Chinese Malware Delivery Websites

Jan. 16, 2025, noon

Description

A cluster of over 400 domains has been registered since June 2024 to host spoofed websites that deliver malware to Chinese-speaking users. The sites imitate popular applications such as web browsers, VPNs, messaging apps, and crypto wallets. Identified malware includes Gh0stRAT, ValleyRAT, Remcos RAT, LummaStealer, and RedLine. The domains share registration details, infrastructure, and website configurations. Lures include fake login pages and software downloads. The activity resembles that of the previously reported APT group SilverFox, suggesting an organized hack-for-hire or state-sponsored operation targeting Chinese speakers, possibly for credential theft and system access.

Date

  • Created: Jan. 16, 2025, 11 a.m.
  • Published: Jan. 16, 2025, 11 a.m.
  • Modified: Jan. 16, 2025, noon

Indicators


Attack Patterns

  • Remcos RAT
  • LummaStealer
  • Gh0stRAT
  • ValleyRAT
  • Farfli
  • RedLine
  • SilverFox

Additional Information

  • Hong Kong
  • China
  • Malaysia