Hundreds of newly registered domains are actively targeting Chinese-speaking users with malware. This report analyzes this activity, detailing the range of deceptive lures employed, including imitations of messengers, browsers, VPNs, email services, and Adobe software.
Details
Since at least June 2024, a cluster of over four hundred domains has been registered to host spoofed websites that deliver malware to Chinese-speaking users. The spoofed application download sites have imitated web browsers, VPNs, chat and email applications, cryptocurrency wallets, and online gambling apps. These websites share commonalities in registration details, backend infrastructure, website configuration, and theme. The following is a sampling of those domains.
Identified malware families include Gh0stRAT, ValleyRAT, Remcos RAT, LummaStealer, RedLine, and others.
Malicious domain kuailianlow[.]com, which spoofs as Kuailian Accelerator VPN (快连加速器)
Index.html
Both Download buttons carry an onclick="down()" handler.
The down() function is defined in an inline script within the HTML. Its purpose is to construct the file download path. To do so it reads the global property window['filename'] (window is the page's global object, so this is a lookup of a global variable named filename, not a dictionary) and concatenates it onto the download directory.
The value of window['filename'] is set in the separately imported script filename.js. Keeping the payload name in its own file means the operators can change the delivered file without editing the landing page.
Expanding the search for similar websites and domain registration patterns identifies several spoofed VPN download websites.
Commonalities include a filename.js that holds the malicious filename, and Chinese-language text hard-coded into the page, whereas the legitimate websites serve content according to the language settings of the client's browser. The latter suggests a deliberate focus on Chinese-language users.
Several of the spoofed VPNs, such as LetsVPN, appear in online guides as popular choices for bypassing the Great Firewall of China.
A variant of the same technique imports an additional JavaScript file that dynamically loads the page content and wires up the download buttons.
Malicious domain, letscdn[.]world, which spoofs as LetsVPN
Excerpt from index.html - file download buttons whose href attributes call the JavaScript function onDownload()
Excerpt from index.html - importing "/assets/js/jquery.min.js" via script tags. The file name suggests the jQuery library, but the excerpt below shows it carries the site's own download logic.
Excerpt from “/assets/js/jquery.min.js” - loads script “/assets/download/filename.js” and returns the download URL as “https[:]//” + “letscdn[.]world” + “/assets/download” + “letsvpn-latest.rar”
The value of window.filename is set in another imported JavaScript file, "/assets/download/filename.js".
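The filename.js indirection used by both kuailianlow[.]com and letscdn[.]world can be resolved statically, without rendering the page, which is how an analyst can pull the payload URL out of a large batch of fetched landing pages and fingerprint pages that share the cluster's structure. The script below is an added example written for this article, not code from the report or from the sites themselves. The HTML and script bodies are constructed to mirror the pattern described above, and the regular expressions encode assumed conventions (a string literal such as "/assets/download/" concatenated with window.filename, and an onclick or javascript: href download handler), so a variant that builds the path differently would need a new pattern.

```python
import re
from urllib.parse import urljoin

# Constructed sample inputs modelled on the kuailianlow[.]com pattern described
# above. The markup and script bodies are illustrative, not captured from the site.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>快连加速器 - 官方下载</title>
<script src="/assets/js/filename.js"></script>
</head>
<body>
<h1>快连加速器 Windows 版</h1>
<button onclick="down()">立即下载</button>
<a href="javascript:down()">备用下载</a>
<script>
function down() {
  var url = "https://" + location.host + "/assets/download/" + window['filename'];
  location.href = url;
}
</script>
</body>
</html>
"""

# Contents of the external scripts the analyst fetched, keyed by their src path (constructed).
SAMPLE_SCRIPTS = {
    "/assets/js/filename.js": "window['filename'] = 'kuailian-latest.rar';",
}

SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.I)
INLINE_SCRIPT_RE = re.compile(r"""<script\b(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script>""", re.I | re.S)
ONCLICK_RE = re.compile(r"""onclick\s*=\s*["']\s*(\w+)\s*\(\s*\)""", re.I)
HREF_JS_RE = re.compile(r"""href\s*=\s*["']javascript:\s*(\w+)\s*\(\s*\)""", re.I)
# Matches window.filename as well as window['filename'] / window["filename"].
WINDOW_FILENAME = r"""window\s*(?:\.filename\b|\[\s*['"]filename['"]\s*\])"""
FILENAME_ASSIGN_RE = re.compile(WINDOW_FILENAME + r"""\s*=\s*['"]([^'"]+)['"]""")
# Assumed convention: a path literal such as "/assets/download/" concatenated with window.filename.
PATH_PREFIX_RE = re.compile(r"""['"]((?:/[\w.-]+)+/?)['"]\s*\+\s*""" + WINDOW_FILENAME)
CJK_RE = re.compile(r"[\u4e00-\u9fff]")


def collect_js(html, scripts):
    """Gather every script body available offline: inline blocks plus fetched files.
    Fetched files are included even when the HTML does not reference them directly,
    because the letscdn[.]world variant loads filename.js from another script."""
    return "\n".join(INLINE_SCRIPT_RE.findall(html) + list(scripts.values()))


def extract_filename(js):
    """Return the payload name assigned to window.filename, or None."""
    m = FILENAME_ASSIGN_RE.search(js)
    return m.group(1) if m else None


def extract_path_prefix(js, default="/assets/download/"):
    """Return the directory literal concatenated with window.filename; fall back to an assumed default."""
    m = PATH_PREFIX_RE.search(js)
    return m.group(1) if m else default


def resolve_download_url(base_url, html, scripts):
    """Statically reconstruct the payload URL without executing the page."""
    js = collect_js(html, scripts)
    filename = extract_filename(js)
    if filename is None:
        return None
    prefix = extract_path_prefix(js)
    return urljoin(base_url, prefix.rstrip("/") + "/" + filename.lstrip("/"))


def fingerprint(html, scripts):
    """Structural traits of the landing page that recur across this cluster."""
    js = collect_js(html, scripts)
    srcs = SCRIPT_SRC_RE.findall(html)
    handlers = set(ONCLICK_RE.findall(html)) | set(HREF_JS_RE.findall(html))
    return {
        "references_filename_js": any(s.rsplit("/", 1)[-1].lower() == "filename.js" for s in srcs)
        or "filename.js" in js,
        "sets_window_filename": FILENAME_ASSIGN_RE.search(js) is not None,
        "download_handlers": sorted(handlers),
        "hardcoded_chinese_text": CJK_RE.search(html) is not None,
        "negotiates_language": "navigator.language" in js,
    }


def matches_cluster(fp):
    """Heuristic: the filename.js indirection plus hard-coded Chinese text and no locale switching."""
    return (fp["references_filename_js"] and fp["sets_window_filename"]
            and fp["hardcoded_chinese_text"] and not fp["negotiates_language"])


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_HTML, SAMPLE_SCRIPTS)
    print(fp)
    print(resolve_download_url("https://kuailianlow.com/", SAMPLE_HTML, SAMPLE_SCRIPTS))
    print("cluster match:", matches_cluster(fp))
```

Run it over a directory of fetched index.html files together with whatever external scripts were saved alongside them. The fingerprint dictionary doubles as a hunting signature, and the negotiates_language check encodes the report's observation that the spoofs hard-code Chinese text instead of switching on the browser locale, which the legitimate sites do.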
Examples of fake login pages to deliver malware were also identified.
The following screenshot shows the malicious domains "xmengapp[.]top" and "xinmeng[.]xyz", which spoof a company called Genting Trust Union, purportedly an enterprise management platform that businesses use to engage customers. No legitimate company by that name was identified; the company and website are suspected to be fabricated to lure prospective marketing and sales teams. The website purports to offer several service and data-integrator apps for marketing purposes, but in fact delivers only the trojans described below.
Among the website's imported JavaScript files is "/assets/js/ebzcecf9.js", which contains the login credentials for the website. Credentials embedded in client-side JavaScript are readable by anyone who fetches the script, so the login page gates nothing and serves only as part of the lure.
Logging into the application would load the following landing page:
Notably, the "cloudtop" item in the top bar is a download button for a suspected malicious file, but the link returned a 404 at the time of analysis.
The main section (right) is a range of services and tools related to online marketing and lead generation such as driving traffic to websites, automating tasks, managing multiple accounts, managing phone numbers for telemarketing, integrating proxies, overseas payments, AI tools for content creation and the like.
The left panel contains a page link for “User Management”.
Clicking the blue "Click verification" button shown in the screen capture above opens a pop-up alert with the following message:
"Detected that the bundled plugin is not installed. Please install and retry."
Clicking "OK" opens a download prompt for the following .msi file. The MSI bundles multiple files, including ones that AV scanners flag as Gh0stRAT and Farfli trojans. A possible C2 was identified as "134.122.135[.]95", which is a suspected ValleyRAT C2.
The associated malware, activity, and methodology overlap closely with reporting by the Knownsec 404 team and Fortinet on a suspected APT activity cluster named "Silver Fox".
Compendium of Chinese Malware Delivery Domains
The following are examples of the spoofed websites used to deliver malware in this cluster of activity from at least June 2024 through January 2025. Example malware delivery domains and, where available, their malware download URLs and SHA256 hashes are provided for each. This listing is not exhaustive of the variety of spoofed websites observed.
Spoofs as QuickQ, a network accelerator and encrypted traffic tool.
Spoof of Yuanqi, a website and app providing anime wallpapers without watermarks.
yqdesk[.]top
Spoof of KARIOS, which purports to be an "SMS provider" for sending text messages.
karlosqp[.]xyz
Spoofs an unnamed merchant backend login page. Clicking login produces a pop-up with a "please install" link for a malicious file posing as cryptokit_sando. Clicking OK redirects to an /update page with a banner to download the same file, this time posing as a Flash Player update.
Spoofs Dex Screener, a cryptocurrency website. Clicking any button opens a pop-up with a download link posing as a Flash Player update. The download contains samples of Gh0stRAT and Blackmoon malware.
Spoofs of DeepL Pro, a machine translation company. The service purports to emphasize data security with end-to-end encryption and automatic deletion of translated text.
deepil[.]top
Spoofs of DeepL Pro, a machine translation company. The service purports to emphasize data security with end-to-end encryption and automatic deletion of translated text.
deeplx[.]top
Spoofs as 2345 Image King, software for viewing images.
2345ktws[.]xyz
Spoofs Quark AI, an AI-powered assistant application.
Spoofs as Enigma Messenger App, an end-to-end encrypted chat app.
immersivetranslate[.]top
Spoofs as a cryptocurrency exchange app.
tradingview[.]trade
Spoofs Signal messaging application, an end-to-end encrypted chat app.
signall[.]xyz
Spoofs Signal messaging application, an end-to-end encrypted chat app.
signel[.]top
Spoofs as AdsPower app, an anti-detect browser for managing multiple online accounts.
adspowerr[.]top
Spoofs the 360 Security Guard software manager to deliver a fake iTools app. iTools is used for managing Apple mobile devices.
i4app[.]top
Spoofs as FireFox browser download.
firefoxz[.]top
Spoofs of LianLian Pay application.
lianlianpoy[.]com
Spoofs as a financial payments management website.
shengfuton[.]com
Spoofs as a music streaming app.
wymusic[.]top
Spoofs as Snipaste, a screenshot and screen recording tool.
snipaste[.]top
Spoofs as Aurora PDF, a service for creating, editing and viewing PDF files.
jiguang[.]icu
Spoofs as Steam, a popular digital distribution platform for video games.
steams[.]top
Spoofs as 163 VPN built by NetEase, a Chinese tech company. 163 VPN is primarily designed for users within China to access websites blocked by the Great Firewall of China.
Spoofs of Google Play store to download a malicious application.
goople[.]top
Spoofs of Telegram messaging application.
telegrpcm[.]xyz
Conclusion
The spoofed malware delivery websites sampled in this report all share commonalities in configuration, domain registration patterns, and a suspected intent to target Chinese-speaking users. Indications suggest a broader target audience of Chinese-language speakers outside mainland China, including in Malaysia and Hong Kong.
The majority of the malware delivered by the spoofed websites consisted of stealers and trojans capable of stealing credentials and providing remote access to compromised systems. All identified malware targeted Windows. Among the samples were multiple that AV vendors assessed to be Gh0stRAT, LummaStealer, RedLine, Farfli, and ValleyRAT; C2 servers associated with ValleyRAT were also identified.
The activity and infrastructure of this cluster strongly overlap with the previously reported APT group Silver Fox. Similarities include the spoofed websites, the focus on Chinese-language speakers, and the use of ValleyRAT. The overall volume, variety, and duration of the activity also align with previous Silver Fox reporting and suggest an organized, professional enterprise such as a commercial hack-for-hire operation or a nation-state-sponsored contract.
Spoofing websites to deliver malware is nothing new, but the sustained volume and consistency point to a systematic approach to targeting a specific demographic, with an apparent intent to gain access to Windows devices, initially to steal credentials and then to maintain access for follow-on activity. Speculation around similar past campaigns has included operators acting as access brokers who sell access to government organizations or other criminal groups. Another possibility is collateral targeting of a population to opportunistically compromise high-value targets: indiscriminate compromises until the operators strike gold, for example by gaining access to a corporation's systems or credentials.