Threat Actors Using Multilingual ZIP File to Attack Financial and Government Organizations


Sophisticated threat actors have orchestrated a coordinated multilingual phishing campaign targeting financial and government organizations across East and Southeast Asia.

The campaign leverages carefully crafted ZIP file lures combined with region-specific web templates to deceive users into downloading staged malware droppers.

Recent analysis reveals three interconnected clusters spanning Traditional Chinese, English, and Japanese-language variants, each tailored to specific geographic and sectoral targets.

This demonstrates a deliberate shift from localized operations toward a scalable, automation-driven infrastructure capable of targeting multiple regions simultaneously with minimal adaptation.

The campaign evolved from earlier phishing waves that originally impersonated Taiwan’s Ministry of Finance, initially delivering malicious PDFs hosted on Tencent Cloud.

As threat actors refined their approach, they transitioned toward custom domains embedding regional markers such as “tw” for Taiwan, expanding their reach to Japan and Southeast Asia.


The infrastructure now employs multilingual web templates with shared backend logic, indicating either a single operator managing multiple campaigns or a distributed toolkit enabling rapid deployment across regions.

Hunt.io analysts identified the campaign through coordinated infrastructure analysis using HuntSQL-based pivoting.

Researchers discovered 28 webpages distributed across three clusters: 12 in Traditional Chinese, 12 in English, and 4 in Japanese.

Each cluster shares unified backend logic utilizing download.php and visitor_log.php scripts, indicating centralized infrastructure designed for automated payload delivery at scale.

The threat actors employ compelling social engineering lures incorporating bureaucratic, payroll, and tax-related filenames.

A mindmap of eleven interconnected webpages with the title ‘文件下載’ (Source – Hunt.io)

The Chinese cluster distributes archives named “Tax Invoice List” and “Financial Confirmation Form,” while the English variant uses “Tax Filing Documents” and generic compliance themes.

Japanese-language pages specifically target salary system revisions and tax agency notifications, demonstrating sophisticated understanding of regional corporate communication patterns.

Infection Mechanism and Detection Evasion

The technical implementation reveals a multi-stage infection approach designed to evade conventional email and web filters.

When users visit phishing pages, JavaScript executes visitor_log.php to record IP addresses and user-agent information, establishing tracking infrastructure for potential follow-up campaigns.

The download button remains hidden until JavaScript runs, then dynamically fetches payload details from download.php.

This approach masks the malicious intent during static analysis while ensuring valid ZIP payloads are served only when conditions match specific criteria.
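One way a defender can hunt for the page flow described above in web-proxy logs: a client beacons to visitor_log.php and then, shortly afterwards, pulls a ZIP from download.php on the same host. This is an added example, not code from Hunt.io or the report; the log format, the `.invalid` hostnames and the five-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log format: "<iso-ts> <client> <method> <url> <status> <content-type>"
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) https?://([^/\s]+)(/[^?\s]*)\S* (\d{3}) (\S+)$")

# Backend scripts the report names as shared across all three clusters.
TRACKER, DELIVERY = "visitor_log.php", "download.php"
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}
WINDOW = timedelta(minutes=5)  # assumed dwell time between page load and download

def parse(line):
    """Return (ts, client, host, path, status, ctype) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, host, path, status, ctype = m.groups()
    return datetime.fromisoformat(ts), client, host, path, int(status), ctype

def find_staging_sequences(lines):
    """(client, host) pairs that hit visitor_log.php and then, within WINDOW,
    pulled a ZIP from download.php on the same host."""
    tracked = defaultdict(list)   # (client, host) -> timestamps of tracker hits
    hits = set()
    for rec in filter(None, map(parse, lines)):
        ts, client, host, path, status, ctype = rec
        key = (client, host)
        if path.endswith("/" + TRACKER):
            tracked[key].append(ts)
        elif (path.endswith("/" + DELIVERY) and status == 200 and ctype in ZIP_TYPES
              and any(timedelta(0) <= ts - t <= WINDOW for t in tracked[key])):
            hits.add(key)
    return sorted(hits)

# Constructed sample: 10.0.0.5 completes the sequence, 10.0.0.8 only loads the tracker,
# 10.0.0.9 fetches a ZIP from a download.php with no preceding tracker call.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.5 GET https://tw-example.invalid/index.html 200 text/html
2024-05-01T09:00:02 10.0.0.5 POST https://tw-example.invalid/visitor_log.php 200 text/plain
2024-05-01T09:00:09 10.0.0.5 GET https://tw-example.invalid/download.php?id=7 200 application/zip
2024-05-01T09:10:00 10.0.0.8 POST https://jp-example.invalid/visitor_log.php 200 text/plain
2024-05-01T09:12:30 10.0.0.9 GET https://files.corp.invalid/download.php?f=1 200 application/zip
"""

if __name__ == "__main__":
    for client, host in find_staging_sequences(SAMPLE_LOG.splitlines()):
        print(f"staging sequence: {client} -> {host}")
```

Only the client that performed both steps on the same host is flagged; a lone tracker hit or an unrelated download.php ZIP on another host is not.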

The filenames themselves function as evasion mechanisms, using legitimate-sounding bureaucratic nomenclature to bypass content filters focused on malware indicators.

Archives containing staged droppers bear authentic organizational contexts—tax filings, salary notices, financial amendments—making them indistinguishable from legitimate business communications.

All phishing infrastructure resolves to Kaopu Cloud HK Limited hosting in multiple Asian locations including Tokyo, Singapore, and Hong Kong, providing geographic distribution that complicates attribution and blocking efforts.

This sophisticated combination of social engineering, dynamic payload delivery, and distributed hosting represents a significant evolution in phishing campaign infrastructure targeting enterprise environments across Asia.
