China-based Fangxiao group behind a long-running phishing campaign

Pierluigi Paganini November 18, 2022

A China-based financially motivated group, tracked as Fangxiao, is behind a large-scale phishing campaign dating back as far as 2019.

Researchers from Cyjax reported that a China-based financially motivated group, dubbed Fangxiao, orchestrated a large-scale phishing campaign since 2017.

The sophisticated phishing campaign exploits the reputation of international brands and targets businesses in multiple industries, including retail, banking, travel, and energy. Attackers imitated over 400 organisations, including Emirates, Singapore’s Shopee, Unilever, Indonesia’s Indomie, Coca-Cola, McDonald’s and Knorr.

The attackers use financial or physical incentives proposed via WhatsApp to trick victims into visiting a series of sites owned by advertising agencies.

Fangxiao registered more than 42,000 fake domains used to distribute malicious apps and bogus rewards.

“Users arrive at a Fangxiao controlled site through a link sent in a WhatsApp message. This message has a link to a landing domain which specifies a brand to impersonate. Fangxiao uses well-known, trusted brands to build legitimacy with victims. Attempts to reach the endpoints on the root domain without specifying a brand return a 404 error” reads the report published by the experts. “The landing domain redirects users to a main survey domain.”

These landing sites prompt the visitors to complete a survey to win prizes, and they are asked to tap on a box.

The site can require up to three taps for a “win,” a high-value gift card. To claim the prize, victims are requested to share the phishing campaign via WhatsApp to “5 groups/20 friends”.

In some cases, the Fangxiao landing pages were displaying malicious ads that if clicked from an Android device deliver the Triada malware.


“Another observed destination of this campaign is an app on the play store called “App Booster Lite – RAM Booster” with over a million downloads. It asks for highly intrusive permissions and is full of ads, with every tap on screen resulting in a hard-to-close popup ad.” continues the report.

iOS users are instead redirected to Amazon via an affiliate link, generating revenues for every purchase on the platform.

The presence of Mandarin text in a web service associated with aaPanel and time (China Standard Time) for the registration of the domains led to the attribution of the campaign to a China-linked threat actor.

“We assess that Fangxiao is a China-based threat actor likely motivated by profit. The operators are experienced in running these kinds of imposter campaigns, willing to be dynamic to achieve their objectives, and technically and logistically capable of scaling to expand their business.” concludes the report. “The Fangxiao campaigns are effective lead generation methods which have been redirected to various domains, from malware, to referral links, to ads and adware.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment