[.]com
googlofanyi[.]com
letescvpn[.]com
clashuh[.]com
letecvpn[.]com
clashch[.]com
googluchrome[.]com
googlochrome[.]com
winrarzip[.]com
ldplayerv[.]com
todesksc[.]com
wpsofficerx[.]com
wpsofficera[.]com
wpsofficers[.]com
wpsofficere[.]com
wpsofficerc[.]com
wpsofficeru[.]com
wpsofficerz[.]com
wpsofficerv[.]com
wpsofficero[.]com
wpsofficern[.]com
letsecvpn[.]com
letsexvpn[.]com
letsesvpn[.]com
letseavpn[.]com
letsezvpn[.]com
letsaevpn[.]com
letsacvpn[.]com
letsazvpn[.]com
letsavvpn[.]com
letsaxvpn[.]com
xhjianvpns[.]com
xhjianvpnx[.]com
xhjianvpnz[.]com
kuaimiaospn[.]com
kuaimiaoapn[.]com
kuaimiaoxpn[.]com
kuaimiaocpn[.]com
kuaimiaozpn[.]com
xhjianzpn[.]com
clashxa[.]com
xhjiancpn[.]com
clashxc[.]com
kuaichengz[.]com
kuaichengx[.]com
clashsx[.]com
linecu[.]com
linecf[.]com
clashsc[.]com
linecz[.]com
clashsz[.]com
wpsoffica[.]com
wpsofficc[.]com
wpsofficx[.]com
wpsoffico[.]com
wpsofficu[.]com
wpsofficv[.]com
wpsofficn[.]com
wpsofficb[.]com
wpsofficz[.]com
wpsofficw[.]com
ldplayers[.]com
winrarr[.]com
todesksn[.]com
xhjianvqn[.]com
xhjianvpnc[.]com
todeskzx[.]xyz
xhjianzvpn[.]com
xhjiansvpn[.]com
kuaichencx[.]com
kuaichencz[.]com
kuaichencs[.]com
xhjiannvpn[.]com
xhjianvnpn[.]com
xhjianavpn[.]com
xhjianevpn[.]com
xhjianxvpn[.]com
lestxvpn[.]com
lestvnpn[.]com
lestvwpn[.]com
lestnvpn[.]com
lesntvpn[.]com
lesetvpn[.]com
lestovpn[.]com
lesatvpn[.]com
lesstvpn[.]com
lestkvpn[.]com
xhjevpn[.]com
xhjvepn[.]com
wpsaoffice[.]com
wpsxoffice[.]com
wpscoffice[.]com
wpsooffice[.]com
wpsboffice[.]com
wpswoffice[.]com
wpsvoffice[.]com
wpsuoffice[.]com
wpsnoffice[.]com
wpszoffice[.]com
fallsearth[.]com
klimesh[.]com
rolandca[.]com
o-keil[.]com
yellowfiles[.]com
qmzdd[.]com
clashcx[.]com
clashcu[.]com
clashcv[.]com
cn-kuaifan[.]co
telegramxk[.]com
telegramxv[.]com
telegramxc[.]com
telegramxn[.]com
yiiwaiwai[.]com
telegram-zh[.]cn
xhjianvvpn[.]com
clashru[.]com
quicqkvv[.]com
quicqkvc[.]com
quicqkvn[.]com
quicqkva[.]com
quicqkve[.]com
meiqialx[.]com
meiqialz[.]com
meiqialc[.]com
meiqiale[.]com
meiqiala[.]com
nxhszx[.]com
clashxv[.]com
clashxz[.]com
clashxn[.]com
helloworldra[.]com
letssvbn[.]com
meiqiarrc[.]com
helloworldrc[.]com
letssvrn[.]com
meiqiarrv[.]com
clashvn[.]com
letssvqn[.]com
clashvx[.]com
meiqiarra[.]com
helloworldre[.]com
meiqiarrx[.]com
meiqiarre[.]com
tpidesign[.]com
meiqiacs[.]com
meiqiacx[.]com
meiqiacv[.]com
meiqiaci[.]com
meiqiacc[.]com
meiqiaco[.]com
meiqiaca[.]com
meiqiacr[.]com
meiqiace[.]com
meiqiacu[.]com
sougousruf[.]com
sougousrfo[.]com
sougoushrf[.]com
sougousrfa[.]com
sougousrfx[.]com
sougousrfn[.]com
sougousrfe[.]com
sougousrfu[.]com
sougousrfz[.]com
sougousrfc[.]com
360browseeu[.]com
360browseeo[.]com
360browseen[.]com
360browseeb[.]com
360browseev[.]com
360browseea[.]com
360browseet[.]com
360browseer[.]com
360browseex[.]com
360browseei[.]com
linebx[.]com
linebh[.]com
linebbv[.]com
linebbh[.]com
linebn[.]com
linebbc[.]com
linebu[.]com
linebbe[.]com
linebbr[.]com
linebbx[.]com
potatolen[.]com
potatoler[.]com
potatolea[.]com
potatolex[.]com
potatolec[.]com
potatoleu[.]com
potatoleo[.]com
potatoleb[.]com
potatolek[.]com
potatolez[.]com
letsppnu[.]com
letsppnw[.]com
letsppna[.]com
letsppnh[.]com
letsppni[.]com
letsppnc[.]com
letsppnb[.]com
letsppne[.]com
letsppnr[.]com
letsppnk[.]com
kuaifanrg[.]com
kuaifanga[.]com
kuaifange[.]com
kuaifangn[.]com
kuaifanne[.]com
clashh88[.]com
clashvvh[.]com
clashhvv[.]com
xhjianapn[.]com
xhjianppn[.]com
xhjianvvv[.]com
xhjianvvn[.]com
xhjiangvpn[.]com
potatua[.]com
potatun[.]com
potatue[.]com
potatuc[.]com
potatuo[.]com
clashcnm[.]com
clashcdn[.]com
clashchn[.]com
clashcnn[.]com
clashccn[.]com
clashrrn[.]com
clashrrv[.]com
clashrrs[.]com
clashhes[.]com
clashheu[.]com
clashhea[.]com
clashhew[.]com
clashhee[.]com
clashha[.]com
clashhr[.]com
clashhu[.]com
clashhe[.]com
clashho[.]com
letsvpnmna[.]com
letsvpnmnc[.]com
letsvpnmnb[.]com
letsvpnmnd[.]com
letsvpnmng[.]com
letsvpnmne[.]com
letsvpnmnf[.]com
letsvpnmnh[.]com
letsvpnmno[.]com
letsvpnmnk[.]com
letskbvpn[.]com
letskcvpn[.]com
letskavpn[.]com
letskhvpn[.]com
letskfvpn[.]com
letskkpn[.]com
letskgvpn[.]com
letskdvpn[.]com
letskevpn[.]com
letsktvpn[.]com
imtekkon[.]com
artklick[.]com
gpm-sprinklers[.]com
ratuiklan[.]com
frkls[.]com
davidtickle[.]com
forkling[.]com
backlinkskopen[.]com
kleinoaktrack[.]com
klinik-hp[.]com
lestvvmn[.]com
lestvvmnm[.]com
lestvvnm[.]com
lestvvnnm[.]com
lestvvnmm[.]com
letsvvvvpn[.]com
letswvvvpn[.]com
kuaicheum[.]com
kuaicheim[.]com
kuaichecm[.]com
kuaicheam[.]com
lestvvkpn[.]com
kuaicheem[.]com
lestvvwpn[.]com
lestvvopn[.]com
lestvvupn[.]com
lestvvspn[.]com
aydareklam[.]com
meiqiakefu[.]net
clashrra[.]com
clasheea[.]com
clasheec[.]com
clashees[.]com
clashrrc[.]com
clashrre[.]com
clashttb[.]com
clashtta[.]com
clashttc[.]com
chrome65[.]com
tor-browser[.]cn
tor-project[.]cn
lizengzhi[.]com
kuailianvpnxiazai[.]com
quickqqf[.]com
quickqqi[.]com
quickqqc[.]com
quickqqa[.]com
quickqqb[.]com
quickqqe[.]com
quickqqd[.]com
quickqqj[.]com
quickqqg[.]com
quickqqh[.]com
teleggrammm[.]com
telgeraam[.]com
telgerram[.]com
telgegamm[.]com
telgeranm[.]com
lestvvdpn[.]com
lestvvbpn[.]com
lestvvfpn[.]com
lestvvipn[.]com
lestvvapn[.]com
lestvvcpn[.]com
lestvvgpn[.]com
lestvvepn[.]com
lestvvhpn[.]com
lestvvjpn[.]com
zuqiujingcai[.]cn
teleggaream[.]com
quiqcke[.]com
quiqckc[.]com
quiqcka[.]com
hdktqj[.]cn
hdltdn[.]cn
zh-electrum[.]cn
hfgtpk[.]cn
hlrtfh[.]cn
torbrowser[.]cn
weidaoyou[.]com
title9guy[.]com
zhasang[.]com
dongchuo[.]com
cnmoldmaker[.]com
sddiankeshipin[.]com
clashesm[.]com
clashesn[.]com
clashesd[.]com
quicqker[.]com
quicqkor[.]com
quicqkir[.]com
xiaojiedai[.]com
buylevitrawww[.]com
torproject[.]cn
travel-reviews[.]com
laserdistance[.]com
telegramtcn[.]com
shangpingou[.]com
naxjx[.]com
51lingsheng[.]com
zglian[.]com
tiaojuan[.]com
fywjfang[.]com
ajktzx[.]com
qiasan[.]com
ruihejia[.]com
scyadina[.]com
threadsfind[.]com
yoondao[.]com
yooadao[.]com
youodao[.]com
yaoodao[.]com
youadao[.]com
ggvxlqxk[.]com
rgrvemni[.]com
ruqshjpb[.]com
agydlevy[.]com
urmfirxr[.]com
akozjqjj[.]com
rtoroyua[.]com
deknfmtp[.]com
nfbfeyab[.]com
bbctgkor[.]com
wckzzcln[.]com
vnfmuydn[.]com
xnlnvsnm[.]com
jtscvdnh[.]com
tesrjfqi[.]com
lkcbugrh[.]com
wjywyfht[.]com
vtgeaqvs[.]com
nugepfia[.]com
izvfarqf[.]com
kuaichenn[.]com
kuaichenng[.]com
kuaichemn[.]com
kuaichemm[.]com
kuaichenm[.]com
letsvuvpn[.]com
letsvvvpm[.]com
letsuuvpn[.]com
letsuvvpn[.]com
letsvvvvn[.]com
letszxcvpn[.]com
letsvwvpn[.]com
letsvvvnn[.]com
letsvvvpp[.]com
letsvvvpn[.]com
kuaivvnp[.]com
kuaivnnn[.]com
kuaivppp[.]com
kuaivppnn[.]com
kuaivppn[.]com
kuaivvvvn[.]com
kuaivvnnn[.]com
kuaivwvpn[.]com
kuaivvvpn[.]com
kuaivvvnn[.]com
vpn6[.]cn
whasapp[.]cn
saphagonapps[.]com
letsboppn[.]com
xhj-vpn[.]cn
oy311[.]cn
calshrrh[.]com
calshiiuh[.]com
calshunh[.]com
calshooih[.]com
calshuuh[.]com
calshdhh[.]com
calshhhh[.]com
xhjianvpn[.]com
calshrhh[.]com
xhjvvnpn[.]com
xhjivnvpn[.]com
xhjvvvpn[.]com
kuaicechen[.]com
xhjvwvpn[.]com
clashrsh[.]com
clashesh[.]com
kuaicachen[.]com
klysensor[.]com
sallypickles[.]com
seoiklan[.]com
taklogo[.]com
cbtinbrooklyn[.]com
beklegeliyorum[.]com
chacaraklabin[.]com
reklamagoogle[.]com
michaelklapper[.]com
tahtabisiklet[.]com
web-chrome[.]cn
telgegrame[.]com
quickloans4u[.]com
nepalklubben[.]com
shopfigbrooklyn[.]com
sdmkloire[.]com
nklandscaping[.]com
rocketbacklink[.]com
yesildagnakliyat[.]com
klubdj[.]com
weeklygamejam[.]com
emilyklinepianostudio[.]com
telegrgerm[.]com
letsvvpsv[.]com
telegrmerm[.]com
telegramrm[.]com
telegrxerm[.]com
telegrzerm[.]com
letsvvvsp[.]com
letsvppsn[.]com
letsvppsv[.]com
letsgotrain[.]com
telegroeem[.]com
telegroerm[.]com
telegroetm[.]com
telegroeum[.]com
telegroeom[.]com
telegroenm[.]com
oeokx[.]cn
telegramo[.]cn
telegraaem[.]com
telegraeam[.]com
telegracem[.]com
telegraerm[.]com
telegraenm[.]com
goolgechorme[.]com
gate-zh[.]cn
zh-gateio[.]cn
shdlukj[.]cn
kuaicchen[.]com
kaichenm[.]com
kuaichem[.]com
clashhn[.]com
clashsh[.]com
clsashh[.]com
baiijing[.]com
baijjing[.]com
baijingm[.]com
hellowold95[.]com
hellowold99[.]com
letsvvmp[.]com
letsnmpn[.]com
letsevvmp[.]com
letsvvppm[.]com
letseppn[.]com
letsppnn[.]com
levvvnnp[.]com
lsteppnn[.]com
letsvvvn[.]com
letspppn[.]com
letsvbnn[.]com
letspnvv[.]com
letsppnm[.]com
lesvvvpn[.]com
letsvppm[.]com
lestesvpn[.]com
letswpm[.]com
lesttvpn[.]com
lestepm[.]com
letsvvnn[.]com
zhchrome[.]cn
chromem[.]cn
chromecn[.]cn
letsviipn[.]com
reefhoteleilat[.]com
listgdp[.]com
saklimdasin[.]com
linkleech[.]net
kristalklaket[.]com
huikuaiche[.]com
mgintech[.]com
deeplyu[.]com
deeplqw[.]com
deeplwe[.]com
deeplty[.]com
deeplrt[.]com
deepseasecurity[.]com
mdeeb[.]com
deepdivedivingcenter[.]com
hellowold888[.]com
hellowold999[.]com
hellowold555[.]com
hellowold666[.]com
michelletuckerinternational[.]com
hellowold222[.]com
hekourenjia[.]com
valueshells[.]com
hellhathno[.]com
revsmarttech[.]com
deepwaterworship[.]com
hellarise[.]com
deepbass[.]net
hbklnb[.]com
backlinkmate[.]com
laurenmerkley[.]com
electrologyoklahoma[.]com
iklanutama[.]com
3klangrecords[.]com
tickletickletickle[.]com
omaha4g[.]com
pendikliler[.]com
healthbiweekly[.]com
swapbuckler[.]com
savporno[.]com
klinespeak[.]com
sidhivpharma[.]com
mgssys[.]com
52diaocha[.]com
telgearam[.]com
wpscee[.]com
yoodaofy[.]com
wahapps[.]com
wahastapp[.]com
okwallet[.]cn
sh-chrome[.]com
jordanwalker[.]net
silkypearl[.]com
fmnorfolk[.]com
volkcaravellethailand[.]com
telegasram[.]com
telegxzram[.]com
telegxcram[.]com
telegvcram[.]com
quiacqk[.]com
telegzxram[.]com
clashnn[.]com
quisckq[.]com
quixcqk[.]com
clashcs[.]com
pickledproductions[.]com
karyaiklan[.]com
exklusive-artikel[.]com
attacklive[.]com
catherinekluge[.]com
klipspringerhouse[.]com
davessprinklerrepair[.]com
hoteltaipa[.]com
nemalababaklopoty[.]com
falkenbergsrasfjaderfaklubb[.]com
feixiahao[.]com
aiconzh[.]com
damaiwang08[.]cn
ssrsvpn[.]com
execvpn[.]net
evevpn[.]com
letsmmvpn[.]com
quiqqkc[.]com
chromegglcn[.]com
quiqqck[.]com
quiccqk[.]com
telggearm[.]com
quikkcq[.]com
tellgegarm[.]com
quicqkq[.]com
ladenvpn[.]com
quikkqc[.]com
xhjvvpn[.]com
chromeglcn[.]com
telgegearm[.]com
chromegcn[.]com
signnnal[.]com
quiicqk[.]com
quiackq[.]com
skypeexe[.]com
telggearam[.]com
signnaal[.]com
signnaall[.]com
chromegcnh[.]com
quiecqk[.]com
teelgearm[.]com
chromeggch[.]com
skypenc[.]com
tellgeram[.]com
tellggearm[.]com
quiscqk[.]com
quiqcqk[.]com
guanfangkuailian[.]org
hfdthw[.]cn
hgltmn[.]cn
hscwlr[.]cn
dibzls[.]cn
zh-tradingview[.]cn
hlxtts[.]cn
dusku[.]online
zh-google[.]cn
ydao24[.]pro
yiwaiwai4[.]pro
guanfangkuailian[.]com
eyy13585[.]vip
tyuj234[.]xyz
imtiokon[.]com
imteikon[.]com
imtoikon[.]com
helloworld688[.]com
goagchrome[.]com
eyy8520[.]com
yooodao[.]com
okpaykol[.]com
kuailianletsvpn[.]org
imteeken[.]com
letspovpn[.]com
eyy2550[.]com
eyy2555[.]com
letsnmvpn[.]com
letssdvpn[.]com
letsvbvpn[.]com
letshjvpn[.]com
letsdfvpn[.]com
letscvvpn[.]com
letsxcvpn[.]com
letshkvpn[.]com
letsbmvpn[.]com
letsfgvpn[.]com
letsghvpn[.]com
letsahvpn[.]com
kuailian14[.]com
kuailian18[.]com
kuailian15[.]com
kuailian12[.]com
kuailian13[.]com
letsqwvpn[.]com
letstyvpn[.]com
kuailian17[.]com
kuailian16[.]com
letsrtvpn[.]com
letsuivpn[.]com
letswevpn[.]com
lets333vpn[.]com
kuailianvpn333[.]com
lets222vpn[.]com
lets999vpn[.]com
lets444vpn[.]com
lets666vpn[.]com
lets888vpn[.]com
lets777vpn[.]com
lets555vpn[.]com
kuailianvpn444[.]com
lets111vpn[.]com
kuailianvpn777[.]com
kuailianvpn1111[.]com
lets000vpn[.]com
kuailianvpn888[.]com
kuailianvpn2222[.]com
kuailianvpn555[.]com
kuailianvpn999[.]com
kuailianvpn666[.]com
kuailianvpn000[.]com
letsvpnop[.]com
letsvpner[.]com
letsvpnty[.]com
letsvpnio[.]com
letsvpnrt[.]com
letsvpnwwe[.]com
letsvpnqw[.]com
letsvpnyu[.]com
letsvpnui[.]com
letsvpnpa[.]com
letsvpn[.]lat
kuailian003[.]com
kuailian006[.]com
kuailian002[.]com
kuai04vpn[.]com
lets01vpn[.]com
kuailian004[.]com
lets02vpn[.]com
kuailian005[.]com
lets03vpn[.]com
lets04vpn[.]com
lets05vpn[.]com
kuai02vpn[.]com
kuai03vpn[.]com
kuai01vpn[.]com
kuai05vpn[.]com
irawc[.]cn
eyyej[.]cn
xrvdj[.]cn
vqxgs[.]cn
kuai3lian[.]com
kuai2lian[.]com
kuai1lian[.]com
kuai4lian[.]com
kuai5lian[.]com
lets11vpn[.]com
lets22vpn[.]com
lets33vpn[.]com
lets55vpn[.]com
lets44vpn[.]com
uxepr[.]cn
bzcrh[.]cn
iehpj[.]cn
zirhs[.]cn
pehby[.]cn
ibwtr[.]cn
eiqip[.]cn
ojply[.]cn
vglzd[.]cn
zuwlf[.]cn
vymip[.]cn
ozunv[.]cn
euaij[.]cn
azedg[.]cn
jqizv[.]cn
jvspq[.]cn
cibnj[.]cn
zfdfo[.]cn
kuaivpn777[.]com
kuaivpn666[.]com
kuaivpn999[.]com
letsvpn222[.]com
kuailian777[.]com
kuaivpn1[.]com
kuailian88[.]com
kuailian999[.]com
letsvpn444[.]com
letsvpn333[.]com
letsvpn555[.]com
kuailian668[.]com
kuaivpn555[.]com
kuaivpn4[.]com
letsvpn111[.]com
kuaivpn2[.]com
kuaivpn3[.]com
kuaivpn5[.]com
kuaivpn888[.]com
kuailian555[.]com
vkksc[.]cn
fliia[.]cn
fpewl[.]cn
kglbt[.]cn
sunraes[.]top
dfrub[.]cn
eatcg[.]cn
efcbh[.]cn
yxdxu[.]cn
unbcp[.]cn
vqbda[.]cn
nvlow[.]cn
steih[.]cn
azwmp[.]cn
letsppvv[.]com
letsnnn[.]com
letsddd[.]com
kuailian55[.]com
letsvvvv[.]com
kuailian44[.]com
letsllp[.]com
kuailian66[.]com
kuailian33[.]com
kuailian11[.]com
letsddvpn[.]com
letsggvpn[.]com
letsffvpn[.]com
letsiivpn[.]com
interparklogistics[.]com
66fj5[.]xyz
93va5[.]xyz
88nf1[.]xyz
44jw2[.]xyz
62ht6[.]xyz
18js8[.]xyz
letsvpncn[.]com
eyy258[.]com
chromegooch[.]com
fanyiyodao[.]com
telgearm[.]com
gmailgoole[.]com
wpssss[.]com
letsvpnnv[.]com
finalshell[.]cn
wpseee[.]com
letsrrvpn[.]com
letsllvpn[.]com
letshhvpn[.]com
qiuckqc[.]com
qiucqk[.]com
qiuqck[.]com
aisii4[.]com
todssk[.]com
todseks[.]com
todkes[.]com
imtuken[.]com
24gx6[.]xyz
44mu8[.]xyz
eyydowgm[.]com
eyydowm[.]com
eyykowm[.]com
eyydowz[.]com
eyydowr[.]top
xingcaiyinlong[.]com
zghjxh168[.]com
faribu[.]com
msklb[.]com
boatdeepcreeklake[.]com
keyklaw[.]com
kloewoman[.]com
shmingtao[.]com
fanshu8[.]net
zgfzzc[.]net
yuwtrde[.]buzz
eyydowom[.]xyz
eyydowi[.]xyz
zahjeaw[.]top
fazmake[.]top
nzaraw[.]top
znmakaf[.]top
makwtga[.]top
kznarfs[.]top
abwradk[.]top
zakermur[.]top
nahrewa[.]top
shazamr[.]top
nkawzae[.]top
letservpn[.]com
letsstvpn[.]com
letsbnvpn[.]com
letsvmvpn[.]com
letwwvpn[.]com
letstsvpn[.]com
letsvnvpn[.]com
acu97[.]cn
letszxvpn[.]com
awnliua[.]top
letsasvpn[.]com
hbgad[.]cn
letsssvpn[.]com
letsccvpn[.]com
letsaavpn[.]com
qdpmo[.]cn
udnucloud[.]com
letsbbvpn[.]com
letseevpn[.]com
letsttvpn[.]com
letsvpnpm[.]com
letsvpnvn[.]com
tokonim[.]com
fkaoq[.]top
fkooq[.]top
fkwoq[.]top
telegrm[.]cn
eyy255[.]com
eyy205[.]com
chromeggad[.]com
letsgvp[.]com
letsvvvnp[.]com
letsppvpn[.]com
kuailianwpn[.]com
letesvvpn[.]com
kuailianppvn[.]com
letsnnpvn[.]com
kuaivnp[.]com
letppvpn[.]com
letyyvpn[.]com
letfvvpn[.]com
letovvpn[.]com
letszvvpn[.]com
letxvvpn[.]com
letlvvpn[.]com
chromegoggl[.]com
0ray[.]cn
imtokonm[.]com
imtokom[.]com
letsvpnb[.]com
letsvpna[.]com
teiegrm[.]cn
buleyy[.]buzz
sineyy[.]buzz
mitucka[.]com
cheapchom[.]xyz
letsvpn[.]cn
letsvpne[.]com
lsetvvpn[.]com
ccbb122[.]com
kuaifanguanfang[.]org
kuaifanguanfang[.]com
kuaifangf[.]com
kuaifanguanwang[.]com
afdesede[.]xyz
hoipq[.]cn
cgdqg[.]cn
oevcb[.]cn
yukkm[.]cn
fbsen[.]cn
golchrome[.]com
vpupi[.]cn
utfpi[.]cn
zxywe[.]cn
tfewr[.]cn
wfekj[.]cn
qiecre[.]live
qvokj[.]cn
wuskj[.]cn
meiqianen[.]buzz
zyzmg[.]cn
meiqiapp[.]icu
kwjee[.]cn
ghdmxti[.]cn
dldvjf[.]cn
affeyy[.]buzz
nsebuy[.]cn
meicia[.]com
lstenvp[.]com
lsetpvn[.]com
lesttpn[.]com
lestgvpn[.]com
dianbaotg[.]store
letesvnp[.]com
speedsvpn[.]com
thzxmr[.]cn
letrpvn[.]com
lestnvp[.]com
lestpvn[.]com
todsek[.]com
todesks[.]com
letsgpn[.]com
marmeiq[.]xyz
qiemeato[.]com
meitoqia[.]app
winnrayr[.]top
yyaa9[.]buzz
yyaa7[.]buzz
letmvpn[.]com
yiwaiwaicselw[.]icu
meiqianc[.]buzz
kuailiao[.]org
yourman[.]mom
iefbp[.]cn
eyynly[.]xyz
meiqia[.]store
letspvn[.]com
lestcpn[.]com
jhtbj[.]mom
ghdhj[.]mom
hredhb[.]mom
sddjkg[.]mom
fhrtdh[.]mom
dgrghn[.]mom
shabdus[.]com
gjfkjgri[.]mom
lettsvpn[.]com
starlinkvpn[.]cn
miqialt[.]com
nejiwks[.]com
levtspn[.]com
womil[.]cn
letlvpn[.]com
kuailian[.]tv
mtrangqia[.]com
meiiqa[.]com
fkgds[.]com
uuu78[.]cn
xbshangcheng[.]vip
chgools[.]xyz
grhd[.]xyz
yww92[.]buzz
letsppn[.]com
meiqal[.]com
mieiarqia[.]com
weimqaia[.]xyz
kuailianguanfang[.]org
latsvpn[.]com
letovpn[.]com
meimq[.]cyou
letrvpn[.]com
letgvpn[.]com
vpn234[.]com
kuikell[.]com
letxvpn[.]com
letavpn[.]com
eyy252[.]com
kuai10[.]com
meiqea[.]com
kuailiat[.]xyz
letzvpn[.]com
fastsvpn[.]com
checkaso09[.]com
checkaso04[.]com
checkaso01[.]com
checkaso6[.]com
letshvpn[.]com
eyye[.]club
huwnag[.]com
eeeym[.]com
web3-corgi[.]world
meiqla[.]com
shanjiabao[.]top
meiqai[.]com
eyy66[.]com
uduncloud[.]icu
hellowold88[.]com
vip5005[.]com
okxym[.]com
letspn[.]com
lettvpn[.]com
whsatsapp[.]top
whasasapp[.]top
dyks68[.]com
letsxvpn[.]com
meiqiaapp[.]com
wahtsaipp[.]com
whasitsapp[.]com
siengl[.]com
kuailian[.]website
eyyche[.]buzz
letvspn[.]com
letsmvpn[.]com
whats-sapp[.]com
getmonero[.]net[.]cn
letsvpn[.]win
xhonghua[.]cn
xiaohongh[.]com
hppayplop[.]com
hppayolap[.]com
www[.]upc-ube[.]com
upcube[.]cc

IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/CNMalwareDelivery-Pt2

Related Content

Research
THE KNOWNSEC LEAK: Yet Another Leak of China’s Contractor-Driven Cyber-Espionage Ecosystem

Leaked Knownsec documents reveal China’s cyberespionage ecosystem. Analyze TargetDB, GhostX, and 404 Lab’s role in global reconnaissance and critical infrastructure targeting.

Learn More
Research
The APT35 Dump Episode 4: Leaking The Backstage Pass To An Iranian Intelligence Operation

APT35/Charming Kitten's leaked documents expose the financial machinery behind state-sponsored hacking. Learn how bureaucracy, crypto micro-payments, and administrative ledgers sustain Iranian cyber operations and link them to Moses Staff.

Learn More
Research
Chinese Malware Delivery Domains Part IV

Chinese Malware Delivery Domains Part IV uncovers 1,900+ new sites targeting Chinese-speaking users. Get a deep dive into infrastructure, TTPs, and AI-powered threat analysis.

Learn More

Heading

SecuritySnacks
Research
Newsletters
Podcast Episodes
About
No items found.