Chinese Malware Campaign Uses 2,800 Domains to Target Windows Users with Financially Motivated Attacks
A highly persistent Chinese threat actor has built a sprawling infrastructure of over 2,800 malicious domains since June 2023 to distribute Windows-specific malware, primarily targeting Chinese-speaking users around the world. Operating predominantly during Chinese business hours, the campaign leverages spoofed application update prompts, fake login pages, and deceptive download sites to target users of marketing platforms, sales tools, and cryptocurrency services. Analysts have observed more than 850 new domains created since December 2024, with over 260 still actively serving malware as of June 2025—underscoring the threat actor’s focus on financial gain and credential theft.
The operation employs a multi-stage infection chain featuring JavaScript obfuscation, fake browser error messages, and ZIP files containing MSI-based downloaders. These downloaders retrieve encrypted payloads from command-and-control servers and XOR-decrypt them before executing the embedded malware. The attackers have evolved their tactics to bypass detection by implementing anti-automation scripts, decentralizing their infrastructure, and minimizing reliance on traditional tracking tools. This long-running campaign reflects a technically adept and adaptable adversary with a strong grasp of both evasion techniques and user targeting.
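For an analyst who has captured one of the encrypted second-stage blobs, the XOR step described above is usually recoverable without the downloader: a Windows PE begins with a predictable DOS header, which serves as known plaintext. The following is an added example, not code from the campaign or the article; it assumes a short repeating XOR key (the report does not state the key length) and uses a constructed sample blob in place of a real download.

```python
from typing import Optional

# Known plaintext present at the start of every Windows PE image.
DOS_STUB = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, max_key_len: int = 16, window: int = 0x100) -> Optional[bytes]:
    """Return the XOR key if the blob decrypts to 'MZ' at offset 0 and the DOS
    stub text somewhere in its first `window` bytes; None if no key fits."""
    if len(blob) < len(DOS_STUB) + 2:
        return None
    limit = min(window, len(blob)) - len(DOS_STUB)
    for klen in range(1, max_key_len + 1):
        for off in range(2, limit + 1):
            known = {0: ord("M"), 1: ord("Z")}
            known.update({off + j: c for j, c in enumerate(DOS_STUB)})
            key = [None] * klen
            ok = True
            for pos, plain in known.items():
                k, slot = blob[pos] ^ plain, pos % klen
                if key[slot] is None:
                    key[slot] = k
                elif key[slot] != k:
                    ok = False  # contradiction: wrong key length or stub offset
                    break
            if ok and None not in key:
                return bytes(key)
    return None


def looks_like_pe(data: bytes) -> bool:
    """Independent sanity check: e_lfanew at 0x3c must point at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed sample: minimal DOS header + stub + PE signature, encrypted with a
# made-up 3-byte key, standing in for a blob fetched from a C2 server.
SAMPLE_PE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
             + b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 32
             + b"\x80\x00\x00\x00"  # e_lfanew = 0x80
             + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
             + DOS_STUB + b"\r\r\n$").ljust(0x80, b"\x00") + b"PE\x00\x00"
SAMPLE_KEY = b"\x5a\xa7\x13"
SAMPLE_BLOB = xor_bytes(SAMPLE_PE, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    print("recovered key:", key.hex() if key else None)
    print("decrypts to PE:", key is not None and looks_like_pe(xor_bytes(SAMPLE_BLOB, key)))
```

If the blob is not a raw PE (for example a further-wrapped stage), the stub search simply returns None, which is itself a useful triage signal.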
cybersecuritynews.com/chinese-t…
