DomainTools Investigations has released critical findings detailing the expansion of a massive malware-delivery network targeting Chinese-speaking users worldwide.
The long-running cluster, active since June 2023, has swelled to approximately 5,000 domains, with researchers identifying over 1,900 new domains between May and November 2025 alone.
This latest investigation also marks a significant milestone in defensive cybersecurity, demonstrating how agentic AI systems achieved a 10x improvement in analysis speed compared to traditional manual workflows.
The threat actor behind this “super cluster” has demonstrated remarkable persistence and operational adaptability. While earlier campaigns relied on consolidated infrastructure hosted primarily on Alibaba Cloud Hong Kong, recent analysis reveals a distinct shift toward fragmentation.
Since August 2025, the operators have moved away from centralized hosting to leverage domestic Chinese registrars and randomized domain naming patterns.
This evolution is a calculated attempt to improve operational security (OPSEC) and evade detection.
Despite these efforts, the actor continues to exhibit specific operational weaknesses that allow researchers to link distinct campaigns.
Recurring patterns in Start of Authority (SOA) record contact e-mails, tracking IDs used for SEO manipulation, and unique registrant names have enabled analysts to connect the 1,900 newly observed domains to the broader cluster.
The infrastructure now spans five countries and utilizes eight unique registrars, a significant increase in complexity compared to the three registrars observed in early 2025.
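The pivoting described above, linking new domains to a known cluster through shared SOA contact e-mails, registrant names and SEO tracking IDs, can be automated as connected-component clustering over those pivot values. The following is an added example, not DomainTools' code; all domain names, e-mail addresses, registrant names and tracking IDs in it are constructed placeholders, and the noisy-pivot exclusion set is an assumption that would be seeded from an analyst's own baseline.

```python
from collections import defaultdict

# Constructed sample records (placeholder values, not real indicators).
RECORDS = [
    {"domain": "dl-a.test", "soa_rname": "hostmaster@ns-pool.example",
     "registrant": "Registrant One", "tracking_id": "UA-0000001"},
    {"domain": "dl-b.test", "soa_rname": "hostmaster@ns-pool.example",
     "registrant": "Registrant Two", "tracking_id": None},
    {"domain": "dl-c.test", "soa_rname": "dns@second-pool.example",
     "registrant": "Registrant Two", "tracking_id": "UA-0000002"},
    {"domain": "dl-d.test", "soa_rname": "hostmaster@registrar-default.example",
     "registrant": None, "tracking_id": "UA-0000001"},
    {"domain": "site-e.test", "soa_rname": "admin@cdn.example",
     "registrant": "Some Company", "tracking_id": "UA-0000009"},
    {"domain": "site-f.test", "soa_rname": "hostmaster@registrar-default.example",
     "registrant": None, "tracking_id": None},
]
PIVOT_FIELDS = ("soa_rname", "registrant", "tracking_id")
# Pivot values shared by many unrelated domains (registrar-default SOA
# contacts, privacy-proxy registrants) prove nothing; seed this set from
# your own baseline. The entry below is a constructed placeholder.
NOISY_PIVOTS = {"hostmaster@registrar-default.example"}


def cluster_domains(records, noisy=NOISY_PIVOTS):
    """Return (clusters, links): clusters are domain sets, largest first;
    links maps each (field, value) shared by 2+ domains to those domains,
    so an analyst can cite the evidence behind every connection."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):  # union-find root lookup with path compression
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_pivot = defaultdict(set)
    for r in records:
        for field in PIVOT_FIELDS:
            value = (r.get(field) or "").strip().lower()
            if value and value not in noisy:
                by_pivot[(field, value)].add(r["domain"])
    links = {k: v for k, v in by_pivot.items() if len(v) > 1}
    for domains in links.values():
        first, *rest = sorted(domains)
        for d in rest:  # merge every domain that shares this pivot
            parent[find(d)] = find(first)
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=lambda s: (-len(s), min(s))), links
```

Without the noisy-pivot filter, a registrar-default SOA contact would pull unrelated domains into the cluster, which is why each link is returned alongside the pivot that justifies it.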
Agentic AI Revolutionizes Threat Hunting
To tackle the sheer volume of malicious infrastructure, researchers deployed an experimental “agentic AI” system.
Unlike standard automated scripts, this system utilizes a two-layer architecture comprising an orchestration agent and specialized sub-agents for tasks like code analysis and binary retrieval.
The results were transformative: the AI system processed over 1,900 malware delivery websites in the time traditionally required for just 200 to 400 manual investigations.
In a bulk processing test, three AI agents analyzed 2,000 domains in approximately 10 hours, averaging 1 to 10 minutes per domain depending on complexity.
This workflow allowed for deep analysis of sites heavily laden with anti-automation JavaScript and bot-detection mechanisms, tasks that typically stall conventional scanners.
Unlike traditional automated tools that follow rigid scripts, the agentic system demonstrates adaptive intelligence in analyzing threats.

The AI agents successfully identified malicious code, retrieved payloads, and even generated YARA rules autonomously, fundamentally changing the economics of defense against large-scale campaigns.
Targeted Spoofing Campaigns
The cluster remains laser-focused on Chinese-speaking demographics, utilizing sophisticated spoofing of popular software to deliver trojans and credential stealers.
Analysis of the 2,393 most recent domains highlights a heavy emphasis on communication tools and VPN services, likely capitalizing on users attempting to bypass internet restrictions.
The malware is frequently delivered as large files (100–250MB), exceeding the file-size limits of standard antivirus scanning so that the payload is not inspected.
Top Spoofed Application Categories (May–Nov 2025)
| Category | Domain Count | Share | Key Spoofed Brands |
|---|---|---|---|
| Communication Tools | 391 | 24.2% | WhatsApp, WhatsApp Web |
| VPN Services | 363 | 22.4% | LetsVPN (Kuailian), Kuailian Variants |
| Productivity | 229 | 14.2% | Google Services, Youdao, WPS Office |
| Web Browsers | 109 | 6.7% | Google Chrome |
| Crypto & Finance | 105 | 6.5% | ImToken, AICoin |
The persistence of this cluster, combined with its shift toward domestic infrastructure and complex evasion techniques, suggests it is evolving into a service platform where operators may be allowing affiliates to bring their own malware.
However, the successful deployment of agentic AI proves that defenders can now match this scale, turning the tide against high-volume threat operations.
