Summary: A report from Threat Hunting Platform – Hunt.io highlights an ongoing phishing campaign by the GreenSpot APT, targeting users of the popular Chinese email service 163.com. The campaign features fraudulent domains designed to mimic legitimate 163.com services to steal users’ login credentials and deploy further malicious activity. Researchers uncovered sophisticated tactics, including custom server responses and deceptive download prompts aimed at tricking users into revealing sensitive information.

Affected: GreenSpot APT, users of 163.com email service

Keypoints :

• GreenSpot APT has been active since 2007, primarily targeting Chinese governmental and military entities.
• The phishing campaign uses fraudulent domains, like mail[.]eco163[.]com, that closely mimic the legitimate 163.com site.
• Attackers employ scripted redirection and deceptive download prompts to capture login credentials from unsuspecting victims.
• Phishing sites display countdown timers and prompt users to enter their credentials multiple times to increase deception.
• Stolen credentials could allow attackers to exfiltrate sensitive data and facilitate further phishing attacks.