Massive WhatsApp Phishing Campaign Detected Involving 42,000 Malicious Domains

A massive phishing campaign is being conducted via WhatsApp that alerts recipients that they have won a prize and must visit a website via the provided link to claim it. The campaign was identified by security researchers at Cyjax, who attribute it to a Chinese threat group they track as Fangxiao. The attribution followed the researchers' successful deanonymization of some of the domains used in the campaign, which involved bypassing the Cloudflare protections the group had placed in front of its infrastructure. The researchers found that an IP address that had hosted a Fangxiao-controlled site since 2020 was serving a site written in Mandarin, and an analysis of the TLS certificates used in the campaign supported the view that the threat actor is based in China. The campaign itself appears to be conducted outside China, since the phishing messages are sent via WhatsApp, which is banned in China.

The threat actors are believed to be a financially motivated cybercriminal group rather than a state-sponsored one. Since 2019 the group has amassed more than 42,000 unique domains, which has allowed it to scale up its campaigns. Domains are used briefly and then rapidly dropped: the researchers note that on one day in October the campaign used more than 300 new, unique domains.

The latest campaign uses a ‘You’ve won a prize’ lure, but the group is known to use a variety of other tried-and-tested lures in its campaigns, such as COVID-19-themed messages that exploit anxiety about the pandemic. The messages are sent via WhatsApp, with links directing recipients to a landing page that mimics the legitimate site of a well-known brand, complete with logos and corporate color schemes. The brands impersonated vary: Coca-Cola, Unilever, Emirates, Knorr, and McDonald’s are known to have been impersonated to date, along with country-specific brands such as Shopee (Singapore) and Indomie (Indonesia).

Users are directed through a series of advertising sites, from which the group earns money, before arriving at the final destination URL, where they are told about the prize they have won. The destination URLs change constantly. After registering on the main survey site, the user is told that they must download an app to claim the prize, which in some cases results in the delivery of Triada malware or other malicious payloads.
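Two traits described above give defenders something concrete to look for: the very high churn of link domains (hundreds of never-before-seen domains in a day) and the use of brand names inside domains that do not belong to those brands. The following script is an added example, not code from the article or from Cyjax, showing how a messaging or web gateway log could be screened for both traits. The log lines, the allow-list of "real" brand domains, the churn threshold, and the lookalike domains are all constructed for illustration; the registrable-domain extraction is a deliberate simplification (a real deployment would use the Public Suffix List).

```python
"""Screen link logs for domain churn and brand-lookalike domains (added example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Brands the article reports as impersonated, used here as lookalike keywords.
IMPERSONATED_BRANDS = (
    "coca-cola", "unilever", "emirates", "knorr", "mcdonalds", "shopee", "indomie",
)

# Hypothetical allow-list of the brands' genuine registrable domains (constructed,
# not verified against the real companies; replace with a vetted list in practice).
LEGITIMATE_DOMAINS = {
    "coca-cola.com", "unilever.com", "emirates.com", "knorr.com",
    "mcdonalds.com", "shopee.sg", "indomie.com",
}

# Alert when a single day introduces at least this many never-seen domains.
# Constructed threshold; the article reports 300+ new domains on one day.
CHURN_THRESHOLD = 5

# Constructed sample log: (ISO day, URL) pairs as a gateway might record them.
SAMPLE_LOG = [
    ("2022-10-03", "https://coca-cola.com/promo"),
    ("2022-10-03", "https://cocacola-prize2022.top/win"),
    ("2022-10-03", "https://knorr-anniversary.xyz/claim"),
    ("2022-10-03", "https://shopee-11-11-gift.site/"),
    ("2022-10-04", "https://cocacola-prize2022.top/win"),
    ("2022-10-04", "https://emirates-freeflight.buzz/q"),
    ("2022-10-04", "https://indomie-rewards.click/"),
    ("2022-10-04", "https://mcdonalds-50years.top/"),
    ("2022-10-04", "https://unilever-bonus.shop/"),
    ("2022-10-04", "https://example.org/news"),
]


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL's host (simplified; no Public Suffix List)."""
    host = (urlsplit(url).hostname or "").lower().strip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def brand_lookalike(domain: str):
    """Return the brand keyword a domain embeds, unless it is the brand's genuine domain."""
    if domain in LEGITIMATE_DOMAINS:
        return None
    compact = domain.replace("-", "")  # "cocacola-prize.top" and "coca-cola" both compare
    for brand in IMPERSONATED_BRANDS:
        if brand.replace("-", "") in compact:
            return brand
    return None


def analyse(log):
    """Compute per-day new/unique domain counts, churn alerts and lookalike findings."""
    seen = set()
    new_per_day = defaultdict(int)
    unique_per_day = defaultdict(set)
    lookalikes = {}  # domain -> (first-seen day, impersonated brand)
    for day, url in sorted(log):  # ISO dates sort chronologically as strings
        dom = registrable_domain(url)
        unique_per_day[day].add(dom)
        if dom not in seen:
            seen.add(dom)
            new_per_day[day] += 1
            brand = brand_lookalike(dom)
            if brand:
                lookalikes[dom] = (day, brand)
    return {
        "new_per_day": dict(new_per_day),
        "unique_per_day": {d: len(s) for d, s in unique_per_day.items()},
        "churn_alerts": [d for d, n in new_per_day.items() if n >= CHURN_THRESHOLD],
        "lookalikes": lookalikes,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for day, n in report["new_per_day"].items():
        flag = "  <-- churn alert" if day in report["churn_alerts"] else ""
        print(f"{day}: {n} new domains, {report['unique_per_day'][day]} unique{flag}")
    for dom, (day, brand) in report["lookalikes"].items():
        print(f"lookalike {dom} (first seen {day}) imitates {brand}")
```

Both signals are cheap to compute from existing logs and complement each other: a brand keyword in a freshly registered, previously unseen domain is a far stronger indicator than either trait alone, and the churn counter gives an early warning even when the lure changes brand.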

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of