Chinese Threat Actors Using 2,800 Malicious Domains to Deliver Windows-Specific Malware
A sophisticated Chinese threat actor campaign has emerged as one of the most persistent malware distribution operations targeting Chinese-speaking communities worldwide.
Since June 2023, this ongoing campaign has established an extensive infrastructure comprising more than 2,800 malicious domains specifically designed to deliver Windows-targeted malware to individuals and entities both within China and internationally.
The threat actors operate with remarkable consistency during Chinese business hours, employing a multi-faceted approach that leverages fake application download sites, deceptive software update prompts, and spoofed login pages for popular services.
Their targets include users of marketing applications, business sales platforms, and cryptocurrency-related services, demonstrating a clear focus on financially motivated cybercrime and credential theft operations.
The campaign’s scope and persistence have drawn significant attention from security researchers.
DomainTools analysts identified that as of June 2025, 266 domains from over 850 created since December 2024 remained actively distributing malware, highlighting the operation’s sustained infrastructure and continuous evolution.
Recent operational changes indicate the threat actors are adapting to defensive measures by implementing anti-automation code, reducing reliance on tracking services like Baidu and Facebook, and distributing their infrastructure across more servers to avoid detection.
These modifications suggest a mature understanding of cybersecurity countermeasures and a commitment to maintaining operational effectiveness.
Multi-Stage Infection Mechanism
The malware delivery process demonstrates sophisticated technical implementation through a multi-stage infection chain.
Analysis of the domain googeyxvot[.]top reveals the actors’ use of JavaScript obfuscation to conceal download URLs and trigger fake browser compatibility errors that prompt malicious updates.
When users interact with these deceptive sites, they receive a ZIP file containing an MSI installer.
The file flashcenter_pl_xr_rb_165892.19.zip (SHA256: 7705ac81e004546b7dacf47531b830e31d3113e217adeef1f8dd6ea6f4b8e59b) contains the executable svchost.13.exe, which functions as a downloader component.
This downloader retrieves encrypted payloads from command-and-control servers, specifically from URLs like https://ffsup-s42.oduuu[.]com/uploads%2F4398%2F2025%2F06%2F617.txt.
The final payload employs XOR encryption with the key 0x25 to decode and execute the embedded PE file, demonstrating the campaign’s technical sophistication in evading detection while maintaining operational simplicity for widespread deployment across their extensive domain infrastructure.
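For an analyst who has captured one of the encrypted payload files, the decoding step described above can be reproduced offline. The following is an added example, not code from the article or from the campaign's downloader: it XOR-decodes a blob with the reported key 0x25, validates that the result carries a PE header, and (going beyond the article) recovers the key by brute force when it is unknown. The sample blob is constructed here and is only a PE-shaped header, not a real binary.

```python
import struct
from typing import Optional

XOR_KEY = 0x25  # single-byte key reported for this campaign


def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Apply a single-byte XOR to every byte of the downloaded payload."""
    return bytes(b ^ key for b in blob)


def looks_like_pe(data: bytes) -> bool:
    """Check the DOS 'MZ' stub and the 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(blob: bytes, key: int = XOR_KEY) -> Optional[bytes]:
    """Decode with the given key; return the PE only if it validates."""
    decoded = xor_decode(blob, key)
    return decoded if looks_like_pe(decoded) else None


def recover_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys and return the one yielding a valid PE."""
    for key in range(256):
        if looks_like_pe(xor_decode(blob, key)):
            return key
    return None


def build_sample_pe_stub() -> bytes:
    """Constructed minimal PE-shaped header for offline testing (not executable)."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


# Constructed stand-in for a captured '617.txt'-style blob, encoded with 0x25.
SAMPLE_ENCODED = xor_decode(build_sample_pe_stub(), XOR_KEY)
```

Run `decode_payload(SAMPLE_ENCODED)` to get the decoded header back, or `recover_key(SAMPLE_ENCODED)` to confirm the key from the ciphertext alone; a captured file with a different key will still be identified as long as it decodes to a PE.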