Fangxiao: a Chinese threat actor

Phishing campaigns continue to increase globally. These operations offer an easy route for cybercriminals to generate revenue, steal credentials and spread malware.

Cyjax has recently investigated a sophisticated, large-scale phishing campaign that exploits the reputation of trusted international brands and targets businesses in multiple verticals, including retail, banking, travel, pharmaceuticals and energy.

We are tracking the threat actors behind this campaign as Fangxiao, a group which we assess with high confidence to be based in China and motivated by profit. We have discovered over 42,000 unique Fangxiao-controlled domains used since 2019 and they continue to scale. The campaign operators deploy fairly typical lures: one particularly apposite example would be how they have sought to exploit anxieties about the COVID-19 pandemic.

Fangxiao uses several strategies to stay anonymous: most of its infrastructure sits behind Cloudflare, which hides the origin servers, and domain names are rotated frequently and quickly. On one day in October 2022 alone, the group used over 300 new unique domains.

Users arrive at a Fangxiao-controlled site through a link sent in a WhatsApp message, which in turn sends them to a landing domain impersonating a well-known, trusted brand. Over 400 organisations are currently being imitated, and that number continues to rise. Brands impersonated include Emirates, Singapore's Shopee, Unilever, Indonesia's Indomie, Coca-Cola, McDonald's and Knorr.

Victims are then redirected to a main survey domain. When they click the link there, they are sent through a series of advertising sites to one of a set of constantly changing destinations. The final page serves different content depending on the visitor's user-agent: a click on the "Complete registration" button from an Android user-agent will sometimes result in a download of the Triada malware. Because victims are invested in the scam, keen to get their "reward", and the site tells them to download the app, this has likely resulted in a significant number of infections.

Our study included searches on Shodan to deanonymise some of the domains: by finding the origin IP addresses we were able to see past Cloudflare's proxying, and we identified the IP address hosting a Fangxiao site that had been online since at least 2020. Browsing to this service showed us a page written in Mandarin. In addition, analysis of the Fangxiao TLS certificates provided an interesting insight into the behaviour of the group, further backing up our assessment that it is based in China. However, its use of WhatsApp implies targeting outside of China, as the messaging service is blocked in mainland China.
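The two infrastructure traits described above (rapid domain rotation behind Cloudflare, and the occasional origin server that is exposed directly) are the kind of thing a hunting script can pull out of passive-DNS or proxy data. The following is an added example written for this post, not Cyjax's own tooling. The observations are constructed, the domain names are hypothetical, and the two Cloudflare prefixes are a small snapshot that must be refreshed from https://www.cloudflare.com/ips-v4 before real use.

```python
"""Hunting helpers for a rotating, Cloudflare-fronted phishing campaign.

Added example, not Cyjax tooling. Observations are constructed passive-DNS
style records: (first-seen date, FQDN, resolved IPv4).
"""
import ipaddress
from collections import Counter

# Assumption: snapshot of two Cloudflare anycast prefixes. Refresh from the
# published list (https://www.cloudflare.com/ips-v4) before relying on this.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]

# Constructed sample data; the domains and addresses are not real Fangxiao IOCs.
OBSERVATIONS = [
    ("2022-10-10", "www.reward-survey1.example", "104.21.5.9"),
    ("2022-10-10", "reward-survey1.example", "104.21.5.9"),
    ("2022-10-11", "emirates-prize2.example", "172.67.8.4"),
    ("2022-10-11", "shopee-gift3.example", "104.22.1.1"),
    ("2022-10-11", "brand-bonus4.example", "104.23.3.3"),
    ("2022-10-12", "coke-win5.example", "203.0.113.7"),    # not fronted
    ("2022-10-12", "knorr-reward6.example", "203.0.113.7"),  # same origin
    ("2022-10-13", "reward-survey1.example", "104.21.5.9"),  # repeat sighting
]


def is_cloudflare(ip: str) -> bool:
    """True if the address falls inside a known Cloudflare prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def registrable(fqdn: str) -> str:
    """Naive registrable-domain reduction (last two labels). Good enough for
    .example; use a public-suffix list for co.uk-style TLDs in real use."""
    return ".".join(fqdn.split(".")[-2:])


def first_seen_per_day(observations):
    """Count how many registrable domains appear for the first time each day."""
    first_seen = {}
    for day, fqdn, _ip in sorted(observations):
        first_seen.setdefault(registrable(fqdn), day)
    return Counter(first_seen.values())


def burst_days(observations, threshold):
    """Days on which at least `threshold` new domains showed up: the
    'hundreds of new domains in a day' rotation signal."""
    counts = first_seen_per_day(observations)
    return sorted(day for day, n in counts.items() if n >= threshold)


def split_by_fronting(observations):
    """Separate Cloudflare-fronted domains from those resolving to a direct
    origin; direct origins that host several campaign domains are the pivot
    point for further enrichment (Shodan, certificate history, hosting ASN)."""
    fronted, direct = set(), {}
    for _day, fqdn, ip in observations:
        dom = registrable(fqdn)
        if is_cloudflare(ip):
            fronted.add(dom)
        else:
            direct.setdefault(ip, set()).add(dom)
    return fronted, direct


def shared_origins(observations, min_domains=2):
    """Direct (non-fronted) IPs serving at least `min_domains` campaign domains."""
    _fronted, direct = split_by_fronting(observations)
    return {ip: doms for ip, doms in direct.items() if len(doms) >= min_domains}


if __name__ == "__main__":
    print("burst days:", burst_days(OBSERVATIONS, threshold=3))
    fronted, direct = split_by_fronting(OBSERVATIONS)
    print("fronted:", sorted(fronted))
    print("shared origins:", shared_origins(OBSERVATIONS))
```

Once an exposed origin is found, the next step in practice is to query the hosting history of that address and the certificates it has presented, since a campaign that rotates domains daily often reuses the same back-end server for months.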

What should be clear from this study is that Fangxiao's criminal actions, like those of all other cyber threat groups, are enabled by the internet infrastructure we all rely on. As noted above, the group deploys a variety of strategies to obscure its identity, such as the protection provided by Cloudflare, and it uses the same platforms as legitimate sites. It is difficult to see how this situation could be dealt with effectively and fairly, but it is certainly worth consideration.

By Emily Dennison and Alana Witten

A white paper and a list of IOCs accompany this post.