AI-Powered Analysis Exposes Massive 5,000-Domain Chinese Malware Operation

DomainTools Investigations has uncovered critical findings regarding the expansion of a massive malware-delivery network targeting Chinese-speaking users worldwide, which has been active since June 2023 and has grown to approximately 5,000 domains.

Between May and November 2025, researchers identified over 1,900 new domains, highlighting the cluster’s rapid growth and evolution. This investigation also marks a significant milestone in defensive cybersecurity, as it demonstrates the effectiveness of agentic AI systems in improving analysis speed by 10 times compared to traditional manual workflows.

The threat actor behind this “super cluster” has demonstrated remarkable persistence and adaptability, shifting from consolidated infrastructure hosted primarily on Alibaba Cloud Hong Kong to a more fragmented approach. Since August 2025, the operators have moved away from centralized hosting, leveraging domestic Chinese registrars and randomized domain naming patterns to improve operational security and evade detection.

Despite these efforts, the actor continues to exhibit specific operational weaknesses, allowing researchers to link distinct campaigns. Recurring patterns in Service Oriented Architecture (SOA) emails, tracking IDs used for SEO manipulation, and unique registrant names have enabled analysts to connect the 1,900 newly observed domains to the broader cluster.

The infrastructure now spans five countries and utilizes eight unique registrars, a significant increase in complexity compared to the three registrars observed in early 2025. This evolution highlights the need for advanced threat hunting capabilities to keep pace with the rapidly changing threat landscape.

Agentic AI Revolutionizes Threat Hunting

To tackle the sheer volume of malicious infrastructure, researchers deployed an experimental “agentic AI” system, which utilizes a two-layer architecture comprising an orchestration agent and specialized sub-agents for tasks like code analysis and binary retrieval. The results were transformative, with the AI system processing over 1,900 malware delivery websites in the time traditionally required for just 200 to 400 manual investigations.

In a bulk processing test, three AI agents analyzed 2,000 domains in approximately 10 hours, averaging 1 to 10 minutes per domain depending on complexity. This workflow allowed for deep analysis of sites heavily laden with anti-automation JavaScript and bot-detection mechanisms, tasks that typically stall conventional scanners.

Binary Analysis Overview.
Binary Analysis Overview.

Unlike traditional automated tools that follow rigid scripts, the agentic system demonstrates adaptive intelligence in analyzing threats. The AI agents successfully identified malicious code, retrieved payloads, and even generated YARA rules autonomously, fundamentally changing the economics of defense against large-scale campaigns.

Agent Orchestration Flow.
Agent Orchestration Flow.

Targeted Spoofing Campaigns

The cluster remains focused on Chinese-speaking demographics, utilizing sophisticated spoofing of popular software to deliver trojans and credential stealers. Analysis of the 2,393 most recent domains highlights a heavy emphasis on communication tools and VPN services, likely capitalizing on users attempting to bypass internet restrictions.

The malware is frequently delivered via large files (100–250MB) to bypass standard antivirus scanning limits. The top spoofed application categories between May and November 2025 include communication tools, VPN services, productivity software, web browsers, and crypto & finance applications.

Category Domain Count Share Key Spoofed Brands
Communication Tools 391 24.2% WhatsApp, WhatsApp Web
VPN Services 363 22.4% LetsVPN (Kuailian), Kuailian Variants
Productivity 229 14.2% Google Services, Youdao, WPS Office
Web Browsers 109 6.7% Google Chrome
Crypto & Finance 105 6.5% ImToken, AICoin

The persistence of this cluster, combined with its shift toward domestic infrastructure and complex evasion techniques, suggests it is evolving into a service platform where operators may be allowing affiliates to bring their own malware. However, the successful deployment of agentic AI proves that defenders can now match this scale, turning the tide against high-volume threat operations.

Related Articles

Back to top button