Chinese Threat Actors Operate 2,800 Malicious Domains to Distribute Windows Malware
A sophisticated threat actor, dubbed “SilverFox,” has been orchestrating a large-scale malware distribution campaign since at least June 2023, primarily during Chinese time zone working hours.
This operation focuses on Chinese-speaking individuals and entities both within and outside China, leveraging over 2,800 newly created domains to deliver Windows-specific malware.
Chinese-Speaking Users Globally
The actor employs deceptive tactics such as fake application download sites and spurious update prompts embedded in spoofed login pages, marketing applications, business sales tools, and cryptocurrency-related apps.
These methods have remained largely consistent, facilitating the dissemination of malicious payloads designed for credential theft, financial exploitation, and potential access brokering.
As of June 2025, analysis reveals that 266 out of more than 850 domains identified since December 2024 are actively involved in malware distribution, underscoring the campaign’s sustained infrastructure and operational resilience.
Domain registration patterns provide insights into the actor’s workflow, with creation dates and first-seen DNS resolutions clustering during typical Chinese business hours.
This temporal alignment suggests a blend of automated processes and human oversight, in which newly acquired infrastructure is operationalized (for example, by deploying spoofed sites for malware delivery) within these working-hour windows.
Such patterns not only highlight potential regional origins but also indicate opportunistic targeting of professionals in sales, marketing, and cross-border business, particularly those with Chinese language proficiency and ties to regional prospects.
In-Depth Malware Analysis
In response to prior detections, SilverFox has refined its operations, incorporating anti-automation scripts and browser emulation checks to evade site scanners and automated analysis tools.
The actor has minimized reliance on third-party trackers like Baidu, Gtag, and Facebook integrations, while dispersing domain resolutions across an expanded server footprint to reduce IP-based clustering and enhance obfuscation.
Registration details have become more discreet, stripping away identifiable markers to complicate attribution.
Technical dissection of sample domains illustrates the malware delivery chain.
For instance, googeyxvot[.]top mimics a Gmail login page, deploying obfuscated JavaScript to trigger a fake browser incompatibility error upon any input, prompting a download of flashcenter_pl_xr_rb_165892.19.zip (SHA-256: 7705ac81e004546b7dacf47531b830e31d3113e217adeef1f8dd6ea6f4b8e59b).
This ZIP extracts an MSI installer (SHA-256: a48043b50cded60a1f2fa6b389e1983ce70d964d0669d47d86035aa045f4f556) containing embedded executables like svchost.13.exe (SHA-256: f1b6d793331ebd0d64978168118a4443c6f0ada673e954df02053362ee47917b) and flashcenter_pl_xr_rb_165892.19.exe (SHA-256: 1c957470b21bf90073c593b020140c8c798ad8bdb2ce5f5d344e9e9c53242556).
The former functions as a downloader, fetching encrypted payloads from https://ffsup-s42.oduuu[.]com/uploads%2F4398%2F2025%2F06%2F617.txt (SHA-256: e9ba441b81f2399e1db4b86e1fe301aaf2f11d3cf085735a55505873c71cbc6f), which employs a shellcode decoder loop with XOR key 0x25 to decrypt and execute an embedded PE file (SHA-256: 28e6c4d71b700ac93c8278ef7968e3d8f9454eff2e8df5baf2fff6acbfdf6c39).
Similarly, yeepays[.]xyz spoofs an Alipay checkout interface, using imported JavaScript from assets/js/external_load.js and assets/download/filename.js to construct a download URL for 收银台权限.exe (SHA-256: 21a0b62adc71b276a5bc8a3170ab6e315ac2c0afe8795cfeade8461f00a804d2).
Cryptocurrency-themed sites like coinbaw[.]vip redirect to fabricated sign-in pages mimicking exchanges such as Coinbase, further exemplifying the actor’s phishing arsenal.
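As an added illustration of the decoder stage described above (this is not code from the report, and not the actor's code), the following Python triage helper applies the single-byte XOR the report names (key 0x25) to a captured payload blob and validates the result by its MZ/PE structure, then falls back to trying all 256 single-byte keys for variants that change the key; the input blob is constructed for the demonstration, not a real sample.

```python
"""Triage helper for single-byte-XOR-wrapped PE payloads (added example).

The report says SilverFox's downloader pulls a .txt blob and runs a shellcode
decoder loop keyed on XOR 0x25 before executing the embedded PE. This helper
recovers such a payload from a captured blob for hashing and scanning: it tries
the documented key first, then every other single-byte key, and accepts a
candidate only if a structurally valid MZ/PE image appears.
"""
import struct

DOCUMENTED_KEY = 0x25  # key named in the report

def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply the single-byte XOR the decoder loop applies."""
    return bytes(b ^ key for b in data)

def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_pe_offset(blob: bytes) -> int:
    """Offset of the first valid PE image in blob (shellcode may precede it), or -1."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if looks_like_pe(blob[pos:]):
            return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1

def recover_pe(encoded: bytes):
    """Return (key, offset, pe_bytes) for the first key that yields a PE, else None."""
    for key in (DOCUMENTED_KEY, *range(256)):
        decoded = xor_bytes(encoded, key)
        off = find_pe_offset(decoded)
        if off != -1:
            return key, off, decoded[off:]
    return None

def build_sample() -> bytes:
    """Constructed demo input (not a real sample): 8 filler bytes, then a minimal MZ/PE stub, XOR-wrapped with 0x25."""
    stub = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
            + b"PE\0\0" + b"\x4c\x01" + b"\x00" * 18)
    return xor_bytes(b"\x90" * 8 + stub, DOCUMENTED_KEY)

if __name__ == "__main__":
    key, off, pe = recover_pe(build_sample())
    print(f"key=0x{key:02x} pe_offset={off} pe_len={len(pe)}")
```

The recovered `pe_bytes` can be hashed and compared against the SHA-256 values the report lists, or submitted to existing AV/EDR scanning, which is the point of unwrapping the blob before it ever executes.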

The campaign’s financially motivated nature is evident in its opportunistic exploitation of user trust.
Modern browsers like Chrome and Edge mitigate risks through Google Safe Browsing and Microsoft Defender SmartScreen, which perform reputation checks and signature analysis to block malicious downloads. However, evolving threats necessitate user vigilance.
Recommended defenses include advanced threat protection (ATP) in email gateways, next-generation antivirus (NGAV) and endpoint detection and response (EDR) on Windows systems, DNS filtering, network segmentation, and multi-factor authentication (MFA) enforcement.
By integrating threat intelligence feeds and conducting regular phishing simulations, organizations can bolster resilience against SilverFox’s persistent operations.