Hackers Leverage 607 Malicious Domains to Spread APK Malware with Remote Command Execution
PreCrime Labs at BforeAI discovered a complex cyber threat operation in which hackers have used a vast network of 607 rogue domains to spread fake Telegram Messenger application files (APKs) over the course of the last month.
These domains, primarily registered via the Gname registrar and hosting content in Chinese, form part of a large-scale phishing and malware campaign aimed at deceiving users into installing harmful software.

The operation leverages QR codes on these sites that redirect victims to a central domain, zifeiji[.]asia, which mimics official Telegram attributes including favicons, themes, and direct APK downloads.
This centralized redirection ensures efficient delivery of the malware, with APKs sized at approximately 60MB and 70MB, bearing MD5 hashes acff2bf000f2a53f7f02def2f105c196 and efddc2dddc849517a06b89095b344647, and SHA-1 hashes 9650ae4f4cb81602700bafe81d96e8951aeb6aa5 and 6f643666728ee9bc1c48b497f84f5c4d252fe1bc.
The phishing pages adopt a blog-like appearance, featuring Chinese-language titles such as “Paper Plane Official Website Entrance ...
Copyright of this story solely belongs to gbhackers.