Sophisticated threat actors have orchestrated a coordinated multilingual phishing campaign targeting financial and government organizations across East and Southeast Asia.<\/p>\n
The campaign leverages carefully crafted ZIP file lures combined with region-specific web templates to deceive users into downloading staged malware droppers.<\/p>\n
Recent analysis reveals three interconnected clusters spanning Traditional Chinese, English, and Japanese-language variants, each tailored to specific geographic and sectoral targets.<\/p>\n
This demonstrates a deliberate shift from localized operations toward a scalable, automation-driven infrastructure capable of targeting multiple regions simultaneously with minimal adaptation.<\/p>\n
The campaign<\/a> evolved from earlier phishing waves that originally impersonated Taiwan\u2019s Ministry of Finance, initially delivering malicious PDFs hosted on Tencent Cloud.<\/p>\n As threat actors refined their approach, they transitioned toward custom domains embedding regional markers such as \u201ctw\u201d for Taiwan, expanding their reach to Japan and Southeast Asia.<\/p>\n The infrastructure now employs multilingual web templates with shared backend logic, indicating either a single operator managing multiple campaigns or a distributed toolkit enabling rapid deployment across regions.<\/p>\n Hunt.io analysts identified<\/a> the campaign through coordinated infrastructure analysis using HuntSQL-based pivoting.<\/p>\n Researchers discovered 28 webpages distributed across three clusters: 12 in Traditional Chinese, 12 in English, and 4 in Japanese.<\/p>\n Each cluster shares unified backend logic utilizing download.php and visitor_log.php scripts, indicating centralized infrastructure designed for automated payload delivery at scale.<\/p>\n The threat actors employ compelling social engineering lures incorporating bureaucratic, payroll, and tax-related filenames.<\/p>\n The Chinese cluster distributes archives named \u201cTax Invoice List\u201d and \u201cFinancial Confirmation Form,\u201d while the English variant uses \u201cTax Filing Documents\u201d and generic compliance themes.<\/p>\n Japanese-language pages specifically target salary system revisions and tax agency notifications, demonstrating sophisticated understanding of regional corporate communication patterns.<\/p>\n The technical implementation reveals a multi-stage infection approach designed to evade conventional email and web filters<\/a>.<\/p>\n When users visit phishing pages, JavaScript executes visitor_log.php to record IP addresses and user-agent information, establishing tracking infrastructure for potential follow-up campaigns.<\/p>\n The download button remains hidden until JavaScript<\/a> runs, then dynamically fetches payload details from download.php.<\/p>\n This approach masks the malicious intent during static analysis while ensuring valid ZIP payloads are served only when conditions match specific criteria.<\/p>\n The filenames themselves function as evasion mechanisms, using legitimate-sounding bureaucratic nomenclature to bypass content filters focused on malware indicators.<\/p>\n Archives containing staged droppers bear authentic organizational contexts\u2014tax filings, salary notices, financial amendments\u2014making them indistinguishable from legitimate business communications.<\/p>\n All phishing infrastructure resolves to Kaopu Cloud HK Limited hosting in multiple Asian locations including Tokyo, Singapore, and Hong Kong, providing geographic distribution that complicates attribution and blocking efforts.<\/p>\n This sophisticated combination of social engineering<\/a>, dynamic payload delivery, and distributed hosting represents a significant evolution in phishing campaign infrastructure targeting enterprise environments across Asia.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Threat Actors Using Multilingual ZIP File to Attack Financial and Government Organizations<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj0zIGTNtpO2NAuKKKskpPB6rZYgCooVodNbIaXLCfVEnRYAC7S83HBsD9BUeOzXLvrDE42q9hIYwfxCsc3DdAFu86iEkZOlBhFkKqe8wBxaeG1uII4kzEtF13zTHI7M-UsBBxoLYEF19sfWUwM-5_pg5D5co8UR9QWjHCs5eLwakdQQJthV6ypuoVMaMg\/s16000\/A%2520mindmap%2520of%2520eleven%2520interconnected%2520webpages%2520with%2520the%2520title%2520%27%25E6%2596%2587%25E4%25BB%25B6%25E4%25B8%258B%25E8%25BC%2589%27%2520%28Source%2520-%2520Hunt.io%29.webp?ssl=1\")
Infection Mechanism and Detection Evasion<\/strong><\/h2>\n