A sophisticated Chinese threat actor campaign has emerged as one of the most persistent malware distribution operations targeting Chinese-speaking communities worldwide.<\/p>\n
Since June 2023, this ongoing campaign has established an extensive infrastructure comprising more than 2,800 malicious domains specifically designed to deliver Windows-targeted malware to individuals and entities both within China and internationally.<\/p>\n
The threat actors operate with remarkable consistency during Chinese business hours, employing a multi-faceted approach that leverages fake application download sites, deceptive software update prompts, and spoofed login<\/a> pages for popular services.<\/p>\n Their targets include users of marketing applications, business sales platforms, and cryptocurrency-related services, demonstrating a clear focus on financially motivated cybercrime and credential theft<\/a> operations.<\/p>\n The campaign\u2019s scope and persistence have drawn significant attention from security researchers.<\/p>\n DomainTools analysts identified<\/a> that as of June 2025, 266 domains from over 850 created since December 2024 remained actively distributing malware, highlighting the operation\u2019s sustained infrastructure and continuous evolution.<\/p>\n Recent operational changes indicate the threat actors are adapting to defensive measures by implementing anti-automation code, reducing reliance on tracking services like Baidu and Facebook, and distributing their infrastructure across more servers to avoid detection.<\/p>\n These modifications suggest a mature understanding of cybersecurity countermeasures and a commitment to maintaining operational effectiveness.<\/p>\n The malware delivery process demonstrates sophisticated technical implementation through a multi-stage infection chain.<\/p>\n Analysis of the domain When users interact with these deceptive sites, they receive a ZIP file containing an MSI installer.<\/p>\n The file This downloader retrieves encrypted payloads from command-and-control servers, specifically from URLs like The final payload employs XOR encryption<\/a> with the key Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams ->\u00a0Try ANY.RUN Now<\/a><\/strong><\/p>\n The post Chinese Threat Actors Using 2,800 Malicious Domains to Deliver Windows-Specific Malware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nMulti-Stage Infection Mechanism<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgbueqHoUzkVDFNvRK2uJte4eZzOTP2zVG9C3FP_HIJJWxHKHCmrGe4TTg_wOcftzp3-flwpqY593YTEBMFJsBYbML_oLKjRK8taocf99OWWT83M2YXorAW8lasCH-_Wiwout2bP7qI9Kfsktf2o90ZBU-JNbcCzJLWTm1dJzKezqnP5-LaVQMzJn4-Xs8\/s16000\/Fake%2520Gmail%2520Login%2520%28Source%2520-%2520Domaintools%29.webp?ssl=1\")
googeyxvot[.]top<\/code> reveals the actors\u2019 use of JavaScript obfuscation<\/a> to conceal download URLs and trigger fake browser compatibility errors that prompt malicious updates.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhq6FTI5lAipUswnJxsHnxefCBjoCvnFr0MZXTRJrIudV7HNKX1DNQOnIkHSg-qLnsuz06VglcL-riFQI_ZP89UI8n3XHEL04MQorzP8uRJaiQNQLMORg6ldMe2v33WR-mrtLcXG1mY9aotjNGIn5B3oxoOTYwdsEGsywR-D5meeyVdRNVwTqbMKmYTBDQ\/s16000\/Multiple%2520JavaScript%2520files%2520are%2520employed%2520to%2520obfuscate%2520the%2520download%2520URL%2520%28Source%2520-%2520Domaintools%29.webp?ssl=1\")
flashcenter_pl_xr_rb_165892.19.zip<\/code> (SHA256: 7705ac81e004546b7dacf47531b830e31d3113e217adeef1f8dd6ea6f4b8e59b) contains the executable svchost.13.exe<\/code>, which functions as a downloader component.<\/p>\nhttps:\/\/ffsup-s42.oduuu[.]com\/uploads%2F4398%2F2025%2F06%2F617.txt<\/code>.<\/p>\n0x25<\/code> to decode and execute the embedded PE file, demonstrating the campaign\u2019s technical sophistication in evading detection while maintaining operational simplicity for widespread deployment across their extensive domain infrastructure.<\/p>\n