A recent report from the threat hunting platform Hunt.io has exposed an ongoing phishing campaign orchestrated by GreenSpot APT, an advanced persistent threat group believed to operate from Taiwan. The group, which has been active since at least 2007, has a history of targeting Chinese government, academic, and military-related entities. In this latest campaign, GreenSpot is targeting users of 163.com, a popular free email service operated by NetEase, one of China’s largest IT companies, with the goal of stealing login credentials.
Hunt.io researchers discovered fraudulent domains registered within hours of each other, designed to mimic legitimate 163.com services. These domains include:
- mail[.]ll63[.]net (using a lowercase “L” to resemble the digit “1”)
- mail[.]eco163[.]com
These malicious domains were traced to infrastructure hosted on the Akamai Connected Cloud network in Singapore. Interestingly, the server hosting these phishing sites returned a non-standard HTTP status code of 588, which is not recognized by IANA but is reportedly used by Alibaba Cloud for “Exceeded_Quota” errors, suggesting the attackers may be using a custom response mechanism or proprietary server configuration.
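The two lookalike patterns above (a brand string embedded in an unrelated domain, and a confusable character swapped in) can be checked for in proxy or mail-gateway hostnames. The following is an added example, not code from Hunt.io or from this article; the brand tokens, the confusable-character map and the naive last-two-labels domain extraction are assumptions made for the illustration.

```python
# Added example: triage hostnames that imitate the NetEase mail brand.
# Legitimate registrable domains come from the services named in the article.
LEGIT = {"163.com", "126.com", "188.com", "yeah.net"}
# Brand tokens to protect (assumption chosen for this example).
BRANDS = ("163", "126", "188")
# Minimal confusable-character map (assumption; extend for your environment).
CONFUSABLE = str.maketrans({"l": "1", "i": "1", "o": "0"})


def registrable(host):
    """Naive eTLD+1 (last two labels); use a public-suffix list in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(host):
    """Return 'legitimate', 'brand-embedded', 'homoglyph' or 'unrelated'."""
    reg = registrable(host.replace("[.]", "."))  # accept defanged input
    if reg in LEGIT:
        return "legitimate"
    label = reg.split(".")[0]
    if any(b in label for b in BRANDS):
        return "brand-embedded"      # brand string inside an unrelated domain
    skeleton = label.translate(CONFUSABLE)
    if any(b in skeleton for b in BRANDS):
        return "homoglyph"           # matches only after confusables are folded
    return "unrelated"


def triage(hosts):
    """Keep only hostnames that imitate a protected brand."""
    verdicts = {h: classify(h) for h in hosts}
    return {h: v for h, v in verdicts.items() if v in ("brand-embedded", "homoglyph")}


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in proxy or mail logs;
    # the two lookalikes are the defanged domains quoted in the article.
    observed = ["vip.163.com", "mail.yeah.net", "mail[.]ll63[.]net",
                "mail[.]eco163[.]com", "www.example.org"]
    for host, verdict in triage(observed).items():
        print(f"{verdict:15} {host}")
```

Substring matching on short numeric brands will also flag unrelated domains that happen to contain the same digits, so the output is a review queue rather than a blocklist.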
One of the domains, mail[.]eco163[.]com, was found hosting a fake login page nearly identical to 163.com’s legitimate login interface. As Hunt.io notes, “The domains are crafted to impersonate the 163.com mail service. While mail[.]ll63[.]net displays a blank web page, mail[.]eco163[.]com presents a login page closely mirroring the legitimate login interface.”
When a user unknowingly enters their credentials on this spoofed page, the JavaScript code on 163nailaiba.php executes a redirection process. If the user’s email domain is detected among a list of NetEase services—including vip[.]163[.]com, vip[.]126[.]com, vip[.]188[.]com, and mail[.]yeah[.]net—they are redirected to a legitimate 163.com login page to avoid suspicion. Otherwise, the attacker can easily modify the script to redirect victims elsewhere, potentially leading to further malicious activity.
Beyond phishing login credentials, GreenSpot APT has also set up malicious download services posing as “large attachment” pages for 163.com users. These sites, likely distributed via phishing emails, use fake document download prompts to lure users into entering their credentials.
Hunt.io researchers uncovered several of these fraudulent download portals, which displayed countdown timers pressuring users to act quickly. Even after the timers expired, the files remained available for download, reinforcing the deception.
As Hunt.io explains, “Potential victims are prompted to enter their 163[.]com username and password to download the file. The first try triggers an error message—likely an attempt to confirm password accuracy. A POST request to login.js is sent on the second attempt, which captures the entered credentials, saving them via a PHP script named ‘saveData.php.’”
Once credentials are stolen, attackers can access victims’ email accounts, exfiltrate sensitive data, and potentially use the compromised accounts for further phishing attacks.

Hunt.io warns, “Although this recent campaign is confined to a specific region, it reminds us that even free email services can be targeted by advanced threat actors.”
Since many free email services rely on users to enable additional security features, organizations and individuals must proactively enhance their account protections.