Chinese Threat Actors Using 2,800 Malicious Domains to Deliver Windows-Specific Malware

A sophisticated Chinese threat actor campaign has emerged as one of the most persistent malware distribution operations targeting Chinese-speaking communities worldwide. Since June 2023, this ongoing campaign has established an extensive infrastructure comprising more than 2,800 malicious domains specifically designed to deliver Windows-targeted malware to individuals and entities both within China and internationally.

The threat actors operate with remarkable consistency during Chinese business hours, employing a multi-faceted approach that leverages fake application download sites, deceptive software update prompts, and [spoofed login](https://cybersecuritynews.com/defend-against-phishing-kit-attacks/) pages for popular services. Their targets include users of marketing applications, business sales platforms, and cryptocurrency-related services, demonstrating a clear focus on financially motivated cybercrime and [credential theft](https://cybersecuritynews.com/credential-theft-risks/) operations.

The campaign's scope and persistence have drawn significant attention from security researchers. DomainTools analysts [identified](https://dti.domaintools.com/chinese-malware-delivery-domains-part-iii/) that as of June 2025, 266 domains from over 850 created since December 2024 remained actively distributing malware, highlighting the operation's sustained infrastructure and continuous evolution.

Recent operational changes indicate the threat actors are adapting to defensive measures by implementing anti-automation code, reducing reliance on tracking services like Baidu and Facebook, and distributing their infrastructure across more servers to avoid detection. These modifications suggest a mature understanding of cybersecurity countermeasures and a commitment to maintaining operational effectiveness.

**Multi-Stage Infection Mechanism**

The malware delivery process demonstrates sophisticated technical implementation through a multi-stage infection chain.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbueqHoUzkVDFNvRK2uJte4eZzOTP2zVG9C3FP_HIJJWxHKHCmrGe4TTg_wOcftzp3-flwpqY593YTEBMFJsBYbML_oLKjRK8taocf99OWWT83M2YXorAW8lasCH-_Wiwout2bP7qI9Kfsktf2o90ZBU-JNbcCzJLWTm1dJzKezqnP5-LaVQMzJn4-Xs8/s16000/Fake%20Gmail%20Login%20(Source%20-%20Domaintools).webp)

Fake Gmail Login (Source — Domaintools)

Analysis of the domain `googeyxvot[.]top` reveals the actors' use of JavaScript [obfuscation](https://cybersecuritynews.com/obfuscation-techniques-to-evade-anti-virus-detection/) to conceal download URLs and to trigger fake browser compatibility errors that prompt the victim to install a malicious "update".

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq6FTI5lAipUswnJxsHnxefCBjoCvnFr0MZXTRJrIudV7HNKX1DNQOnIkHSg-qLnsuz06VglcL-riFQI_ZP89UI8n3XHEL04MQorzP8uRJaiQNQLMORg6ldMe2v33WR-mrtLcXG1mY9aotjNGIn5B3oxoOTYwdsEGsywR-D5meeyVdRNVwTqbMKmYTBDQ/s16000/Multiple%20JavaScript%20files%20are%20employed%20to%20obfuscate%20the%20download%20URL%20(Source%20-%20Domaintools).webp)

Multiple JavaScript files are employed to obfuscate the download URL (Source — Domaintools)

When users interact with these deceptive sites, they receive a ZIP file containing an MSI installer. The file `flashcenter_pl_xr_rb_165892.19.zip` (SHA256: 7705ac81e004546b7dacf47531b830e31d3113e217adeef1f8dd6ea6f4b8e59b) contains the executable `svchost.13.exe`, which functions as a downloader component. This downloader retrieves encrypted payloads from command-and-control servers, specifically from URLs like `https://ffsup-s42.oduuu[.]com/uploads%2F4398%2F2025%2F06%2F617.txt`.

The final payload employs [XOR encryption](https://cybersecuritynews.com/powerful-ddos-malware-attack/) with the single-byte key `0x25` to decode and execute the embedded PE file. The simplicity of that scheme is deliberate: it is enough to keep the executable out of signature-based scanners while remaining trivial to deploy at scale across the campaign's extensive domain infrastructure.

The post [Chinese Threat Actors Using 2,800 Malicious Domains to Deliver Windows-Specific Malware](https://cybersecuritynews.com/chinese-threat-actors-using-2800-malicious-domains-to-deliver-windows-specific-malware/) appeared first on [Cyber Security News](https://cybersecuritynews.com).
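The XOR decoding step described above, as an added analyst-side example that is not part of the original article or of DomainTools' analysis: it decodes a captured blob with the single-byte key `0x25`, checks for PE magic (`MZ` plus `PE\0\0` at `e_lfanew`) before treating the result as an executable, and goes one step beyond the article by recovering the key when it is unknown, trying all 256 single-byte values. The sample blob is constructed inline as a minimal DOS/PE header stub; it is not the real `617.txt`.

```python
import struct
from typing import Optional

XOR_KEY = 0x25  # single-byte key reported for this campaign's payloads


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a single-byte key; XOR is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data carries both PE signatures: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the NT header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_pe(blob: bytes, key: int = XOR_KEY) -> Optional[bytes]:
    """Decode a captured blob and return the PE bytes only if the result has PE magic."""
    decoded = xor_decode(blob, key)
    return decoded if looks_like_pe(decoded) else None


def recover_single_byte_key(blob: bytes) -> Optional[int]:
    """Brute-force all 256 single-byte keys; return the first one that yields a valid PE header."""
    for key in range(256):
        if looks_like_pe(xor_decode(blob, key)):
            return key
    return None


def build_sample_payload() -> bytes:
    """Constructed stand-in for the downloaded .txt: a minimal DOS header whose e_lfanew
    points at a 'PE\\0\\0' signature, XOR-encoded with the campaign key."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # NT header immediately follows
    plain = bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20  # COFF header padding
    return xor_decode(plain, XOR_KEY)


if __name__ == "__main__":
    sample = build_sample_payload()
    print("raw blob looks like PE:", looks_like_pe(sample))      # False: still encoded
    print("recovered key:", hex(recover_single_byte_key(sample)))  # 0x25
    print("decoded blob looks like PE:", extract_pe(sample) is not None)  # True
```

On a real capture, run `extract_pe` on the downloaded `.txt` and hand the returned bytes to your sandbox or static analysis pipeline rather than executing them; a `None` result means either a different key or a different encoding layer.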

Related Tags:
NAICS: 541 – Professional, Scientific, and Technical Services
NAICS: 52 – Finance and Insurance
NAICS: 518 – Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services
NAICS: 523 – Securities, Commodity Contracts, and Other Financial Investments and Related Activities
NAICS: 522 – Credit Intermediation and Related Activities
NAICS: 51 – Information
Blog: Cybersecurity News
Deobfuscate/Decode Files or Information
Ingress Tool Transfer

Associated Indicators:
ffsup-s42.oduuu.com
7705AC81E004546B7DACF47531B830E31D3113E217ADEEF1F8DD6EA6F4B8E59B
googeyxvot.top