Chinese Hackers Using 42,000 Phishing Domains for Malware


Chinese Hackers Employing Sophisticated Phishing Techniques to Deliver Malware


Cyjax has recently discovered an extensive phishing campaign aimed at businesses across a range of vertical markets, including retail.

The attackers behind this campaign exploited the reputation of renowned brands in sectors such as banking, travel, pharmaceuticals, energy, and transport.

Fangxiao, a group classified as a financially motivated threat actor, is suspected to be based in China and is believed to be responsible for this campaign.

Since 2019, the group has registered over 42,000 unique domains, with this number continuously growing.

These domains imitate famous brands to deceive users and redirect them to sites that promote adware apps, dating sites, and free giveaways. Since 2017, threat actors have been targeting renowned brands across the globe, and over 400 brands have been spoofed.

What are Phishing Domains?

Phishing domains are fraudulent websites that are designed to look legitimate to unsuspecting users. They are used to steal sensitive information such as usernames, passwords, credit card details, and other personal information. Hackers use phishing domains to gain access to victims’ accounts and steal their data or money.

Companies Affected

There are a number of companies that have been affected by this issue, which we have outlined below:

  • Emirates
  • Singapore’s Shopee
  • Unilever
  • Indonesia’s Indomie
  • Coca-Cola
  • McDonald’s
  • Knorr

In some cases the Fangxiao threat actors redirect victims to malicious websites that infect them with Triada or other malware. Researchers note recent reports of Triada spreading through fake WhatsApp apps.


That said, no direct connection between Fangxiao and the operators of these websites has yet been established.

Technical Analysis

Fangxiao registers approximately 300 new brand-imitating domain names every day. Since the beginning of March 2022, the operators have used a total of 24,000 landing-page and survey domains to promote their fake prizes.

In general, operators use the following TLDs for the majority of their websites:

  • .top
  • .cn
  • .cyou
  • .xyz
  • .work
  • .tech
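The volume described above (hundreds of new lookalike domains a day, concentrated on a handful of TLDs) is the kind of thing a defender can screen for in a newly-registered-domain feed. The script below is an added example, not Cyjax's code or any tooling from the report: it takes the brand names and TLDs listed in this article, strips digit-for-letter substitutions and hyphens from the registrable label, and flags a domain only when a brand lookalike (exact or fuzzy) sits on one of the operator-favoured TLDs. The domain feed is constructed for the example and contains no indicators from the report; the TLD extraction is a naive split on the last dot (a real deployment would use the public suffix list), and the 0.8 fuzzy-match threshold is an assumed tuning value.

```python
"""Screen a newly-registered-domain feed for brand-impersonation lookalikes.

Added example, not code from Cyjax or the article. Brand and TLD lists come
from the article; the sample feed is constructed and contains no real IoCs.
"""
import re
from difflib import SequenceMatcher

# TLDs the article reports the operators favour for the majority of their sites
SUSPECT_TLDS = {"top", "cn", "cyou", "xyz", "work", "tech"}

# Brands named in the article, keyed by the form they take inside a hostname
BRANDS = {
    "emirates": "Emirates",
    "shopee": "Shopee",
    "unilever": "Unilever",
    "indomie": "Indomie",
    "cocacola": "Coca-Cola",
    "mcdonalds": "McDonald's",
    "knorr": "Knorr",
}

# Constructed sample feed (hypothetical names, not indicators from the report)
SAMPLE_FEED = [
    "emirates-anniversary-gift.top",
    "shopee-lucky-draw.cyou",
    "www.coca-cola.com",
    "mcdonalds-free-meal2022.xyz",
    "kn0rr-prize.work",
    "example.org",
    "unilevergiveaway.cn",
    "weather-report.tech",
    "shoppee-voucher.xyz",
]


def registrable_parts(domain):
    """Return (second-level label, tld), lower-cased.

    Assumption: a plain split on the last dot. A production screener should
    use the public suffix list so names under e.g. .com.cn are handled.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def brand_match(label):
    """Return (brand name, score) for the closest brand, or (None, 0.0).

    Hyphens are dropped and 0->o / 1->l substitutions undone so that
    'kn0rr-prize' still contains 'knorr'. If no brand is a substring, the
    brand is compared against every window of the label that is its own
    length or one character longer, which catches typosquats such as
    'shoppee'.
    """
    cleaned = label.translate(str.maketrans("01", "ol")).replace("-", "")
    best, best_score = None, 0.0
    for key, name in BRANDS.items():
        if key in cleaned:
            return name, 1.0
        for width in (len(key), len(key) + 1):
            for i in range(len(cleaned) - width + 1):
                score = SequenceMatcher(None, key, cleaned[i:i + width]).ratio()
                if score > best_score:
                    best, best_score = name, score
    return best, best_score


def screen_domain(domain, fuzzy_threshold=0.8):
    """Classify one domain; 'reasons' explains why it was (or was not) flagged."""
    label, tld = registrable_parts(domain)
    brand, score = brand_match(label)
    brand_hit = brand if score >= fuzzy_threshold else None
    reasons = []
    if brand_hit:
        reasons.append(f"resembles {brand_hit} (score {score:.2f})")
    if tld in SUSPECT_TLDS:
        reasons.append(f"TLD .{tld} is favoured by the operators")
    # A brand lookalike on an operator-favoured TLD is the strong signal; a
    # brand name alone is only a hint, since the genuine site matches it too.
    flagged = bool(brand_hit) and tld in SUSPECT_TLDS
    return {"domain": domain, "brand": brand_hit, "tld": tld,
            "flagged": flagged, "reasons": reasons}


def screen_feed(feed):
    """Return the screening records for every flagged domain in the feed."""
    return [r for r in (screen_domain(d) for d in feed) if r["flagged"]]


if __name__ == "__main__":
    for hit in screen_feed(SAMPLE_FEED):
        print(hit["domain"], "->", "; ".join(hit["reasons"]))
```

Run as-is to see the flagged entries from the constructed feed; in practice the feed would come from a certificate-transparency or domain-registration stream, and the TLD set and brand list would be maintained alongside the organisation's own brand names.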

The websites sit behind Cloudflare and have been registered through the following platforms:

In most cases, users reach these websites through mobile ads or WhatsApp messages containing a link that advertises an offer or announces that the recipient has won something.

Google and Facebook have marked the landing pages for “ylliX” ads as suspicious, as clicking on these ads will lead to a different redirection chain within the landing sites.

Cyjax's investigation into Fangxiao turned up several indications that the operator is Chinese; an exposed control panel, for instance, was found to display Mandarin characters.
