
By the end of 2025, this so‑called “super cluster” will have grown to nearly 5,000 malware delivery domains, up from 2,800 reported in July.
Analysts said the operation shows an unusual mix of scale, adaptability, and operational persistence rarely seen in long-running campaigns.
Between May and November 2025 alone, 1,900 new domains were created. Earlier, the infrastructure relied almost entirely on Alibaba Cloud Hong Kong via a single registrar, WebNIC.
Recently, however, attackers diversified to eight registrars across five countries, including domestic Chinese firms such as 四川域趣网络科技有限公司.
This shift coincides with a sharp increase in fragmented domain clusters, randomized naming patterns, and shorter domain lifespans, all signs of improving operational security.
The domains primarily spoof legitimate software download pages, tricking users into installing trojans or credential stealers disguised as apps like WhatsApp, Signal, Chrome, and WPS Office.
Newly observed targets include VPN tools such as Kuailian and productivity suites from Google and Youdao. Over 70 percent of the sites used .cn or .com.cn top-level domains, indicating a clear China‑focused infrastructure.
Binary analysis of recovered samples revealed 47 unique malicious executables, often compressed with packers such as VMProtect or UPX to evade detection.
Some delivered files reached 100–250 MB, making them difficult for victims to analyze using free scanning services.
Despite evolving technical defenses, researchers identified recurring weaknesses, including shared SOA email addresses and tracking IDs, that helped link distinct clusters.
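The pivoting described above can be reproduced with a small union-find over shared SOA contact addresses and page tracking IDs. This is an added illustration, not DomainTools' code; the records, domains, e-mail addresses and IDs are constructed placeholders, and the optional `ignore_rnames` set is an assumption for suppressing registrar-default SOA contacts that would otherwise glue unrelated domains together.

```python
"""Cluster suspected malware-delivery domains by shared infrastructure pivots.

Added example, not code from the article or from DomainTools. Two domains
are linked when they share an SOA RNAME (zone admin e-mail) or a web
analytics tracking ID; transitive links form one cluster.
"""
from collections import defaultdict

# Constructed sample records (placeholders, not real indicators).
RECORDS = [
    {"domain": "whatsapp-dl.example.cn", "soa_rname": "dns-admin.example.net", "tracking_ids": ["UA-11111-1"]},
    {"domain": "signal-setup.example.cn", "soa_rname": "dns-admin.example.net", "tracking_ids": []},
    {"domain": "chrome-cn.example.com.cn", "soa_rname": "hostmaster.example.org", "tracking_ids": ["UA-11111-1"]},
    {"domain": "wps-office.example.cn", "soa_rname": "hostmaster.example.org", "tracking_ids": ["UA-22222-2"]},
    {"domain": "kuailian-vpn.example.cn", "soa_rname": "ops.example.com", "tracking_ids": ["UA-33333-3"]},
]


def cluster_by_pivots(records, ignore_rnames=frozenset()):
    """Return clusters (sorted lists of domains) linked by shared pivots.

    ignore_rnames: assumed helper set of SOA contacts too generic to be a
    pivot (e.g. a registrar default shared by thousands of benign zones).
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for rec in records:
        domain = rec["domain"]
        find(domain)  # register even if it has no usable pivot
        pivots = [("tid", t) for t in rec["tracking_ids"]]
        if rec["soa_rname"] not in ignore_rnames:
            pivots.append(("soa", rec["soa_rname"]))
        for pivot in pivots:
            union(domain, pivot)  # pivot nodes tie domains together

    groups = defaultdict(list)
    for rec in records:
        groups[find(rec["domain"])].append(rec["domain"])
    return sorted(sorted(g) for g in groups.values())
```

Running `cluster_by_pivots(RECORDS)` merges four of the five sample domains through two SOA contacts and one tracking ID; passing a noisy contact via `ignore_rnames` shows how one generic pivot can inflate a cluster.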
How AI Changed the Game
To address the scale of this campaign, DomainTools tested a new agentic AI framework to automate malware site analysis.
The system used an “orchestrator” layer and specialized sub‑agents, such as ScannerAgent, CodeAnalyzerAgent, and BinaryAnalyzerAgent, to coordinate workflows and automatically generate YARA detection rules.

This experiment increased analysis throughput by a factor of 10. While a human analyst could manually assess about 200 to 400 sites in a typical period, the AI system processed over 1,900 malware-delivery websites with consistent accuracy and efficiency.
On average, each analysis took 1–10 minutes per domain, depending on the website’s complexity and the size of the malware.
Although the AI agents required considerable computing power, the approach marked a turning point in cyber defense, showing that intelligent automation can finally match the speed and scale of modern threat-actor operations.
DomainTools researchers call it a glimpse of the AI‑driven future of cybersecurity, where analysts and automation work hand‑in‑hand to counter sprawling digital campaigns.
The post Inside the Rise of a 5,000-Domain Chinese Malware Empire and the AI Tech That Finally Caught Up appeared first on Cyber Security News.
