
Chinese Malware Delivery Websites

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

A cluster of over 400 domains has been registered since June 2024 to host spoofed websites that deliver malware to Chinese-speaking users. The sites imitate popular applications such as web browsers, VPNs, messaging apps, and crypto wallets. Identified malware includes Gh0stRAT, ValleyRAT, Remcos RAT, LummaStealer, and RedLine. The domains share registration details, infrastructure, and website configurations. Lures include fake login pages and software downloads. The activity shows similarities to the previously reported APT group SilverFox, suggesting an organized hack-for-hire or state-sponsored operation targeting Chinese speakers, likely for credential theft and system access.

OPENCTI LABELS:

apt, redline, credential theft, gh0strat, valleyrat, lummastealer, farfli, malware delivery, remote access trojans, chinese-speaking users, remkos rat, spoofed websites, hack-for-hire



