Thursday, February 6, 2025
HomeMalwareChinese Hackers Using 42,000 Phishing Domains To Drop Malware On Victims Systems

Chinese Hackers Using 42,000 Phishing Domains To Drop Malware On Victims Systems

Published on

SIEM as a Service

Follow Us on Google News

An extensive phishing campaign targeting businesses in numerous upright markets, including retail, was discovered by Cyjax recently in which the attackers exploited the reputation of renowned brands, and this includes the following business sectors:-

  • Banking
  • Travel
  • Pharmaceuticals
  • Travel
  • Energy
  • Transport

Fangxiao is a group classified as a financially motivated threat actor suspected of being based in China and is alleged to be behind this campaign. 

It has been estimated that more than 42,000 unique domains have been registered by the group since 2019 and the numbers are growing on a daily basis.

All these domains mimic famous brands through which they trick users and redirect them to sites that promote the following things:-

  • Adware apps
  • Dating sites
  • Free giveaways

Since the beginning of 2017, threat actors have been operating around the globe, with more than 400 renowned brands being spoofed.

Companies Affected

There are a number of companies that have been affected by this issue, which we have outlined below:-

  • Emirates
  • Singapore’s Shopee
  • Unilever
  • Indonesia’s Indomie
  • Coca-Cola
  • McDonald’s
  • Knorr

Sometimes the victims are redirected by the Fangxiao threat actors to malicious websites where they were infected with Triada or other malware. Recently, there have been reports of Triada spreading through fake WhatsApp apps that are propagating the malware, Researchers said.

In spite of this, Fangxiao has yet to establish a direct connection with the operators of these websites.

Technical Analysis

There are approximately 300 newly registered domain names that Fangxiao registers every day that imitate brands. Malicious operators have used a total of 24,000 landing pages and survey domains to promote their fake prizes since the beginning of March 2022.

In general, operators use the following TLDs for the majority of their websites:

  • .top
  • .cn
  • .cyou
  • .xyz
  • .work
  • .tech

It is important to note that the websites are secured behind Cloudflare and they have been registered through the following platforms:-

  • GoDaddy
  • Namecheap
  • Wix

In most cases, users are directed to these websites through mobile ads or WhatsApp messages that include a link with an offer or an announcement about winning something.

Google and Facebook have marked the landing pages for “ylliX” ads as suspicious, as clicking on these ads will lead to a different redirection chain within the landing sites.

Several indications were found during Cyjax’s investigation into Fangxiao that indicate the operator to be Chinese. A control panel that was exposed was found to be displaying Mandarin characters.

Managed DDoS Attack Protection for Applications – Download Free Guide

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Paragon Spyware Allegedly Ends Spyware Contract with Italy

Paragon Solutions, an Israeli cybersecurity firm, has reportedly ended its spyware contract with Italy.The...

Authorities Arrested Hacker Who Compromised 40+ Organizations

Spanish authorities have arrested a hacker believed to be responsible for cyberattacks targeting over...

OpenAI Data Breach – Threat Actor Allegedly Claims 20 Million Logins for Sale

OpenAI may have become the latest high-profile target of a significant data breach.A...

Lumma Stealer Attacking Windows Users In India With Fake Captcha Pages

Cybersecurity experts are raising alarms over a new wave of attacks targeting Windows users...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Lumma Stealer Attacking Windows Users In India With Fake Captcha Pages

Cybersecurity experts are raising alarms over a new wave of attacks targeting Windows users...

Beware of Lazarus LinkedIn Recruiting Scam Targeting Org’s to Deliver Malware

A new wave of cyberattacks orchestrated by the North Korea-linked Lazarus Group has been...

North Korean Hackers Use custom-made RDP Wrapper to activate remote desktop on Hacked Machines

In a concerning development, the North Korean-backed hacking group Kimsuky has intensified its use...