Redirected, Taken Over, & Defaced: Breaking Down the Attacks Abusing Legitimate Hong Kong Websites

Last week, we shared our observations regarding active attacks weaponising trusted Hong Kong domains to serve users suspicious content for SEO manipulation purposes. Collectively, we have observed over 70 cases of open redirect attacks, web defacements and/or subdomain takeovers in Hong Kong between January and April 2025. Open-source intelligence indicates that these attacks, specifically those pushing online gambling content, are part of a wider trend impacting victims across the Asia Pacific.

In this part two of the series, we dive into the technical details: breaking down how these techniques work, what technologies and vulnerabilities are often involved, and how you can prevent and defend against these threats.

Read Part One here: Redirected, Taken Over, & Defaced: Legitimate Hong Kong Websites Abused to Serve Users to Online Gambling and Adult Content

Open Redirects Weaponise Trusted Hong Kong Websites

This technique is not novel by any means; open redirection first garnered attention in the early 2000s, as web applications began incorporating user-controllable data into redirection targets without proper validation. When that input is not validated, malicious actors can craft URLs on the legitimate (sub)domain that redirect users to a site of their choosing, borrowing the trust and search ranking of the original domain.

The typical attack flow is as follows:

  1. Register a new domain to host the malicious content.
  2. Identify legitimate, trusted domains with endpoints susceptible to open redirection (no compromise of the site itself is needed).
  3. Perform SEO manipulation so that the crafted redirect URLs on the trusted domain rank in search results, funnelling traffic to the malicious site.
  4. A user searches for the intended site via a search engine, clicks the link shown in the results, and is redirected to the malicious site.

Certain pages face a higher risk of open redirection abuse: login, registration, password reset and checkout pages are a few examples. Redirection is an integral part of these workflows (for instance, returning the user to the page they came from after authenticating), so they commonly accept a return URL as a request parameter. Ensuring proper validation of redirect URLs on these pages is crucial to prevent exploitation.

1. Vulnerable or Misconfigured Web Applications

Threat actors often target PHP-based applications, as PHP remains one of the most widely used server-side languages for web development; this allows vulnerable PHP web applications to be scanned for and exploited at scale. Furthermore, many PHP applications run on legacy code that has not been updated to follow modern security practices, and suffer from common, easily exploitable bugs and misconfigurations, including unvalidated redirect parameters.

Case Study #1: Moodle

Notably, we have observed recurrent weaponisation of higher education domains, which we partially attribute to the widely used Moodle Learning Management System (LMS) platform being built in PHP. In the screenshots below, we highlight a recent case in which a legitimate higher education website was abused to redirect to an illicit Indonesian online gambling site. This aligns with public reporting of an ongoing campaign targeting PHP servers with PHP backdoors and the GSocket networking tool to direct users to illicit Indonesian gambling sites.[1]

Figure 1: Redirection chain

Figure 2: edu.hk website abused to redirect to Indonesian online gambling site

Figure 3: edu.hk website observed to be vulnerable PHP-based Apache server

Figure 4: Backup redirection chains to ensure user is served to illicit gambling site

Case Study #2: WordPress

WordPress is another popular PHP-based application that frequently suffers from open redirect vulnerabilities (e.g., CVE-2024-4704 [2]), largely because of third-party plugins and insufficient patch management. Recently, we identified a Hong Kong domain redirecting to YouTube videos. We assessed the likely root cause to be exploitation of known vulnerabilities in the PHP application to allow for redirects. We posit that this redirection to YouTube videos may have been motivated by traffic monetisation, whereby the threat actor joined an affiliate programme or ad network that pays per site visit.

Figure 5: Open redirects weaponising .hk domain to redirect users to YouTube videos
Figure 6: WordPress site abused for open redirect due to PHP vulnerabilities

Case Study #3: Vulnerable WordPress Plugin Leads to Web Defacement

Whilst malicious actors do not need to infiltrate the victim environment to abuse a website for open redirection, in some cases we do observe threat actors gaining internal access to compromise, or deface, sites for SEO poisoning. In a defacement attack, malicious actors obtain unauthorised access to a website, gaining the ability to modify its contents as well as to perform other malicious activities, such as deploying a web shell or establishing a connection to their command-and-control (C2) infrastructure for persistence.

In late 2024, we responded to an incident in which a financially motivated threat actor infiltrated the victim’s site via exploitation of the WordPress plugin GutenKit (CVE-2024-9234). The threat actor weaponised the vulnerable plugin to install various PHP-based web shells, facilitating additional access to multiple subdomains within the website’s directory and the upload of gambling-related web content.

Based on the language indicators contained within the web shells, as well as the content displayed on the defaced subdomains, we assessed the attack was performed by an Indonesian threat actor. Notably, our analysis of the web shells found a Telegram bot API integration embedded within them. Such bots are known to support SEO poisoning operations, for example by automating tasks for the promoted gambling sites and their affiliate marketing.[3],[4]

Figure 7: .hk website defaced to display Indonesian gambling content

Microsoft IIS Servers (and ASP.NET)

Microsoft Internet Information Services (IIS) servers are frequently abused for open redirection due to their widespread use, configuration complexity and the prevalence of legacy deployments. IIS servers often host ASP.NET applications, which are susceptible to open redirects when a return URL taken from the query string or form data (for example, a ReturnUrl parameter passed straight to Response.Redirect) is used without validation.

Case Study #4: IIS Server hosting PHP and ASP.NET

PHP and IIS can be combined to host PHP applications on Windows servers, as evidenced below, where we observed multiple subdomains abused to redirect users to adult content sites. We hypothesise that the purpose of directing users to these sites is to further redirect them to phishing sites that harvest personally identifiable information (PII), to extort victims by threatening to expose supposed infidelity[5], or to deliver malware.

Figure 8: Redirection link abusing PHP web applications to adult content sites
Figure 9: Compromised domain observed to be IIS server hosting PHP and ASP.NET applications

2. Other issues that could lead to open redirection abuse

In addition to vulnerable or misconfigured web applications, there are alternative means by which threat actors may exploit web servers for open redirection.

Content-Security-Policy – “unsafe-allow-redirects”

Content-Security-Policy (CSP) is an HTTP response header that lets website administrators specify which sources of content the browser may load. ‘unsafe-allow-redirects’ is a source-list keyword defined for the draft navigate-to directive of CSP Level 3: with it present, the intermediate hops of a redirect chain (HTTP 301, 302, 307 and 308) are not checked against the policy, and only the final destination must comply. Two caveats apply. First, CSP is enforced by the browser, not the server; it cannot create a server-side open redirect, and a stricter policy cannot fix one, so its presence is a defence-in-depth signal rather than a root cause. Second, navigate-to was never enabled by default in any major browser and has since been removed from the CSP Level 3 draft, so a policy relying on it offers no protection in practice. Where the keyword is present, treat it as an indicator of a weak or legacy policy: restrict navigation and form targets with a strict allowlist (e.g., form-action), and audit the overall CSP periodically to ensure it remains effective.

Case Study #5: unsafe-allow-redirects

In this case, we detected a local government website abused to route traffic to adult content sites. Upon examining the impacted subdomain, we observed the ‘unsafe-allow-redirects’ keyword present in its CSP. At the time of our investigation, the redirection links had become invalid and were no longer functional. However, because search engines had cached the redirect URLs, the links still appeared in search results, posing potential reputational damage even though they were no longer active.

Figure 10: Compromised domain with unsafe-allow-redirects enabled

Leaked FTP Credentials

In other cases, threat actors use valid File Transfer Protocol (FTP) credentials to facilitate their open redirection attacks. These credentials are likely obtained via the dark web (e.g., from infostealer logs) and are used to inject JavaScript code into websites. Given this level of access to the victim environment, the threat actor could also perform additional malicious activities such as defacement or data exfiltration. In late 2022, researchers tracked a campaign weaponising legitimate websites intended for East Asian audiences to direct users to adult-themed content.[6]

Subdomain Takeover to Display Indonesian Gambling Sites

In addition to using open redirects, malicious actors have been observed performing subdomain takeovers, abusing dangling DNS records to display Indonesian gambling content. A subdomain takeover occurs when a subdomain (e.g., sub.example.com) has a CNAME record pointing to a service that has since been removed or deleted, leaving the record in the Domain Name System (DNS) still active: a “dangling” DNS entry. If the provider allows anyone to claim the released hostname, an attacker can register it and host their own content under the victim’s subdomain.

The typical attack flow is as follows:

  1. Creation: An organisation creates a new subdomain with a CNAME record pointing to a hosted service (e.g., sub.example.com pointing to sub-service.provider.com).
  2. Deprovisioning: The service is removed or deleted, but the CNAME record remains in DNS, creating a “dangling” entry.
  3. Discovery: A malicious actor finds the dangling subdomain via automated scanning tools and/or manual checks (e.g., a CNAME whose target no longer resolves, or that returns the provider’s “site not found” page).
  4. Takeover: The malicious actor provisions a new service on the same provider and claims the same hostname as the original (e.g., sub-service.provider.com).
  5. Redirection: DNS now resolves the organisation’s subdomain to the attacker’s service, allowing them to host arbitrary content under the trusted name.

Case Study #6: Wix Subdomain Takeover

In early 2025, we notified a local education victim regarding the compromise of their subdomain to display Indonesian gambling content. The impacted subdomain was hosted on Wix and intended for a short-term, event-related campaign; hence the eventual deprovisioning of the site.

The threat actor discovered the dangling DNS entry, created a new Wix site displaying gambling-related content, and assigned it the same hostname as observed in the CNAME record ([redacted].wixdns.net). As a result, any new traffic to the subdomain was directed to the attacker’s Wix site.

Figure 11: Original DNS CNAME Record
Figure 12: Wix Site Taken Over to Display Betting Content 

Case Study #7: Azure Subdomain Takeover

In another case, we observed a subdomain pointing to an Azure service that was compromised to display Indonesian gambling content. The attack flow is the same: the Azure service (e.g., sub-service.azurewebsites.net) was deleted, leaving the CNAME record dangling. The attacker discovered this and subsequently provisioned a new Azure service with the same FQDN (sub-service.azurewebsites.net).

Figure 13: Original DNS CNAME Record
Figure 14: Attacker’s new Azure service

Subdomains hosted on Azure face a relatively heightened risk of CNAME takeover. Azure hostnames such as *.azurewebsites.net are globally unique per resource, so once the original resource is deleted anyone can register the same name and the takeover is deterministic. In the case of Wix, the CNAME target is not unique to one customer, so takeover attempts do not always succeed. Generally speaking, any service on which subdomains can be (and are) easily created and deleted is at risk of leaving dangling DNS records if the appropriate deprovisioning steps are not implemented.

Conclusion

As evidenced through our ongoing monitoring, SEO poisoning attacks show no signs of slowing down. These attacks pose a significant and growing threat, primarily to reputational integrity and user trust, and potentially lead to legal consequences. However, the danger extends beyond these immediate risks: attackers who obtain internal access can escalate, deploying web shells, moving laterally, and engaging in extortion through data exfiltration or ransomware.

As these campaigns increase in frequency and sophistication, it is imperative for organisations to stay vigilant and implement robust security measures. Regular security audits and proactive configuration assessments are essential to minimise exposure to such attacks. By maintaining a strong security posture, organisations can protect their reputation, uphold user trust, and prevent their brand from being exploited for malicious purposes.

Why are these attacks persisting? Read Part One: Redirected, Taken Over, & Defaced: Legitimate Hong Kong Websites Abused to Serve Users to Online Gambling and Adult Content

Recommendations and Best Practices

Minimise the threat of open redirect abuse:

Prevention

Avoid user-controllable data in URLs where possible. Per OWASP’s cheat sheet on preventing unvalidated redirects and forwards[7]:

– Do not allow a URL as user input for the destination.
– Where possible, have the user provide a short name, ID or token that is mapped server-side to the full target URL.
– Validate that the supplied value is valid, appropriate for the application and authorised for the user.
– Where a URL must be accepted, validate it against an allowlist of trusted destinations (e.g., hosts or a regex), and fall back to a safe default when validation fails.
– Ensure all redirects to external sites first notify users that they are leaving the site, clearly displaying the destination URL and requiring the user to click a link to confirm.

Detailed recommendations for validating and sanitising user inputs are available here.[8]
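The following is an added illustration of the validation just described, and of the open redirect pattern introduced under “Open Redirects Weaponise Trusted Hong Kong Websites”. It is editor-written Python, not code from this page, OWASP, Moodle or WordPress; Python is used so the logic reads independently of the application’s stack. The host allowlist, the token map and the function names are assumptions.

```python
"""Open redirect: the vulnerable pattern beside a hardened validator.

Added example, not code from the original page or from any product it
discusses. Hosts, tokens and function names are assumptions.
"""
from urllib.parse import urlsplit

# Assumed: destinations this application may legitimately send users to.
ALLOWED_HOSTS = {"www.example.edu.hk", "lms.example.edu.hk"}

# Assumed: OWASP's preferred pattern, a short token mapped server-side to a
# URL, so the client never supplies a URL at all.
REDIRECT_MAP = {
    "home": "https://www.example.edu.hk/",
    "course": "https://lms.example.edu.hk/course/view.php?id=42",
}


def vulnerable_redirect(next_param: str) -> str:
    """The bug behind most open redirects: the request parameter becomes the
    Location header unchanged, so ?next=https://evil.example/ is honoured."""
    return next_param


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only a same-site relative path or an absolute https URL whose
    host is on the allowlist.

    Rejects the common bypasses: scheme-relative //evil, backslash variants
    (/\\evil, which browsers normalise to //evil), control characters,
    userinfo tricks (https://allowed@evil), non-https schemes such as
    javascript: or data:, non-standard ports, and suffix confusion
    (www.example.edu.hk.evil.example).
    """
    if not target or "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading slash, so "//" never reaches
        # the browser.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def safe_redirect(next_param: str, fallback: str = "/") -> str:
    """Hardened replacement for vulnerable_redirect(): validate, otherwise
    fall back to a safe default instead of failing open."""
    return next_param if is_safe_redirect(next_param) else fallback


def token_redirect(token: str, fallback: str = "/") -> str:
    """Strongest option: the client sends an opaque token, never a URL."""
    return REDIRECT_MAP.get(token, fallback)
```

The allowlist is matched on the parsed hostname, never by substring or prefix on the raw string, which is how “starts with https://www.example.edu.hk” checks get bypassed with a userinfo or suffix trick. Where the application can avoid accepting a URL at all, token_redirect() removes the problem rather than filtering it.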
Detection

– Deploy continuous, automated attack surface monitoring to proactively detect, validate (e.g., by simulating payload injection) and remediate URLs vulnerable to open redirection.
– Use regular expression (regex) patterns to scan web server logs for suspicious redirection patterns (e.g., redirect parameters whose values contain external domains), paying particular attention to requests that were answered with a 3xx status.
– Implement logging and monitoring of redirection activity and analyse the logs for unusual patterns (e.g., frequent redirections to a small set of external sites, or redirect requests arriving with a search engine referrer).
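As an added example of the log scanning recommended above (editor-written Python, not the page’s or any vendor’s tooling), the script below parses Apache/nginx combined-format access log lines, pulls out redirect-style parameters whose values point off-site, and counts confirmed redirects per external host. The log lines are constructed for the example; OWN_HOSTS is an assumption. The parameter names wantsurl (Moodle) and redirect_to (WordPress) are the real names those applications use; the rest of the list is a generic starting point.

```python
"""Scan web server access logs for open-redirect abuse.

Added example, not the page's or any vendor's code. The log lines are
constructed (Apache/nginx combined format); OWN_HOSTS is an assumption.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed: hostnames that belong to the monitored site.
OWN_HOSTS = {"www.example.edu.hk", "lms.example.edu.hk"}

# Parameter names that commonly carry a redirect target; extend per application.
REDIRECT_PARAMS = {
    "url", "next", "redirect", "redirect_to", "redirect_uri", "returnurl",
    "return", "goto", "dest", "destination", "continue", "wantsurl",
}

# Request line and status code of a combined-format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# An absolute or scheme-relative URL, i.e. something that can leave the site.
EXTERNAL_RE = re.compile(r"^(?:https?:)?//", re.IGNORECASE)

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample log: one legitimate same-site redirect, three abuses that
# were answered with a 3xx (one double-encoded), one normal page view, and one
# attempt the application did not honour (200).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2025:10:01:02 +0800] "GET /login/index.php?wantsurl=https%3A%2F%2Flms.example.edu.hk%2Fmy%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:10:01:05 +0800] "GET /login/index.php?wantsurl=https%3A%2F%2Fslot-gacor.example%2F HTTP/1.1" 302 0 "https://www.google.com/" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:10:01:09 +0800] "GET /go.php?url=%2F%2Fslot-gacor.example%2Fbonus HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2025:10:02:00 +0800] "GET /course/view.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2025:10:02:30 +0800] "GET /redirect?next=https%253A%252F%252Fadult-site.example%252F HTTP/1.1" 302 0 "-" "curl/8.0"
192.0.2.11 - - [12/Mar/2025:10:03:00 +0800] "GET /redirect?next=https%3A%2F%2Fevil.example%2F HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def external_targets(url: str):
    """Yield (parameter, host) for redirect-style parameters that point off-site."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() not in REDIRECT_PARAMS:
            continue
        # parse_qsl decoded once; decode again to catch double-encoded payloads,
        # fold backslashes (browsers treat them as slashes) and collapse runs of
        # leading slashes, which browsers also read as an authority.
        candidate = unquote(value).replace("\\", "/")
        candidate = re.sub(r"^((?:https?:)?)/{2,}", r"\1//", candidate, flags=re.IGNORECASE)
        if not EXTERNAL_RE.match(candidate):
            continue
        host = (urlsplit(candidate).hostname or "").lower()
        if host and host not in OWN_HOSTS:
            yield name, host


def scan_log(text: str) -> list:
    """Return one finding per request whose redirect parameter points off-site."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        status = int(m["status"])
        for param, host in external_targets(m["url"]):
            findings.append({
                "path": urlsplit(m["url"]).path,
                "param": param,
                "host": host,
                "status": status,
                # A 3xx confirms the server honoured the redirect (the endpoint
                # is exploitable); a 200 is an attempt worth watching.
                "redirected": status in REDIRECT_STATUSES,
            })
    return findings


def hosts_by_volume(findings: list) -> Counter:
    """Count confirmed redirects per external host: the 'frequent redirections
    to external sites' signal from the recommendations."""
    return Counter(f["host"] for f in findings if f["redirected"])
```

Run it over a day of logs and the hosts with the highest counts are the campaign’s landing domains; the paths they appear on are the endpoints to fix first. Requests with an off-site parameter that still returned 200 are useful too, since they show what attackers are probing before a redirect is actually found.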
Remediation Steps

If your website has fallen victim to open redirection:

– Disable the affected URL(s) or parameter(s) to prevent further abuse.
– Conduct a thorough investigation to identify the vulnerability exploited and the extent of the abuse.
– Apply the necessary patches and hardening measures to secure the website against similar attacks.
– Perform an audit to ensure no other websites or subdomains have been affected.
– Request removal of the cached redirect URLs from search engines, as the links continue to appear in results after the redirect itself is fixed.
– Inform users about the incident and the steps taken to secure their data and the website.
Individuals’ User Awareness

Users should check the legitimacy of a website before providing it with information. Recognise suspicious URLs and websites:

– Before clicking a link, hover over it to see the actual URL, and be wary of a trusted address that carries a second, unrelated domain in its parameters.
– Check for spelling or grammatical errors in the domain name and in the website’s content (e.g., a brand name spelled wrong).
– Ensure the URL uses HTTPS rather than HTTP, bearing in mind that HTTPS only shows the connection is encrypted, not that the site is legitimate.
– Trust your browser; modern browsers often warn you if you are about to visit a suspicious or known phishing site.
– Use online URL scanners, such as VirusTotal, to determine whether the website has been flagged as malicious. These platforms also expose other useful indicators, such as the domain’s registration date (a newly created domain can indicate phishing).

Compliance and Legal Considerations

May involve legal responsibilities related to protecting user data and preventing phishing attacks.

Minimise the threat of subdomain takeovers and defacements:

Prevention

Reduce your “low hanging fruit” through continuous attack surface monitoring to proactively identify and remediate potential entry points:

– 24×7 dark web monitoring to swiftly detect and remediate compromised data (e.g., leaked credentials from infostealer dumps).
– 24×7 social media listening and brand reputation monitoring to identify mentions of, or impersonation attempts against, your organisation.
– Consider an offensive approach to threat and vulnerability management for real-time visibility of your attack surface, through autonomous, rapid detection and remediation.
– 24×7 young domain monitoring to proactively uncover potential phishing campaigns impersonating your organisation.
– Regularly perform security audits and penetration tests to identify and fix misconfigurations in your web applications and servers. Ensure secure coding practices are enforced.
– Maintain an up-to-date asset inventory and a prioritised patch management plan to ensure rapid patching of technologies known to be frequently abused by threat actors (e.g., WordPress plugins).
– Review and harden Internet-facing applications’ access controls and safeguards (e.g., web application firewall, password policies, multi-factor authentication, and disabling or restricting FTP in favour of SFTP with key-based authentication).
– Regularly audit your DNS records to identify and remove any CNAME records pointing to deprovisioned services.
– Enforce a strict policy to standardise the deprovisioning of resources (e.g., ensuring DNS entries are removed before, or at the same time as, the service is deleted).
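The following is an added example of the DNS audit recommended above, and of the takeover flow described under “Subdomain Takeover to Display Indonesian Gambling Sites”. It is editor-written Python, not code from this page. The zone export and the DNS answers are constructed so the audit runs offline; in production, fake_resolve() would be replaced by a real lookup and the rest of the logic stays the same. The provider suffix list and the severity labels are assumptions drawn from the two case studies.

```python
"""Find dangling CNAMEs before an attacker does.

Added example, not the page's code. The zone export and the DNS answers
are constructed so the audit runs offline; swap fake_resolve() for a real
lookup and the logic is unchanged.
"""

# Provider suffixes whose released hostnames can be re-registered by any
# customer. azurewebsites.net and wixdns.net are the two providers from the
# case studies; trafficmanager.net is another globally unique Azure namespace.
# Severity follows the page's observation: Azure names are unique per resource
# (deterministic takeover), Wix targets are shared (takeover not guaranteed).
CLAIMABLE = {
    ".azurewebsites.net": "HIGH",
    ".trafficmanager.net": "HIGH",
    ".wixdns.net": "MEDIUM",
}

# Constructed zone export as (owner, type, target) tuples.
ZONE = [
    ("www.example.edu.hk.", "A", "203.0.113.10"),
    ("event2024.example.edu.hk.", "CNAME", "example-event.wixdns.net."),
    ("portal.example.edu.hk.", "CNAME", "edu-portal-prod.azurewebsites.net."),
    ("lms.example.edu.hk.", "CNAME", "lms-live.azurewebsites.net."),
    ("blog.example.edu.hk.", "CNAME", "ghs.googlehosted.com."),
    ("old.example.edu.hk.", "CNAME", "retired-host.example.net."),
]

# Constructed answers: an address list for a live target, None for NXDOMAIN.
FAKE_DNS = {
    "example-event.wixdns.net.": None,
    "edu-portal-prod.azurewebsites.net.": None,
    "lms-live.azurewebsites.net.": ["20.0.2.1"],
    "ghs.googlehosted.com.": ["142.250.0.1"],
    "retired-host.example.net.": None,
}


def fake_resolve(name: str):
    """Stand-in resolver: returns the address list, or None when the name
    does not exist (the condition that leaves a CNAME dangling)."""
    return FAKE_DNS.get(name)


def classify(target: str, resolve=fake_resolve) -> str:
    """Classify one CNAME target.

    OK              target resolves
    DANGLING        target is NXDOMAIN on a provider not known to be claimable
                    (still remove it: it breaks the subdomain and may become
                    claimable later)
    TAKEOVER:<sev>  target is NXDOMAIN and the suffix is one anyone can
                    register, so an attacker can complete the takeover flow
    """
    if resolve(target) is not None:
        return "OK"
    t = target.lower().rstrip(".")
    for suffix, severity in CLAIMABLE.items():
        if t.endswith(suffix):
            return f"TAKEOVER:{severity}"
    return "DANGLING"


def audit(zone=ZONE, resolve=fake_resolve) -> list:
    """Return (owner, target, status) for every CNAME that needs action,
    most urgent first so the deprovisioning ticket starts with the records
    an attacker could claim today."""
    findings = []
    for owner, rtype, target in zone:
        if rtype != "CNAME":
            continue
        status = classify(target, resolve)
        if status != "OK":
            findings.append((owner, target, status))
    order = {"TAKEOVER:HIGH": 0, "TAKEOVER:MEDIUM": 1, "DANGLING": 2}
    return sorted(findings, key=lambda f: order[f[2]])
```

For each flagged record the fix is the same: delete or repoint the CNAME, ideally before the hosted resource is released rather than after. An NXDOMAIN answer is the reliable signal for Azure-style namespaces; for providers whose shared hostnames keep resolving after a customer leaves, classify() should additionally fetch the subdomain over HTTP and match the provider’s “site not found” page.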
Detection

– Consider implementing real-time monitoring of DNS changes, including updates to CNAME records, to detect and remediate any unauthorised modifications.
– Consider implementing a File Integrity Monitoring (FIM) solution on backend web servers (e.g., IIS) to alert on anomalous file activity (file creation, modification or deletion) in the web root, which is where web shells and defacement pages are typically written.
– Alternatively, consider the use of canary tokens to detect defacement attacks. For example:
– Webpage monitoring: embed canary tokens within webpages; any unauthorised modification triggers an alert.
– File integrity monitoring: place canary tokens in critical files on your web server; if these files are accessed or altered, the token triggers an alert.
Remediation Steps

If your website has fallen victim to a defacement:

– Take the affected page offline to prevent further damage.
– Conduct a thorough investigation to determine the root cause and extent of the breach. Given unauthorised access to internal environments, check for other malicious activity such as lateral movement, credential harvesting, and deployment of web shells or other malware.
– Apply the necessary patches and updates to remediate the vulnerabilities, and implement the preventive and detective recommendations above.
– Restore the webpage from your latest clean backup, after confirming that the backup predates the intrusion and does not contain the attacker’s files.
– Notify all relevant stakeholders regarding the incident and the steps being taken to address it.

Compliance and Legal Considerations

May involve legal implications such as complying with data protection regulations, notifying affected users and stakeholders, and maintaining thorough documentation to demonstrate due diligence.

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Redirected, Taken Over, & Defaced: Legitimate Hong Kong Websites Abused to Serve Users to Online Gambling and Adult Content

Through our continuous monitoring, Dark Lab has tracked multiple open redirection, site takeover and defacement cases weaponising Hong Kong organisations’ websites. Typically exploited to direct users to adult content, online gambling and/or phishing sites, these attacks pose significant risks to organisations, including reputational damage, loss of user trust and potential legal implications. In cases where attackers achieve internal access, organisations face added risk, as the malicious actors’ unauthorised access to the internal environment provides the opportunity to perform further malicious activities such as web shell deployment, data exfiltration and more.

We observe this emerging trend reflected in open-source intelligence, with various reports of Search Engine Optimisation (SEO) manipulation in which legitimate sites have been weaponised to direct users to Indonesian gambling sites. In addition, we have detected numerous newly registered domains promoting similar gambling content at scale: per our ongoing young domain monitoring, we observed over 190 newly registered domains containing the keyword ‘slot’ in a single day. This highlights the sheer volume at which Indonesian gambling-themed sites are being distributed for financial gain.

As threat actors continuously adapt their means of attack, it is crucial that organisations remain wary of the latest threats and harden Internet-facing assets accordingly, particularly those built on technologies frequently targeted by malicious actors.

This blog is part of a two-part series; stay tuned for our deep dive into the technical details and how you can defend against these emerging threats.

Hong Kong Websites Abused for SEO Poisoning

SEO poisoning, otherwise known as SEO manipulation, is a technique in which malicious actors manipulate search engine rankings to make their attacker-controlled websites appear at the top of search results. Since late 2024, we have observed the emergence of open redirection and web defacement attacks against legitimate Hong Kong websites, weaponising the trusted site to push online gambling-related and adult content. This further led to our discovery and subsequent monitoring of subdomain takeovers geared towards delivering similar content.

In Q1 2025, we tracked 34 cases of open redirection attacks, whereby malicious actors exploited (sub)domains with insufficient validation to craft URLs that redirect users to their malicious site(s).

Note: recent tracking indicates heightened targeting against non-commercial sectors 

Similarly, throughout Q1 2025, we tracked 38 cases of web defacements against Hong Kong websites. Rather than redirecting unsuspecting users to an untrusted, third-party website, the attacker exploits a vulnerable web server to display their malicious content directly on the victim’s site.

Case Study: Hong Kong Not-for-Profit Webpage Compromised for Defacement AND Open Redirection to Online Gambling Content

In mid-March, we observed a case in which a local not-for-profit’s subdomain was compromised both to deface the webpage with Indian online gambling content and to redirect to an attacker-controlled site hosting similar gambling content. Investigation of the compromised subdomain revealed the likely root cause to be its susceptibility to various known PHP-related vulnerabilities.

Figure 1: Impacted server observed to be vulnerable to various PHP-related vulnerabilities, allowing for unsafe redirects
Figure 2: Defacement of not-for-profit subdomain to serve online gambling and sports betting content
Figure 3: Open Redirection of same subdomain to Indian online gambling site

Why is Asia at the centre of these attacks?

Whilst we focused our tracking on abuse of Hong Kong websites, we have observed multiple recent reports of similar cases indicating an ongoing, regional abuse of websites across the wider Asia Pacific. These campaigns typically redirect users to online gambling or adult content sites. But why?

Indonesian Gambling Sites

Multiple cases we observed, as well as those in public reporting, directed users to online gambling sites intended for an Indonesian audience. We posit this correlates with government efforts to tackle online gambling in the country following the new administration’s inauguration in October 2024, evidenced by its recent use of artificial intelligence (AI) to block illegal gambling content.[1],[2],[3]

Despite gambling bans since 1993, Indonesia faces a staggering gambling problem, largely driven by online gambling. In 2023, the country reportedly lost approximately $30.7 billion to online gambling, spread across four million online gamblers, 11% of whom were under the age of twenty.[4] We posit that the SEO manipulation observed in the aforementioned cases is a means by which online gambling operators may counteract the loss of income resulting from law enforcement takedowns.

This was (and continues to be) reflected in the Philippines’ ban on Philippine Offshore Gaming Operators (POGOs) in late 2023. Following the demise of the POGO industry, POGO operators swiftly repurposed their infrastructure and personnel to conduct various illicit scam activities.[5],[6] In addition to the operators themselves, other opportunistic threat actors are suspected of having jumped on the bandwagon, establishing phishing sites masquerading as online gambling operators to prey on vulnerable individuals. As we projected in our 2025 Cyber Threat Landscape Predictions blog, we anticipate continued growth in SEO campaigns pushing online gambling phishing sites amidst the regional crackdown.[7]

Another angle to consider, reflected in both the Indonesian and Philippine cases, is that most online gambling operators are based abroad. Capitalising on “grey areas” in the laws in place, these offshore operators may avoid legal consequences whilst still serving their gambling content to Indonesian and Philippine users. We observe discussion of how to profit from this ‘loophole’ both on legitimate affiliate marketing platforms[8] and on the dark web.

Figure 4: Dark web discussion seeking advice for SEO strategy and Digital Marketing for “Indonesia in which casino and gambling is banned”
Figure 5: Dark web discussion providing “iGaming SEO tips for your casino”

What we further observed throughout our monitoring is the frequent use of Google Tag Manager (GTM) as a driver to enhance the SEO ranking of these online gambling sites. GTM is a free platform intended for marketers to manage and configure marketing tools such as AdSense and Google Analytics, so it is no surprise that the actor(s) behind these sites abuse the legitimate platform to expand the visibility of their sites and, by extension, increase their likelihood of a return on investment.[9]

Figure 6: Google Tag Manager tag observed embedded within online gambling sites

Adult Content

The motives behind the regional targeting to redirect users to adult content appear less obvious. Some factors we suspect play a role in Asia’s heightened targeting are high Internet usage, varied levels of Internet governance in the region, and cultural factors that may restrict access to such content.

We posit a number of potential motivations could be behind these attacks:

  • SEO Manipulation: By exploiting redirects, malicious actors can manipulate search engine rankings to drive more (inorganic) traffic to their sites.
  • Traffic Monetisation: By redirecting users to adult content, malicious actors can generate revenue through affiliate programmes or ad networks that pay for traffic.
  • Malware Distribution: Malicious sites disguised as adult content may lead to malware infections (e.g., drive-by downloads, exploit kits).
  • Phishing: The adult content site may contain malicious advertising (malvertising) or embedded links that further redirect the user to phishing sites intended to collect their sensitive information.
  • Social Engineering Scams: A previous campaign saw adult content sites further redirect users to dating sites intended for romance scams.[10]

Conclusion

SEO poisoning poses an active and increasing threat. Whilst in most cases the risks are primarily reputational damage, loss of user trust and potential legal implications, we do observe multiple instances in which attackers may inflict further harm given their internal access to victims. In these cases, they may not only perform open redirects or defacements to present their malicious content, but also have the opportunity to deploy web shells, perform lateral movement and pursue extortion via data exfiltration or ransomware deployment.

The potential follow-on impact is evidenced in the wide-scale campaign leveraging DragonRank malware against victims in Asia and Europe for SEO rank manipulation.[11] Whilst the primary goal was to drive traffic to malicious sites, the threat actors further leveraged their unauthorised access to perform lateral movement and credential harvesting, likely for use in subsequent attacks.

As these campaigns amplify in speed and scale, it is crucial that organisations remain aware of these threats and implement robust security measures to minimise susceptibility to such attacks. This includes performing regular security audits to assess and uplift configurations. By staying vigilant and proactive, organisations can safeguard their reputation, maintain the trust of their users, and ensure that their brand is not weaponised to facilitate malicious activities.

Stay tuned for our Part Two, as we delve into the technical – breaking down how these techniques work, what vulnerabilities and technologies are often involved, and how you may defend against these ever-present threats!


Forecasting the Cyber Threat Landscape: What to Expect in 2025

2024 marked a pivotal shift in the cyber threat landscape, with threat actors increasingly experimental, yet intentional in their approaches to cyberattacks. Leveraging new and emerging technologies to weaponise trust and further lower the barrier to entry for cybercriminals, we anticipate no less for 2025. Based on PwC Dark Lab’s observations throughout 2024, we share our assessment of the potentially most prevalent threats and likely emerging trends for this year.

Identities will continue to be the primary target for threat actors, resulting in a gradual rise of infostealer infections and credential sales on the dark web

Hong Kong saw a 23% rise in infostealer infections in 2024, a trend reflected in our incident experience, where infostealers and leaked credentials persisted as a frequent root cause of cyberattacks. We assess this growth in infostealer usage reflects the wider trend whereby threat actors of varying motivations have increasingly shifted focus to identity-based attacks.

Through our ongoing dark web monitoring, we observed threat actors becoming increasingly deliberate in their weaponisation of infostealers, intentionally targeting specific types of data during collection. This is reflected in the uptick of network access sales for SSH, VPN, firewall and cloud credentials. We posit that credential and database sales will remain a hot commodity within dark web marketplaces, given they allow for easy entry. Furthermore, we observed that data sales need not be associated with an active data breach, as we repeatedly observe threat actors farming data from organisations’ exposed libraries, directories and publicly released information, as well as historically leaked data on the dark web, to publish as a single data dump. We posit that this repurposing and collating of already available information is performed as a means for threat actors to establish their reputation on dark web hacking forums.

As witnessed in our incident experience and open-source reporting, threat actors now target individuals’ personal devices with the intention of obtaining access to enterprise environments. This was most recently evidenced in Cyberhaven’s Chrome extension security incident, whereby a phishing attack resulted in attacker takeover of their legitimate browser extension. The attackers replaced it with a tampered update designed to steal cookies and authenticated sessions, which was automatically distributed to approximately 400,000 users.[1] In a previous incident, we observed that the victim organisation was compromised as a result of an infostealer deployed on an employee’s personal, unmanaged laptop, leading to the theft of valid corporate credentials and subsequent corporate compromise. We anticipate that threat actors will continue to adopt new means to distribute and weaponise infostealers at scale to collect valid identities with which to initiate their attacks.

Cybercriminals will exploit any means to deliver malware, with Search Engine Optimisation (SEO) being an effective vector for compromise – bringing potential reputational damage

Search Engine Optimisation (SEO) plays a crucial role in today’s digital society, enabling visibility and accessibility of websites to seamlessly connect users with the most relevant information. As such, it is no surprise that SEO has become a growing driver in malicious campaigns. Be it directing users to malicious sites impersonating legitimate brands, spreading disinformation, or compromising legitimate websites to benefit from their search rankings, threat actors have continuously refined their means to weaponise, or ‘poison’, SEO.

SEO poisoning involves the manipulation of search engine results to direct users to harmful websites. This may be achieved through the use of popular search terms and keywords to raise their sites’ rankings, mimicking of legitimate websites, typosquatting, and/or cloaking (serving keyword-rich content to search engine crawlers while showing human visitors something else) combined with chains of redirects. Recently, we observed public reports of a novel multipurpose malware, PLAYFULGHOST, distributed as a trojanised version of trusted VPN applications via SEO poisoning techniques.[2] In other cases, we observe threat actors installing ‘SEO malware’ on compromised websites, designed to perform black hat SEO poisoning whereby search engines index and display the attackers’ malicious webpages as though they were contained within the legitimate, compromised website.[3]
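To make the cloaking step concrete, the following is an added example (not code from the original post or from any of the campaigns it describes): a constructed stand-in for a compromised site running SEO malware that keys its response on the User-Agent and Referer headers, alongside the check a defender can run against a suspect URL by requesting it as a crawler, as a visitor arriving from a search engine, and as a plain browser, then comparing what comes back. The page contents, header markers, and the `fetch` signature are assumptions made for the example.

```python
import re
from collections import Counter
from typing import Callable, Dict

# Constructed stand-in for a compromised site running "SEO malware".
# Crawlers (and visitors arriving from a search engine) get a keyword-stuffed
# gambling page; everybody else gets the real page, so the site owner and
# ordinary visitors never see the abuse. Markers and pages are illustrative only.
CRAWLER_UA_MARKERS = ("googlebot", "bingbot", "baiduspider", "yandexbot")
SEARCH_REFERER_MARKERS = ("google.", "bing.com", "baidu.com", "yahoo.")

REAL_PAGE = (
    "<html><head><title>Example Retailer - Home</title></head>"
    "<body><h1>Welcome to Example Retailer</h1><p>Browse our latest products.</p></body></html>"
)
SPAM_PAGE = (
    "<html><head><title>Online Casino Betting Slots Jackpot</title></head><body>"
    + " ".join(["casino betting slots jackpot bonus"] * 40)
    + "</body></html>"
)


def cloaked_server(url: str, headers: Dict[str, str]) -> str:
    """Simulated compromised host: picks the page from User-Agent and Referer only."""
    ua = headers.get("User-Agent", "").lower()
    referer = headers.get("Referer", "").lower()
    if any(m in ua for m in CRAWLER_UA_MARKERS) or any(m in referer for m in SEARCH_REFERER_MARKERS):
        return SPAM_PAGE
    return REAL_PAGE


def _title(html: str) -> str:
    m = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    return m.group(1).strip() if m else ""


def _word_counts(html: str) -> Counter:
    text = re.sub(r"<[^>]+>", " ", html).lower()
    return Counter(re.findall(r"[a-z]{3,}", text))


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"


def detect_cloaking(url: str, fetch: Callable[[str, Dict[str, str]], str],
                    spam_terms=("casino", "betting", "slots", "jackpot"),
                    threshold: float = 0.2) -> dict:
    """Request the URL as a plain browser (baseline), then as a crawler and as a
    browser arriving from a search engine; flag the URL if either probe returns a
    different <title> or a page dominated by the watch-listed terms.
    `fetch(url, headers) -> html` is injected so the same check can wrap a real
    HTTP client against a live site."""
    baseline_title = _title(fetch(url, {"User-Agent": BROWSER_UA}))
    probes = {
        "crawler_ua": {"User-Agent": GOOGLEBOT_UA},
        "search_referer": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
    }
    report = {}
    for name, hdrs in probes.items():
        html = fetch(url, hdrs)
        counts = _word_counts(html)
        total = max(sum(counts.values()), 1)
        ratio = sum(counts[t] for t in spam_terms) / total
        report[name] = {
            "title": _title(html),
            "title_differs": _title(html) != baseline_title,
            "spam_ratio": round(ratio, 2),
        }
    cloaked = any(p["title_differs"] or p["spam_ratio"] >= threshold for p in report.values())
    return {"url": url, "cloaked": cloaked, "baseline_title": baseline_title, "probes": report}


if __name__ == "__main__":
    print(detect_cloaking("https://compromised.example/", cloaked_server))
    print(detect_cloaking("https://clean.example/", lambda u, h: REAL_PAGE))
```

Swap `cloaked_server` for a wrapper around a real HTTP client to run the same probes against a live site. The caveat is that some SEO malware keys on crawler IP ranges rather than headers, in which case no header-only probe will reveal the cloaked page and a fetch from the search engine’s own infrastructure is needed.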

In mid-2024, PwC’s Dark Lab observed a sharp uptick in phishing sites masquerading as online gambling operators. Targeted against users in Southeast Asia, we assessed this is likely due to the regional crackdown on online gambling, as evidenced in the Philippines’ ban of Philippine Offshore Gaming Operators (POGOs). A notable instigator for the ban on POGOs was the shift of POGOs into illicit scamming activities following the impact of COVID-19 (e.g., online fake shopping, cryptocurrency, and investment scams).[4] As we observe further crackdowns within the region, we anticipate a growth in SEO campaigns pushing online gambling phishing sites, preying on unsuspecting or vulnerable users. This further reflects how threat actors continue to opportunistically weaponise current events to their benefit.

Growth in identity-based attacks highlights threat of domain abuse and need for stringent governance of top-level domains (TLDs)

The topic of internet hygiene has come to our attention amidst the significant uptick in the number of malicious sites impersonating local Hong Kong brands. Globally, the landscape of domain registration has come increasingly under question due to the ease and anonymity with which domains can be purchased, facilitated by the lack of regulation surrounding Know Your Customer (KYC) processes. This has fostered a favourable environment for malicious actors to disguise their infrastructure, gaining trust via ‘reputable’ top-level domains (TLDs). Whilst some TLDs like [.]xyz and [.]biz are widely regarded as ‘untrustworthy’, we observe that the commonly trusted [.]com and [.]top persisted as the two most abused TLDs in 2024.[5]

DNS abuse can take many forms; ICANN defines it as botnets, malware delivery, phishing, pharming, and spam.[6] Distributed Denial of Service (DDoS) is an example of an ever-present DNS-related threat increasingly observed in 2024, with the motivations behind these attacks being hacktivist in nature and correlating with major geopolitical events (e.g., elections, ongoing tensions). We anticipate a continuation of geopolitically motivated DDoS attacks in 2025, as threat actors recognise the success that may be achieved through these attacks, namely reputational damage and heightened visibility for their hacktivist cause. In Q2 2024, we uncovered an active campaign masquerading as multiple local brands including Mannings and Yuu using typosquatted domain names registered under the [.]top, [.]shop, and [.]vip TLDs. This campaign revealed how customised attacks against individuals are becoming: targeting of personal data now spans beyond credential harvesting, further collecting a broader set of attributes such as the device you are using, user location, behaviour patterns, and even loyalty programme details. As highlighted during our 2024 Hack A Day: Securing Identity, identity is now contextual, built from various attributes or ‘unique identifiers’ that together form your holistic identity profile.

Through PwC Dark Lab’s ongoing efforts to safeguard Hong Kong citizens, we foresee a need for more structured and regular analysis of generic TLDs (gTLDs), e.g., [.]com and [.]top, and country code TLDs (ccTLDs), e.g., [.]com.hk and [.]hk. To proactively identify and mitigate these active threats, we anticipate that in the longer run, governance is necessary to enforce and ensure adherence by registrars. This includes intelligence-driven ongoing detection, establishing consistent definitions, uplifting KYC validations, and appropriate procedures to handle known-bad domains. With over 96% of Hong Kong’s population (aged 10 or above) using the Internet[7], it is crucial that registrars collaborate in the collective goal to secure the internet and disrupt threat actors’ infrastructure supply.

Sophistication of social engineering scams will amplify as threat actors ‘smish’, abuse legitimate services, and weaponise AI and automation

As organisations worldwide have invested efforts into hardening their security posture, we observe threat actors adapting their attacks to find alternative means to bypass the heightened defences. SMS phishing (“smishing”) has become increasingly tailored in response to heightened user awareness. In some cases, we have observed smishing messages no longer containing links, only phone numbers – suggesting a preference to perform voice call phishing (“vishing”) as a means of increasing their chances of success. Beyond abuse of trusted identities, we observe threat actors weaponising legitimate services to disguise their malicious traffic behind legitimate sources.

In Q4 2024, we observed an unknown threat actor leverage multiple trusted domains in Hong Kong to front their Cobalt Strike Beacon command-and-control (C2). Domain fronting disguises the true destination of Internet traffic by using different domain names in different layers of an HTTPS connection: the DNS lookup and TLS Server Name Indication (SNI) carry a legitimate, highly trusted domain, while the HTTP Host header inside the encrypted tunnel names the attacker’s real endpoint behind the same CDN or hosting provider, so network defenders see only a connection to the trusted domain. Similarly, we have observed the use of legitimate platforms such as Ticketmaster and Cloudflare to host phishing sites. In another context, our global counterparts have observed advanced persistent threat (APT) actors utilising TryCloudflare tunnels to stage malware and circumvent DNS filtering solutions. We project that threat actors will continue to experiment with different, legitimate platforms to find means to facilitate their attacks.
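As an added illustration of how the fronting described above shows up in telemetry (example code, not from the original post or the investigation): given proxy or TLS-inspection records that capture both the TLS SNI and the HTTP Host header, connections whose two names belong to different registrable domains are the candidate fronting sessions. The log format, the IPs and hostnames, and the abbreviated public-suffix list are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Minimal list of multi-label public suffixes so that e.g. cdn.example.com.hk and
# example.com.hk are treated as the same registrable domain. Constructed for the
# example; a real deployment should use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"com.hk", "org.hk", "net.hk", "edu.hk", "gov.hk", "co.uk", "com.cn"}


def registrable_domain(name: str) -> str:
    """Normalise a hostname (case, trailing dot, :port) and reduce it to its registrable domain."""
    host = name.lower().rstrip(".").split(":")[0]
    labels = [l for l in host.split(".") if l]
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


# Constructed proxy / TLS-inspection records: one connection per line, with the
# TLS SNI the client presented and the Host header it then sent inside the tunnel.
SAMPLE_LOG = """\
2024-11-02T09:14:03Z 10.0.4.21 sni=www.example.com.hk host=www.example.com.hk dst=203.0.113.10
2024-11-02T09:14:07Z 10.0.4.21 sni=cdn.example.com.hk host=example.com.hk dst=203.0.113.10
2024-11-02T09:15:11Z 10.0.4.58 sni=trusted.example.com.hk host=beacon.attacker.example dst=203.0.113.10
2024-11-02T09:15:12Z 10.0.4.58 sni=trusted.example.com.hk host=BEACON.attacker.example. dst=203.0.113.10
2024-11-02T09:16:40Z 10.0.4.77 sni=portal.example.org host=portal.example.org:443 dst=198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    sni: str
    host: str
    dst: str


def find_fronting(log_text: str) -> List[Finding]:
    """Return every record whose TLS SNI and HTTP Host header fall under different registrable domains."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the record format
        rec = m.groupdict()
        if registrable_domain(rec["sni"]) != registrable_domain(rec["host"]):
            findings.append(Finding(**rec))
    return findings


def suspicious_sources(findings: List[Finding]) -> Dict[str, int]:
    """Count mismatched connections per internal source, the usual triage pivot."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_fronting(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.src} SNI={h.sni} Host={h.host} -> possible domain fronting")
    print(suspicious_sources(hits))
```

This catches the classic pattern, where the SNI names a trusted domain and the Host names the real endpoint on the same CDN. It does not catch cases where both names sit under the CDN’s own domain, and it depends on the proxy being able to see the Host header, i.e. on TLS interception; Cobalt Strike’s malleable C2 profile is what sets that Host header, which is why the comparison is worth making.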

As observed since the emergence of ChatGPT in late 2022, generative artificial intelligence (AI) has enabled threat actors to craft highly convincing, tailored social engineering content at scale. In 2024, the U.S. Federal Bureau of Investigation (FBI) reported a surge in AI-driven financial fraud, with criminals leveraging GenAI to generate convincing phishing emails, social engineering scripts, and deepfake audio and video to deceive victims.[8] We predict that the application of AI by cybercriminals will expand beyond content generation to automate vulnerability exploitation, malware distribution and development, and AI-enabled ransomware. On the flipside, as the integration of AI into business processes rises, the need to secure these AI systems will continue to mount.

The ransomware landscape will continue to diversify, weaponising emerging technologies, trusted identities and services to increase their chances of success

2024 was a transformative year for the ransomware landscape, following continued disruptions of the LockBit Ransomware-as-a-Service (RaaS) operation by international law enforcement agencies, and BlackCat’s alleged exit scam. These occurrences resulted in heightened scepticism, posing an opportunity for new ransomware actors to enter the market. As new groups arise, we observe them becoming increasingly experimental in their approaches to ransomware attacks, both through the Tactics, Techniques, and Procedures (TTPs) used and their malware offerings, diversifying the threat of ransomware.

We anticipate that 2025 will see a continuation of this trend, with an increased focus on weaponising trusted identities and legitimate services to increase their chances of success. Infostealers and Initial Access Brokers (“IABs”) will likely persist as a growing infiltration vector for ransomware affiliates, and we project increased targeting of systems likely to house sensitive information to enable rapid “smash and grab” attacks, such as cloud, Software-as-a-Service (SaaS), and file transfer platforms. Target systems for ransomware encryption are expected to expand further, as we already observed in mid-2024 with threat actors increasingly developing custom strains to target macOS and Network Attached Storage (NAS). This is evidenced in the recent discovery, following the arrest of a LockBit developer, that the group has been working on tailored variants to target Proxmox and Nutanix, both virtualisation platforms.[9]

Furthermore, we have observed discussion within the cybersecurity community regarding “quantum-proof ransomware”. As quantum computing develops, we hypothesise that ransomware operators will adopt quantum-resistant (post-quantum) algorithms to protect the keys used in their encryption processes, eliminating opportunities for victims to decrypt their data without the attacker-provided decryptors. On the other hand, we observe “harvest now, decrypt later” repeatedly referenced in these discussions, as researchers anticipate threat actors will weaponise quantum computing to enable mass decryption of previously stolen information protected by today’s public-key algorithms. We further suspect that this may lead to attackers collecting and storing data from recent attacks even if unable to decrypt it in the meantime. This poses a threat to existing victims of ransomware attacks, given the potential for ransomware actors to recover highly sensitive information and repurpose past attacks to extort victims and/or sell databases on the dark web.

Recommendations to Secure Your 2025

As we enter 2025, there is no telling with certainty what threats lie ahead. However, our experiences from 2024 have provided valuable lessons on how organisations can continue to strengthen their defences against ever-evolving threats.

  • Reduce your “low hanging fruit”. Monitor, minimise, and maintain visibility of your attack surface exposure to proactively identify and remediate potential security weaknesses that may expose you to external threats.
    • Enforce 24×7 dark web monitoring to swiftly detect and mitigate potential threats, ensuring early detection of compromised data, e.g. leaked credentials from infostealer dumps.
    • Extend 24×7 monitoring to social media listening, and brand reputation monitoring to identify mentions or impersonation attempts of your organisation, which may be indicative of potential or active targeting against your organisation.
    • Adopt an offensive approach to Threat and Vulnerability Management (TVM) to achieve real-time visibility of your attack surface through autonomous, rapid detection and remediation against emerging threats.[10] This further allows for the discovery of shadow IT, which may otherwise fall under the radar and pose threats to your organisation.
    • Periodically review your asset inventory, ensuring Internet-facing applications, exposed administrative ports, and non-production servers are intended to be publicly accessible, are appropriately configured, and segmented from your internal network. Ensure Internet-facing applications are regularly kept up-to-date, and prioritised in your patch management process.
    • Leverage canary tokens both on the external perimeter and internal environment to detect unauthorised attempts to access your environment and/or resources. Further, leverage the canary token detection alerts to provide insight into the types of threats actively targeting your organisation and what services and/or data they seek to access.[11]
  • Uplift identity security and access control. 2024 showed no sign of threat actors slowing in their weaponisation of identities, and shed light on the importance of account housekeeping and appropriate access control provisioning.
    • Govern and provision appropriate access controls and permissions following the principle of least privilege for all users. Ensure access is conditional and restricted only to the resources necessary for a user to perform their job functions. This includes enforcement of strong authentication mechanisms, such as strong password policies, multi-factor authentication (MFA), role-based access controls (RBAC), and continuous behavioural-based monitoring to detect anomalous behaviour.
    • Review and uplift the process for managing credentials, particularly in the case of offboarding or unused accounts. This includes timely revocation of access (termination of account), password changes for any shared accounts the employee had access to, and ensuring the offboarded member’s MFA mechanism is no longer linked to any corporate accounts.
    • Log, audit, and monitor all privileged account sessions via real-time monitoring, facilitated by Privileged Access Management (PAM) and Privileged Account and Session Management (PASM) solutions.
  • Protect your “crown jewels”. As threat actors become increasingly intentional in the systems and data they target, it is crucial that organisations identify, classify, and secure the critical systems most likely to be targeted.
    • Leverage threat intelligence and continuous monitoring of your attack surface (e.g., canary tokens) to identify the systems actively being targeted by threat actors.
    • Prioritise systems hosting critical data (e.g., file transfer systems) with layered preventive and detective strategies to safeguard data (e.g., Data Loss Prevention (DLP)).
    • Regularly perform risk assessments against critical systems to evaluate the current state of their cybersecurity posture, and harden accordingly.
    • Review and uplift the lifecycle of data, including consideration of:
      • Where data is being shared?
      • Who has access, including consideration of third-party risks posed by vendors’ access to internal data?
      • What internal policies are enforced to govern staff on the handling of data? For example, no sharing of internal data via external communication channels such as WhatsApp.
  • Manage your “unknown” risks. Unmanaged devices, shadow IT, and third-party risks continue to pose significant threats to organisations, introducing potential opportunities for threat actors to exploit for infiltration and/or access to your sensitive data.
    • For unmanaged devices:
      • Develop a Bring Your Own Device (BYOD) policy to govern the use of personal devices allowed to access the corporate network, including guidelines to enforce use of strong passwords and encryption. Regularly perform user awareness training to ensure understanding of and adherence to guidelines and best practices.
      • Consider implementation of a Mobile Device Management (MDM) or Endpoint Management solution to gain visibility and control over all devices connecting to your network.
      • Isolate unmanaged devices from critical network segments to minimise potential damage and access to resources.
    • For shadow IT:
      • Ensure that only authorised personnel can create and publish webpages. Use role-based access controls to limit who can make changes to corporate web assets.
      • Consider use of a Content Management System (CMS) that requires approval from designated personnel prior to webpage launch, to ensure all webpages comply with security standards.
      • Conduct regular audits to identify unauthorised webpages and monitor for any new web assets that appear without proper authorisation. Use automated tools to scan for shadow IT activity.
    • For third-party risks:
      • Perform thorough due diligence to vet third-party and fourth-party vendors through vendor risk management and ongoing monitoring. This includes assessment of their vulnerability management processes, security controls, and incident response capabilities.
      • Implement a robust vendor management programme that includes regular assessments, audits, and contractual agreements that define security requirements and expectations.
      • Restrict third-party access to specific network segments, enforcing the principle of least privilege alongside stringent access controls.
  • Counter the threat of DNS abuse. As threat actors increasingly abuse DNS infrastructure to enhance the capabilities of their attacks, it is crucial that organisations and registrars maintain awareness of the latest threats.
    • For individuals and organisations: maintain awareness of the threat of DNS abuse, including visibility of which registrars should be perceived as higher-risk, and continuous tracking of DNS-related threats.
    • For registrars, we recommend reviewing and uplifting the Know Your Customer (KYC) process, and establishing continuous monitoring to proactively flag DNS abuse. Monitoring would cover DNS/WHOIS data, combined with community reports of suspicious domains (e.g., via VirusTotal, URLScan, etc.).
    • For ICANN, we recommend leading the industry: establish and enforce governance and security key risk indicators (KRIs) for registrar compliance, define the penalties for non-compliance, publish the trends observed in threat actor activity, and set out how registrars and organisations should detect, respond, and recover.

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Watch Out for the Adversary-in-the-Middle: WhatsApp QR Code Hijacking Targets Hong Kong and Macau Consumers

PwC’s Dark Lab investigates the local WhatsApp account hijacking attacks, uncovering multiple campaigns targeting Hong Kong and Macau consumers.

Over the last few months, the community has seen a surge in attacks against individuals’ collaboration and communication applications that offer the use of mobile devices as a means of authentication. By taking over accounts on such platforms through means such as phishing, threat actors can easily gain access to personal or otherwise sensitive information shared across these platforms, or carry out attempts to defraud the legitimate business partners or contacts of the individuals concerned.

In this two-part series, we showcase two classic Adversary-in-the-Middle (AiTM) campaigns targeting Hong Kong-based victims. This blog piece provides a technical analysis and actionable steps to protect yourself against the ongoing campaign leveraging the Evil QR toolkit to hijack WhatsApp accounts locally.

Stay tuned for part two, as we share our incident response experience with a multi-stage AiTM phishing and business email compromise (BEC) attack weaponizing Evilginx and EvilProxy, leading to our discovery of the wide-scale, opportunistic campaign.

WhatsApp QR Code Hijacking Targets Hong Kong and Macau Consumers

In October 2023, we observed multiple reports of WhatsApp account hijacking cases impacting Hong Kong- and Macau-based victims. Upon successful account takeover, malicious actors have been observed to impersonate the owners of the compromised WhatsApp accounts, contacting the victim’s WhatsApp contacts to request fund transfers under the guise of their trusted relationship. Breaking down the attack, we observe that the Evil QR tool was deployed to facilitate the WhatsApp account takeovers, targeting unsuspecting victims.

Understanding how Evil QR works

Evil QR, first reported in July 2023, is a browser extension and companion server that lets attackers relay a legitimate login QR code onto a phishing page under their control; when the victim scans it, the authenticated session (and its cookies) is established in the attacker’s browser rather than the victim’s, providing access to the victim’s account.[1]

How Evil QR operates[2]:

  • The attacker opens the legitimate WhatsApp Web login page (https://web.whatsapp.com/).
  • The attacker enables the Evil QR browser extension, which extracts the legitimate QR code from WhatsApp Web and relays it to the Evil QR server, which hosts the attacker’s phishing page.
  • The attacker’s phishing page dynamically displays the latest QR code extracted from the WhatsApp Web login page.
  • When the unsuspecting victim visits the phishing page impersonating the WhatsApp Web login and scans the QR code, the victim’s phone links the attacker’s browser as a new device, and the attacker obtains access to the victim’s WhatsApp account.
  • Nothing on the phishing page reveals that a device has been linked, so the victim will be unaware of the session unless they manually check their WhatsApp settings (Settings > Linked Devices).

Figure 1: Attack path for WhatsApp account takeover using Evil QR

Weaponization of Evil QR by malicious actors

Due to the relatively simple setup of the QR code relay and phishing site using Evil QR, it is a low-effort, high-reward means for attackers to obtain access to sensitive information and perform malicious activities, as reflected in the recent surge of attacks against collaboration and communication applications.

We observe search results on Google, which indicate dedicated efforts to promote phishing sites impersonating WhatsApp to defraud unsuspecting victims. Search engine optimisation (SEO) poisoning is a technique commonly deployed by threat actors to improve the ranking of their malicious websites on search engine result pages.[3]

To improve the SEO ranking of their phishing site and deceive unsuspecting visitors as to its ‘legitimacy’, threat actors may deploy an array of techniques. One is keyword stuffing, whereby threat actors overload their phishing sites with keywords in a repetitive manner so that search engines assess the site as having relevant content and rank it higher. Another common technique is typosquatting, whereby threat actors capitalise on human error by registering domains with variations of likely spelling errors that could accidentally be typed (“typos”) by unsuspecting users (e.g. watsap web). Further, attackers commonly abuse sponsored listings and advertisements to direct users to their phishing sites.
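The typo check a user is asked to make by eye can also be automated. The following is an added example (not part of the original post): it scores a hostname against a brand name with an edit distance that counts an adjacent letter swap as a single typo, and also catches the brand being embedded in a label or used as a subdomain. The allowlist, the sample hostnames, and the distance threshold are assumptions made for the example; `waacad.cyou` is taken from the IoCs in this post.

```python
import re
from typing import Dict, Sequence


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance:
    insertions, deletions, substitutions and adjacent transpositions cost 1 each,
    so a swapped pair of letters ('wahtsapp') counts as a single typo."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


# Constructed allowlist of the brand's real domains; anything under these is legitimate.
LEGIT_DOMAINS = ("whatsapp.com", "whatsapp.net", "wa.me")


def assess_domain(hostname: str, brand: str = "whatsapp", legit: Sequence[str] = LEGIT_DOMAINS,
                  max_distance: int = 2) -> Dict[str, object]:
    """Classify a hostname relative to a brand name.
    verdict: 'legitimate' (on the allowlist), 'brand-in-label' (brand used as a
    subdomain or inside a label, e.g. whatsappweb.cyou or whatsapp.com.login.cyou),
    'typosquat' (a label within max_distance typos of the brand) or 'unrelated'."""
    host = hostname.lower().rstrip(".")
    if host in legit or any(host.endswith("." + d) for d in legit):
        return {"host": hostname, "verdict": "legitimate", "distance": 0, "label": None}
    labels = [l for l in host.split(".") if l][:-1]  # drop the TLD, keep subdomains
    best_label, best = None, None
    for label in labels:
        for token in re.split(r"[-_]", label):  # watsap-web -> watsap, web
            if not token:
                continue
            if brand in token:
                return {"host": hostname, "verdict": "brand-in-label", "distance": 0, "label": token}
            dist = osa_distance(token, brand)
            if best is None or dist < best:
                best_label, best = token, dist
    verdict = "typosquat" if best is not None and best <= max_distance else "unrelated"
    return {"host": hostname, "verdict": verdict, "distance": best, "label": best_label}


if __name__ == "__main__":
    for h in ("web.whatsapp.com", "watsap-web.cyou", "wahtsapp.net", "whatsappweb.cyou",
              "whatsapp.com.login.cyou", "waacad.cyou", "weather.com"):
        print(assess_domain(h))
```

Note what the last two samples show: `waacad[.]cyou` and most of the other domains in this campaign are nowhere near the brand lexically, because they rely on sponsored results and SEO rather than on typos. Lexical similarity is one signal; page content and hosting overlap, as pivoted on below, are the others.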

Figure 2: Search results for the typo ‘watsapp web’

Referencing the first sponsored search result, ws6.whmejjp[.]com, we observe the domain to be actively impersonating the WhatsApp Web login webpage.

Figure 3: Screenshot of ws6.whmejjp[.]com as of 19 October 2023

Pivoting on structurally similar websites, we observe the host IP (2a06:98c1:3121:[:]3) hosting over 10,000 domains with a similar HTML structure. Based on the newly registered domains associated with the host IP, we observed multiple typosquatted domains targeting users of various gaming and communications platforms, such as Twitch, Steam, Valorant, and Telegram. 

Referencing public reports of the ongoing attacks against Hong Kong consumers[4], we pivoted on the waacad[.]cyou domain which continues to display a WhatsApp Web login page.

Figure 4: Screenshot of waacad[.]cyou as of 19 October 2023

Analysing the host IP (103.71.152[.]102) for waacad[.]cyou, we observe it serving 14 newly registered domains within the last month, starting from 22 September 2023. The domains were observed to follow a similar naming convention, all displaying an identical WhatsApp Web phishing page.

Figure 5: Newly registered domains hosted by 103.71.152[.]102 [5]

Through further investigation of 103.71.152[.]102, we observed multiple domains created between 27 August and 1 September 2023 which appear to impersonate Sands casino. Based on observations that 103.71.152[.]102 and several of its hosted domains have been flagged as malicious for phishing, the consistent naming conventions, the contents of the WhatsApp Web phishing pages being written in Chinese, and the ongoing suspected phishing campaign impersonating Sands, we assess with high confidence that the threat actor is conducting an ongoing, targeted phishing campaign against Hong Kong and Macau citizens.
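The naming-convention pivot used above can be reproduced over the IoC list. As an added example (not the original post’s tooling), the code below refangs the defanged domains from the IoC table at the end of this post, reduces each to its registrable domain, and groups them by the character shape of the second-level label and the TLD, so that a family such as 5565?.vip surfaces together with its shared prefix. The shape encoding and the minimum cluster size are choices made for the example, and two-label public suffixes such as .com.hk are not handled because none occur in this set.

```python
import os
from collections import defaultdict
from typing import Dict, List, Tuple

# Defanged domains copied from the IoC table at the end of this post.
IOC_DOMAINS_DEFANGED = """
clooe[.]cyou kkgee[.]icu waacad[.]cyou www[.]waacad[.]cyou clooeapp[.]cyou kkgegroup[.]icu
bbhes[.]cyou gooe8[.]cyou xxeez[.]icu gooer[.]icu waacad[.]icu weeae[.]icu weeaet[.]cyou
wyyadinc[.]icu bbyaysc[.]cyou
5565m[.]vip 5565k[.]vip 5565v[.]vip 5565f[.]vip 5565t[.]vip 5565z[.]vip 5565c[.]vip 5565r[.]vip
5565i[.]vip 5565a[.]vip 5565p[.]vip 5565w[.]vip 5565g[.]vip 5565u[.]vip 5565e[.]vip 5565l[.]vip
5565d[.]vip 5565s[.]vip 5565j[.]vip 5565q[.]vip 5565x[.]vip 5565h[.]vip 5565o[.]vip
ws6.whmejj[.]com dxweb.whasatcp[.]life uaa.whxmcwd[.]top
""".split()


def refang(domain: str) -> str:
    """Turn the defanged form (example[.]com) back into a real hostname."""
    return domain.replace("[.]", ".").lower()


def shape(label: str) -> str:
    """Map each character to its class: a=letter, d=digit, -=other, e.g. 5565m -> dddda."""
    return "".join("a" if c.isalpha() else "d" if c.isdigit() else "-" for c in label)


def cluster_by_shape(defanged: List[str], min_size: int = 3) -> Dict[Tuple[str, str], dict]:
    """Group registrable domains by (shape of second-level label, TLD).
    Subdomains such as www. or ws6. are dropped first so duplicates collapse."""
    groups = defaultdict(set)
    for d in defanged:
        labels = refang(d).split(".")
        if len(labels) < 2:
            continue
        sld, tld = labels[-2], labels[-1]
        groups[(shape(sld), tld)].add(sld + "." + tld)
    clusters = {}
    for key, members in groups.items():
        if len(members) >= min_size:
            slds = sorted(m.split(".")[0] for m in members)
            clusters[key] = {"members": sorted(members), "common_prefix": os.path.commonprefix(slds)}
    return clusters


if __name__ == "__main__":
    found = cluster_by_shape(IOC_DOMAINS_DEFANGED)
    for (shp, tld), info in sorted(found.items(), key=lambda kv: -len(kv[1]["members"])):
        print(f"shape={shp} tld=.{tld} size={len(info['members'])} prefix={info['common_prefix']!r}")
```

Run over this list the Sands-themed family stands out as 23 five-character labels, four digits followed by one letter, all under .vip and all sharing the prefix 5565; the five-letter .icu WhatsApp domains form the only other cluster, without a shared prefix. The same grouping is a quick first pass when a hosting IP returns hundreds of domains.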

Potential impact upon successful WhatsApp account takeover

Upon a successful WhatsApp account takeover, the attacker has full access to the user’s conversations and contact list. In the ongoing campaign targeting Hong Kong users, we observe the primary goal to be victim impersonation to request fund transfers from unsuspecting people who would typically trust the victim, including family, loved ones, and friends.

Figure 6: Sample of fraudulent fund transfer request via WhatsApp

Further, attackers may scan the victim’s conversation for sensitive information, such as personally identifiable information (“PII”) and shared passwords, depending on what sensitive information has been disclosed by the individual to other parties. In addition, the attacker could further leverage the account to send phishing links (“smishing”) to the victim’s contacts, to perform additional credential theft activities.

Conclusion

PwC’s Dark Lab observes that Hong Kong and Macau are being actively targeted by multiple opportunistic phishing campaigns. We strongly encourage citizens to exercise caution and awareness when interacting with untrusted sources. Refer to our recommendations below for general best practices and advice on how to detect and respond to a potential WhatsApp account takeover.

We continue to observe the cyber threat landscape evolve, with threat actors increasingly shifting towards identity-based attacks, weaponising not only passwords but also sessions to maintain persistent access to compromised accounts. Stay tuned for part two, as we share key learnings from a recent incident response case involving a multi-stage AiTM phishing and business email compromise (BEC) attack.

Join us on November 7 2023 for PwC’s annual Hack A Day Conference: Register Here

Recommendations

How to detect if you are visiting a phishing website impersonating WhatsApp Web:

  • When searching for “WhatsApp Web” or any other website, avoid sponsored links and double check before clicking on a link for any spelling errors which could indicate it is a typosquatted (phishing) domain.
  • When visiting the website, while the website may appear similar to the legitimate domain, look out for the slight differences.

For example, if we compare the legitimate WhatsApp Web domain (web.whatsapp.com) with the malicious domain (waacad[.]cyou), we notice four (4) differentiators:

  1. If you were to check the URL of the phishing page, you would immediately notice it is suspicious and unlikely to be the actual WhatsApp login page.
  2. On the legitimate webpage, the WhatsApp logo and name exists, which is not observed on the malicious page.
  3. The instruction wordings differ.
  4. The legitimate webpage has a ‘Tutorial’ section with advice on ‘how to get started’. It should be noted that whilst this phishing domain does not display this section, other more convincing phishing sites could include this section to further deceive you into trusting their phishing site is legitimate.

How to check and respond if you suspect your WhatsApp account has been compromised:

1. Check and log out any unauthorised devices:

  • In WhatsApp, check if any unauthorised devices are logged in (Settings > Linked Devices).
  • For any suspicious or unknown logins, tap the device to log out. This will remove their access to your account.

2. Perform additional checks to identify any potential activities performed by the malicious actor during their access to your account:

  • Check archived messages to see if any conversations were archived by the malicious actor.
  • Check if any messages have been sent or deleted in the chat without your knowledge.
  • Check if any voice recordings or files were shared to your contacts.

3. Inform any of your contacts if they have been contacted by the malicious actor.

Whether your contact unknowingly sent money or not, it is important to notify them that they were communicating with the malicious actor and not you so they can remain aware and exercise caution when receiving unusual or suspicious messages from you or other contacts.

General Best Practices

Visiting websites:

  • Check links before clicking to validate their legitimacy (e.g. spelling errors) and always remain wary of the legitimacy of webpages and their branding.
  • If in doubt, navigate to the official website directly rather than following a shortened or unfamiliar link.
  • If you accidentally visit a phishing site,
    • Do not click on any links and double check your device to see if any files were downloaded.
    • If any files were downloaded, do not open them. Delete the files immediately and empty your recycle bin.
  • If you believe you may have fallen victim to a phishing attack,
    • Monitor your email’s “sent” folder to identify any unauthorised emails that have been issued from your account. If any, alert the receiver as well as your wider contact list that you may have fallen victim to a phishing attack, so they can be on alert that incoming messages from your account may not be legitimate.
    • Perform a password reset, enable multi-factor authentication (MFA), and report the suspected phishing activity immediately to your credit card issuers (and organisation if accessed the site through your work device) to monitor and restrict potentially suspicious activity.

Communication platforms:

  • If you have received a suspicious or unusual message from your contact requesting funds or sensitive information, exercise caution to determine if the request is legitimate. Potential signs that your contact has been compromised could include:
    • Unusual nature of the request – e.g. your contact asking you to urgently send money
    • Deviating from their normal typing or speaking pattern – if their message does not sound like them – it might not be them!
    • Oftentimes, malicious actors use artificial intelligence (“AI”) to generate messages, which may sound robotic or unnatural. For voice messages, malicious actors may alter the AI-generated audio (e.g. speeding it up or adding background noise) to make the voice message seem less robotic.
    • Do not disclose sensitive information via WhatsApp or other communication channels. Whilst these channels may be encrypted, we continue to observe malicious actors attempting to perform account takeovers, granting them with full access to compromised users’ accounts.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques from the campaign:

  • T1583.001 – Acquire Infrastructure: Domains
  • T1583.008 – Acquire Infrastructure: Malvertising
  • T1586 – Compromise Accounts
  • T1608.006 – Stage Capabilities: SEO Poisoning
  • T1566 – Phishing
  • T1189 – Drive-by Compromise

Indicators of Compromise (IoCs)

We include the observed IoCs:

IOC                        Type
clooe[.]cyou               WhatsApp phishing site
kkgee[.]icu                WhatsApp phishing site
waacad[.]cyou              WhatsApp phishing site
www[.]waacad[.]cyou        WhatsApp phishing site
clooeapp[.]cyou            WhatsApp phishing site
kkgegroup[.]icu            WhatsApp phishing site
bbhes[.]cyou               WhatsApp phishing site
gooe8[.]cyou               WhatsApp phishing site
xxeez[.]icu                WhatsApp phishing site
gooer[.]icu                WhatsApp phishing site
waacad[.]icu               WhatsApp phishing site
weeae[.]icu                WhatsApp phishing site
weeaet[.]cyou              WhatsApp phishing site
wyyadinc[.]icu             WhatsApp phishing site
bbyaysc[.]cyou             WhatsApp phishing site
5565m[.]vip                Potential Sands phishing site – not flagged malicious
5565k[.]vip                Potential Sands phishing site – not flagged malicious
5565v[.]vip                Potential Sands phishing site – not flagged malicious
5565f[.]vip                Potential Sands phishing site – not flagged malicious
5565t[.]vip                Potential Sands phishing site – not flagged malicious
5565z[.]vip                Potential Sands phishing site – not flagged malicious
5565c[.]vip                Potential Sands phishing site – not flagged malicious
5565r[.]vip                Potential Sands phishing site – not flagged malicious
5565i[.]vip                Potential Sands phishing site – not flagged malicious
5565a[.]vip                Potential Sands phishing site – not flagged malicious
5565p[.]vip                Potential Sands phishing site – not flagged malicious
5565w[.]vip                Potential Sands phishing site – not flagged malicious
5565g[.]vip                Potential Sands phishing site – not flagged malicious
5565u[.]vip                Potential Sands phishing site – not flagged malicious
5565e[.]vip                Potential Sands phishing site – not flagged malicious
5565l[.]vip                Potential Sands phishing site – not flagged malicious
5565d[.]vip                Potential Sands phishing site – not flagged malicious
5565s[.]vip                Potential Sands phishing site – not flagged malicious
5565j[.]vip                Potential Sands phishing site – not flagged malicious
5565q[.]vip                Potential Sands phishing site – not flagged malicious
5565x[.]vip                Potential Sands phishing site – not flagged malicious
5565h[.]vip                Potential Sands phishing site – not flagged malicious
5565o[.]vip                Potential Sands phishing site – not flagged malicious
ws6.whmejj[.]com           WhatsApp phishing site
dxweb.whasatcp[.]life      WhatsApp phishing site
uaa.whxmcwd[.]top          WhatsApp phishing site
103.71.152[.]102           IP address
