Campaign Distributing Chinese Language Trojanized Installers

    Date: 03/20/2025

    Severity: High

    Summary

    A campaign active in February and March 2025, documented by Palo Alto Networks Unit 42 (see Reference below), registered over 2,000 malicious domains to distribute trojanized installers posing as Chinese-language software, including the DeepSeek AI Assistant, i4Tools, and Youdao Dictionary. The installers look legitimate but infect Windows hosts with malware, potentially Ghost RAT (gh0st RAT). The campaign primarily targets users in the United States and China; the professional and legal services industries are the most affected.

    Indicators of Compromise (IOC) List

    URL/Domain

    deep-seek.bar

    deep-seek.bond

    deep-seek.cfd

    deep-seek.qpon

    deep-seek.rest

    i4toolsearch.vip

    i4toolssddsl.top

    i4toolssddzp.top

    i4toolssddzq.top

    i4toolssddzr.top

    i4toolssddzt.top

    i4toolssddzu.top

    i4toolssddzw.top

    i4toolssddzy.top

    i4toolssffna.top

    i4toolssffnd.top

    i4toolssffnf.top

    i4toolssffng.top

    i4toolssffnh.top

    i4toolssffnj.top

    i4toolssffnl.top

    youdaohhnf.top

    youdaohhsh.top

    youdaohhvw.top

    youdaohhvy.top

    youdaohhxf.top

    youdaohhzi.top

    youdaohhzy.top

    xiaobaituziha.com

    https://xiazailianjieoss.com/baidu/deepseek_release_X64.zip

    https://xiazailianjieoss.com/i4Tools8_v8.33_Setup_x64.zip

    https://xiazailianjieoss.com/YoudaoDictSetup.zip

    https://i4toolssddzp.top/i4Tools8_v8.33_Setup_x64.zip

    https://i4toolssddzq.top/i4Tools8_v8.33_Setup_x64.zip

    https://i4toolssddzr.top/i4Tools8_v8.33_Setup_x64.zip

    https://i4toolssddzt.top/i4Tools8_v8.33_Setup_x64.zip

    https://i4toolssddzu.top/i4Tools8_v8.33_Setup_x64.zip

    https://i4toolssddzw.top/i4Tools8_v8.33_Setup_x64.zip

    https://i4toolssddzy.top/i4Tools8_v8.33_Setup_x64.zip

    https://i4toolssffna.top/i4Tools8_v8.33_Setup_x64.zip

    https://i4toolssffnd.top/i4Tools8_v8.33_Setup_x64.zip

    https://i4toolssffnf.top/i4Tools8_v8.33_Setup_x64.zip

    https://i4toolssffng.top/i4Tools8_v8.33_Setup_x64.zip

    https://i4toolssffnh.top/i4Tools8_v8.33_Setup_x64.zip

    https://i4toolssffnj.top/i4Tools8_v8.33_Setup_x64.zip

    https://i4toolssffnl.top/i4Tools8_v8.33_Setup_x64.zip

    https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741001373486/7.txt

    https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741012778019/3.txt

    https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741071075846/3.txt

    https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741277757095/3.txt

    https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741437627318/3.txt

    https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741507677489/4.txt

    https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741598298161/3.txt

    https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741766977268/4.txt

    https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741854013752/4.txt

    https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1742300995084/3.txt

    IP Address 

    154.82.84.227

    156.251.25.43

    156.251.25.112

    103.181.134.138

    SHA-256 Hash

    61bb32673e33c7aa1a0825e18629880b4d870fdeb4666d8b0ca954866d110a07

    c37d0c9c9da830e6173b71a3bcc5203fbb66241ccd7d704b3a1d809cadd551b2

    7a4d5219956854db9581c98d9cee7d6ebe61c5498988ec2655cd80f3548f7bed

    af1a08578a5ebb02835cf10a9a45393349bcaa2caa6eb9e823e7fc08db37da66

    23a96252ba2a3cff76158fa598f4de904780f24fbbd426f36258077628e8cfc2

    d9efd833d31365c25bc10bb2a34845add5ff89bd660da1d9405dea82d035a308

    33414abc9d5d4767a2612f85fe3b0555f3cbef646163ef3d1d9ddb753df5efbf

    1a13dc5488612aff33c3ad378d6b06b76551a2c6defb30b132547a633df03076

    d44603abdcd6a4eb3283d5d4be88b93cc359d6f0efaccfd546c10e3349ccb4ed

    e5d6f7138fcccd1a579d681ef354c4660deab3c216f3db1a330a8212d99fbea1

    0076f6ea4346af5ae43db08205664092029e06bb353e3406ee649e98723182eb

    1395627eca4ca8229c3e7da0a48a36d130ce6b016bb6da750b3d992888b20ab8

    299e6791e4eb85617c4fab7f27ac53fb70cd038671f011007831b558c318b369

    45c62ebe5cd2441ca25a86ddc7023bc938c8d47f12ea626d5245875bf0a13c02

    77c12dcdacd58f1f0cbf032fcf52b18aa06cd30c8a763a4dd3b2216f9c78e9a4

    c333e4ed8e0d5c3b1f26fa12f51a1dc66db4cca344a646061e2c95f305560aa9

    2232612b09b636698afcdb995b822adf21c34fb8979dd63f8d01f0d038acb454

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "deep-seek.bar" or url like "deep-seek.bar" or userdomainname like "deep-seek.bond" or url like "deep-seek.bond" or userdomainname like "deep-seek.cfd" or url like "deep-seek.cfd" or userdomainname like "deep-seek.qpon" or url like "deep-seek.qpon" or userdomainname like "deep-seek.rest" or url like "deep-seek.rest" or
    userdomainname like "i4toolsearch.vip" or url like "i4toolsearch.vip" or userdomainname like "i4toolssddsl.top" or url like "i4toolssddsl.top" or userdomainname like "i4toolssddzp.top" or url like "i4toolssddzp.top" or userdomainname like "i4toolssddzq.top" or url like "i4toolssddzq.top" or userdomainname like "i4toolssddzr.top" or url like "i4toolssddzr.top" or userdomainname like "i4toolssddzt.top" or url like "i4toolssddzt.top" or userdomainname like "i4toolssddzu.top" or url like "i4toolssddzu.top" or userdomainname like "i4toolssddzw.top" or url like "i4toolssddzw.top" or userdomainname like "i4toolssddzy.top" or url like "i4toolssddzy.top" or
    userdomainname like "i4toolssffna.top" or url like "i4toolssffna.top" or userdomainname like "i4toolssffnd.top" or url like "i4toolssffnd.top" or userdomainname like "i4toolssffnf.top" or url like "i4toolssffnf.top" or userdomainname like "i4toolssffng.top" or url like "i4toolssffng.top" or userdomainname like "i4toolssffnh.top" or url like "i4toolssffnh.top" or userdomainname like "i4toolssffnj.top" or url like "i4toolssffnj.top" or userdomainname like "i4toolssffnl.top" or url like "i4toolssffnl.top" or
    userdomainname like "youdaohhnf.top" or url like "youdaohhnf.top" or userdomainname like "youdaohhsh.top" or url like "youdaohhsh.top" or userdomainname like "youdaohhvw.top" or url like "youdaohhvw.top" or userdomainname like "youdaohhvy.top" or url like "youdaohhvy.top" or userdomainname like "youdaohhxf.top" or url like "youdaohhxf.top" or userdomainname like "youdaohhzi.top" or url like "youdaohhzi.top" or userdomainname like "youdaohhzy.top" or url like "youdaohhzy.top" or
    userdomainname like "xiaobaituziha.com" or url like "xiaobaituziha.com" or
    userdomainname like "https://xiazailianjieoss.com/baidu/deepseek_release_X64.zip" or url like "https://xiazailianjieoss.com/baidu/deepseek_release_X64.zip" or userdomainname like "https://xiazailianjieoss.com/i4Tools8_v8.33_Setup_x64.zip" or url like "https://xiazailianjieoss.com/i4Tools8_v8.33_Setup_x64.zip" or userdomainname like "https://xiazailianjieoss.com/YoudaoDictSetup.zip" or url like "https://xiazailianjieoss.com/YoudaoDictSetup.zip" or
    userdomainname like "https://i4toolssddzp.top/i4Tools8_v8.33_Setup_x64.zip" or url like "https://i4toolssddzp.top/i4Tools8_v8.33_Setup_x64.zip" or userdomainname like "https://i4toolssddzq.top/i4Tools8_v8.33_Setup_x64.zip" or url like "https://i4toolssddzq.top/i4Tools8_v8.33_Setup_x64.zip" or userdomainname like "https://i4toolssddzr.top/i4Tools8_v8.33_Setup_x64.zip" or url like "https://i4toolssddzr.top/i4Tools8_v8.33_Setup_x64.zip" or userdomainname like "https://i4toolssddzt.top/i4Tools8_v8.33_Setup_x64.zip" or url like "https://i4toolssddzt.top/i4Tools8_v8.33_Setup_x64.zip" or userdomainname like "https://i4toolssddzu.top/i4Tools8_v8.33_Setup_x64.zip" or url like "https://i4toolssddzu.top/i4Tools8_v8.33_Setup_x64.zip" or userdomainname like "https://i4toolssddzw.top/i4Tools8_v8.33_Setup_x64.zip" or url like "https://i4toolssddzw.top/i4Tools8_v8.33_Setup_x64.zip" or userdomainname like "https://i4toolssddzy.top/i4Tools8_v8.33_Setup_x64.zip" or url like "https://i4toolssddzy.top/i4Tools8_v8.33_Setup_x64.zip" or
    userdomainname like "https://i4toolssffna.top/i4Tools8_v8.33_Setup_x64.zip" or url like "https://i4toolssffna.top/i4Tools8_v8.33_Setup_x64.zip" or userdomainname like "https://i4toolssffnd.top/i4Tools8_v8.33_Setup_x64.zip" or url like "https://i4toolssffnd.top/i4Tools8_v8.33_Setup_x64.zip" or userdomainname like "https://i4toolssffnf.top/i4Tools8_v8.33_Setup_x64.zip" or url like "https://i4toolssffnf.top/i4Tools8_v8.33_Setup_x64.zip" or userdomainname like "https://i4toolssffng.top/i4Tools8_v8.33_Setup_x64.zip" or url like "https://i4toolssffng.top/i4Tools8_v8.33_Setup_x64.zip" or userdomainname like "https://i4toolssffnh.top/i4Tools8_v8.33_Setup_x64.zip" or url like "https://i4toolssffnh.top/i4Tools8_v8.33_Setup_x64.zip" or userdomainname like "https://i4toolssffnj.top/i4Tools8_v8.33_Setup_x64.zip" or url like "https://i4toolssffnj.top/i4Tools8_v8.33_Setup_x64.zip" or userdomainname like "https://i4toolssffnl.top/i4Tools8_v8.33_Setup_x64.zip" or url like "https://i4toolssffnl.top/i4Tools8_v8.33_Setup_x64.zip" or
    userdomainname like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741001373486/7.txt" or url like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741001373486/7.txt" or userdomainname like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741012778019/3.txt" or url like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741012778019/3.txt" or userdomainname like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741071075846/3.txt" or url like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741071075846/3.txt" or userdomainname like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741277757095/3.txt" or url like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741277757095/3.txt" or userdomainname like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741437627318/3.txt" or url like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741437627318/3.txt" or
    userdomainname like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741507677489/4.txt" or url like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741507677489/4.txt" or userdomainname like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741598298161/3.txt" or url like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741598298161/3.txt" or userdomainname like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741766977268/4.txt" or url like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741766977268/4.txt" or userdomainname like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741854013752/4.txt" or url like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741854013752/4.txt" or userdomainname like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1742300995084/3.txt" or url like "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1742300995084/3.txt"

    Detection Query 2

    dstipaddress IN ("154.82.84.227","156.251.25.112","156.251.25.43","103.181.134.138") or ipaddress IN ("154.82.84.227","156.251.25.112","156.251.25.43","103.181.134.138") or publicipaddress IN ("154.82.84.227","156.251.25.112","156.251.25.43","103.181.134.138") or srcipaddress IN ("154.82.84.227","156.251.25.112","156.251.25.43","103.181.134.138")

    Detection Query 3

    sha256hash IN ("61bb32673e33c7aa1a0825e18629880b4d870fdeb4666d8b0ca954866d110a07","299e6791e4eb85617c4fab7f27ac53fb70cd038671f011007831b558c318b369","2232612b09b636698afcdb995b822adf21c34fb8979dd63f8d01f0d038acb454","c37d0c9c9da830e6173b71a3bcc5203fbb66241ccd7d704b3a1d809cadd551b2","0076f6ea4346af5ae43db08205664092029e06bb353e3406ee649e98723182eb","33414abc9d5d4767a2612f85fe3b0555f3cbef646163ef3d1d9ddb753df5efbf","1a13dc5488612aff33c3ad378d6b06b76551a2c6defb30b132547a633df03076","23a96252ba2a3cff76158fa598f4de904780f24fbbd426f36258077628e8cfc2","1395627eca4ca8229c3e7da0a48a36d130ce6b016bb6da750b3d992888b20ab8","c333e4ed8e0d5c3b1f26fa12f51a1dc66db4cca344a646061e2c95f305560aa9","d9efd833d31365c25bc10bb2a34845add5ff89bd660da1d9405dea82d035a308","7a4d5219956854db9581c98d9cee7d6ebe61c5498988ec2655cd80f3548f7bed","af1a08578a5ebb02835cf10a9a45393349bcaa2caa6eb9e823e7fc08db37da66","d44603abdcd6a4eb3283d5d4be88b93cc359d6f0efaccfd546c10e3349ccb4ed","e5d6f7138fcccd1a579d681ef354c4660deab3c216f3db1a330a8212d99fbea1","45c62ebe5cd2441ca25a86ddc7023bc938c8d47f12ea626d5245875bf0a13c02","77c12dcdacd58f1f0cbf032fcf52b18aa06cd30c8a763a4dd3b2216f9c78e9a4")
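    The three queries above match the IOCs field by field. As an added worked example (not part of the original advisory, and not Gurucul's or Unit 42's code), the Python script below runs the same four IOC classes over a handful of constructed log events so the matching semantics can be checked offline. It matches domains by right-anchored suffix on the parsed hostname, so www.deep-seek.bar fires but deep-seek.bar.example.com does not; it matches the hosts the list gives only as full URLs (xiazailianjieoss.com and fs-im-kefu.7moor-fs1.com) on the exact URL with query string stripped, on the assumption that those hosts also carry unrelated traffic; it compares hashes case-insensitively; and it shows how to hash a downloaded installer against the SHA-256 list before it is opened. The field names follow the TDIR queries; the IOC subset is taken from the list above; the log lines are invented for the example.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Subset of the advisory's IOCs; the full lists are above.
IOC_DOMAINS = {
    "deep-seek.bar", "deep-seek.bond", "deep-seek.cfd", "deep-seek.qpon", "deep-seek.rest",
    "i4toolsearch.vip", "i4toolssddzp.top", "i4toolssffng.top", "youdaohhxf.top",
    "youdaohhzy.top", "xiaobaituziha.com",
}
# Hosts the list gives only as full URLs: match the exact URL, not the bare host
# (assumption: these hosts also carry traffic unrelated to the campaign).
IOC_URLS = {
    "https://xiazailianjieoss.com/baidu/deepseek_release_X64.zip",
    "https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741277757095/3.txt",
}
IOC_IPS = {"154.82.84.227", "156.251.25.43", "156.251.25.112", "103.181.134.138"}
IOC_SHA256 = {
    "61bb32673e33c7aa1a0825e18629880b4d870fdeb4666d8b0ca954866d110a07",
    "2232612b09b636698afcdb995b822adf21c34fb8979dd63f8d01f0d038acb454",
}
# Field names follow the TDIR queries on this page.
URL_FIELDS = ("url", "userdomainname", "referer")
IP_FIELDS = ("srcipaddress", "dstipaddress", "ipaddress", "publicipaddress")

def host_of(value):
    """Lowercase hostname of a URL or bare domain; None if it does not parse."""
    try:
        host = urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def domain_hit(host):
    """IOC domain that host equals or is a subdomain of, else None. Right-anchored on
    label boundaries: www.deep-seek.bar fires, deep-seek.bar.example.com does not."""
    labels = host.split(".") if host else []
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None

def canonical_url(value):
    """Strip query string and fragment so '?dl=1' cannot evade the exact-URL IOCs."""
    try:
        return urlsplit(value)._replace(query="", fragment="").geturl()
    except ValueError:
        return value

def check_event(event):
    """Return [(ioc_type, ioc, field), ...] for one parsed log event."""
    hits = []
    for field in URL_FIELDS:
        value = event.get(field)
        if not value:
            continue
        url = canonical_url(value)
        if url in IOC_URLS:
            hits.append(("url", url, field))
        matched = domain_hit(host_of(value))
        if matched:
            hits.append(("domain", matched, field))
    for field in IP_FIELDS:
        value = event.get(field)
        if value in IOC_IPS:
            hits.append(("ip", value, field))
    digest = (event.get("sha256hash") or "").lower()  # hashes compare case-insensitively
    if digest in IOC_SHA256:
        hits.append(("sha256", digest, "sha256hash"))
    return hits

def sweep(log_text):
    """Run check_event over newline-delimited JSON; return [(line_no, hits)] for lines that fire."""
    results = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed or empty line: skip it rather than abort the sweep
        hits = check_event(event)
        if hits:
            results.append((line_no, hits))
    return results

def sha256_of_file(path, chunk=1 << 20):
    """Hex SHA-256 of a file, for checking a downloaded installer against IOC_SHA256 before running it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

# Constructed sample events (not real telemetry). Expected: lines 1, 2 and 4 fire.
SAMPLE_LOG = """\
{"ts":"2025-03-18T09:12:01Z","host":"WS-0421","url":"https://i4toolssddzp.top/i4Tools8_v8.33_Setup_x64.zip","dstipaddress":"156.251.25.43"}
{"ts":"2025-03-18T09:12:07Z","host":"WS-0421","url":"https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741277757095/3.txt?dl=1"}
{"ts":"2025-03-18T09:12:09Z","host":"WS-0102","url":"https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741277757095/9.txt"}
{"ts":"2025-03-18T09:13:44Z","host":"WS-0421","filename":"deepseek_release_X64.zip","sha256hash":"61BB32673E33C7AA1A0825E18629880B4D870FDEB4666D8B0CA954866D110A07"}
{"ts":"2025-03-18T09:14:00Z","host":"WS-0390","url":"https://www.deepseek.com/","dstipaddress":"203.0.113.10"}
"""

if __name__ == "__main__":
    for line_no, hits in sweep(SAMPLE_LOG):
        print(f"line {line_no}: {hits}")
```

    The third sample line is the point of the exact-URL rule: it is on the same fs-im-kefu.7moor-fs1.com host and under the same path prefix as a listed IOC but is a different file, so it does not fire, whereas a substring match on the host would have raised an alert for every file served from that host.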

    Reference:  

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-03-19-IOCs-for-Chinese-Language-trojanized-installers.txt


    Tags

    Malware, Ghost RAT, Trojan, DeepSeek, China, United States
