15 November 2022

Massive Fangxiao phishing campaign impersonates over 400 well-known brands

The China-based threat actor known as “Fangxiao” has built a massive network of phishing sites that impersonate well-known brands such as Unilever, Coca-Cola, McDonald's and Knorr to lure users onto sites that deliver Android malware or funnel them into fake gift card scams.

The campaign, discovered by researchers at Cyjax, exploits the reputation of trusted international brands to establish credibility with victims. Fangxiao targets businesses in multiple verticals, including retail, banking, travel, pharmaceuticals and energy. The researchers found more than 42,000 unique Fangxiao-controlled domains used since 2019. Currently, over 400 organizations are being spoofed, and this figure continues to rise.

Users arrive at a Fangxiao-controlled website via a link sent in a WhatsApp message; the link leads to a landing domain tailored to the impersonated brand. The victim is then redirected through a series of sites owned by advertising companies before ending up at a malicious destination, ranging from Android malware to fake gift card scams.

“All the landing and phishing domains are currently protected behind CloudFlare and are rotated extremely frequently. In one day in late October 2022, we identified over 300 brand new unique domains used by Fangxiao,” the researchers wrote in the report.

The threat actor has used over 24,000 landing and survey domains since the start of March 2022. At present, Fangxiao is using two Google Tag Manager codes (G-LW7434MYMN and G-5MMGBZGY1Q) which it has reused across thousands of its domains. Because a G- prefixed value is a Google Analytics 4 measurement ID that sits in the page source of every site that loads it, the shared values allow other domains controlled by the group to be identified.

The threat actor also used a variety of top-level domains, mainly .top (67%) and .cn (14%). The .top TLD is commonly associated with fraudulent activity and is available for as little as $1.39 a year.

“This likely reflects Fangxiao’s desire to reduce costs as they scale their business to be more profitable. Purchasing and replenishing their domain pool is likely to be their biggest cost,” Cyjax said.
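The reused tracking IDs are the pivot a defender or researcher would reproduce: any page that embeds the same measurement ID is a candidate for the same operator, and the TLD split of the resulting cluster can be compared with the .top/.cn figures above. The following Python is an added example, not code from Cyjax or from the article. The domain names and HTML in it are constructed for illustration; only the two G- IDs come from the report. It extracts Google tag IDs from page source, inverts the index to cluster domains by shared ID, and computes the TLD share of the cluster.

```python
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Google tag identifiers as they appear in page source: GA4 measurement IDs (G-),
# Universal Analytics property IDs (UA-) and Tag Manager container IDs (GTM-).
TAG_ID_RE = re.compile(r"\b(G-[A-Z0-9]{6,12}|UA-\d{4,10}-\d{1,4}|GTM-[A-Z0-9]{4,10})\b")

# Constructed sample corpus: domain -> fetched HTML. The domains and markup are
# invented for this example; only the two G- IDs are the ones named in the report.
SAMPLE_PAGES = {
    "prize-survey-a.top": (
        '<html><head><script async src="https://www.googletagmanager.com/gtag/js?id=G-LW7434MYMN">'
        "</script><script>window.dataLayer=window.dataLayer||[];"
        "function gtag(){dataLayer.push(arguments);}gtag('js',new Date());"
        "gtag('config','G-LW7434MYMN');</script></head><body>Answer 3 questions to win</body></html>"
    ),
    "brand-gift-b.cn": (
        "<html><head><script>gtag('config', 'G-5MMGBZGY1Q');</script></head>"
        "<body>Claim your gift card</body></html>"
    ),
    "promo-c.top": (
        '<html><head><script src="https://www.googletagmanager.com/gtag/js?id=G-LW7434MYMN"></script>'
        "</head><body>Spin the wheel</body></html>"
    ),
    "unrelated-shop.com": (
        "<html><head><script>gtag('config', 'G-ABC123XYZ0');</script></head>"
        "<body>Genuine shop</body></html>"
    ),
    "no-tracker.top": "<html><body>Nothing to see</body></html>",
}


def extract_tag_ids(html: str) -> set[str]:
    """Return every Google tag ID referenced anywhere in a page's HTML."""
    return set(TAG_ID_RE.findall(html))


def index_by_tag_id(pages: dict[str, str]) -> dict[str, set[str]]:
    """Invert the corpus: tag ID -> set of domains whose source embeds it."""
    index: dict[str, set[str]] = defaultdict(set)
    for domain, html in pages.items():
        for tag_id in extract_tag_ids(html):
            index[tag_id].add(domain)
    return dict(index)


def pivot_domains(pages: dict[str, str], seed_ids: set[str]) -> set[str]:
    """Domains that share any of the seed tag IDs: the pivot the report describes."""
    index = index_by_tag_id(pages)
    linked: set[str] = set()
    for tag_id in seed_ids:
        linked |= index.get(tag_id, set())
    return linked


def tld_share(domains: set[str]) -> dict[str, float]:
    """Fraction of the cluster per TLD (last label), for comparison with the report's split."""
    counts = Counter(d.rsplit(".", 1)[-1].lower() for d in domains)
    total = sum(counts.values())
    return {tld: n / total for tld, n in counts.items()}


if __name__ == "__main__":
    seeds = {"G-LW7434MYMN", "G-5MMGBZGY1Q"}
    cluster = pivot_domains(SAMPLE_PAGES, seeds)
    print("linked domains:", sorted(cluster))
    print("tld share:", tld_share(cluster))
```

In practice the HTML would come from a URL-scanning or passive-crawl service rather than from visiting live phishing pages. A shared tag ID is a strong link but not proof of common ownership: a template copied from a legitimate site carries its owner's ID, and an operator can rotate IDs at any time, so the pivot is best combined with registrar, nameserver and landing-page template overlap.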

The researchers identified 89 different domain registrars, mostly China-based; however, the group also used well-known, trusted registrars such as GoDaddy, Namecheap and Wix.

“We assess that Fangxiao is a China-based threat actor likely motivated by profit. The operators are experienced in running these kinds of imposter campaigns, willing to be dynamic to achieve their objectives, and technically and logistically capable of scaling to expand their business. The Fangxiao campaigns are effective lead generation methods which have been redirected to various domains, from malware, to referral links, to ads and adware. We attempted to find concrete evidence to link any of the payloads to the original Fangxiao campaign but were not able to do so. Despite this we can also not confirm these are separate entities,” the researchers concluded.
