Backdoored Executables for Signal, Line, and Gmail Target Chinese-Speaking Users

Published on

Feb 18, 2025


Search engines are many users' go-to method for finding and downloading software. Signal, Line, and Gmail are no exception, which makes them attractive lures for attackers looking to distribute malicious files. By manipulating search results, threat actors can push fraudulent sites that pose as legitimate software sources and lead unsuspecting users to download backdoored executables.

In this case, multiple fake download pages deliver backdoored executables for Signal, Line, and Gmail. Unlike typosquatting-style phishing, these domains make no attempt to resemble the official software URLs; they use seemingly unrelated hostnames such as ggyxx.wenxinzhineng[.]top for Gmail and linoo.wenxinzhineng[.]top for Line. The consistency across these sites, and their likely reliance on search engine manipulation, suggests an attempt to cast a wide net rather than to target specific users or organizations.

This blog post analyzes the fake webpages, the malicious files they distribute, and their network behavior. Understanding these tactics can help security teams and individuals recognize similar threats before falling victim.

Download Pages and Domain Characteristics

The observed fake download pages impersonate popular applications but do not attempt to mimic official URLs. Instead, they use seemingly unrelated domains and likely rely on search engine manipulation or other traffic delivery methods to draw in users. Each site delivers a ZIP file containing a Windows executable, and all of the executables exhibit the same execution behavior (see File Analysis below).

All domains are hosted at 47.243.192[.]62, an Alibaba (US) Technology Co., Ltd. server in Hong Kong, indicating centralized infrastructure rather than disparate hosting.

Figure 1: Domain overview for 47.243.192[.]62 in Hunt.

Observed Download Pages

Signal - z1.xiaowu[.]pw

Signal is an end-to-end encrypted messaging application widely used for secure communication. The fake Signal download page at z1.xiaowu[.]pw mimics the official mobile download site, yet clicking the download button retrieves Sriguoe-i4.zip, an archive containing a Windows executable, a clear mismatch between the page's appearance and the delivered file. The attacker likely assumed users would not notice the discrepancy.

Figure 2: Fake page for Signal.

Line - linoo.wenxinzhineng[.]top & linegut[.]com

Line is a widely used messaging platform, particularly popular in Japan, Taiwan, and Southeast Asia. Two domains, linoo.wenxinzhineng[.]top and linegut[.]com, host nearly identical malicious download pages, each displaying a single download button.

  • linoo.wenxinzhineng[.]top delivers Levinech-en.zip

  • linegut[.]com previously hosted suihgkt.zip but now returns a 404 error

Figure 3: Spoofed download page at linegut[.]com.

Gmail - ggyxx.wenxinzhineng[.]top

The fake Gmail page at ggyxx.wenxinzhineng[.]top is designed to look like a minimal login page that prompts the user for a username. Instead of proceeding to a password field, the site immediately displays a Chinese-language prompt stating, "Detected no security controls installed, please install and retry!" Beneath this message, a download button delivers Goongeurut.zip.

Running the executable extracted from the archive installs an application titled "Gmail Notifier Pro," but the user is never actually logged in, which indicates the page serves only as a lure to distribute the executable.

Figure 4: Screenshot of fake Gmail login page.

BitBrowser - zhiwen.wenxinzhineng[.]top

The page presents itself as a typical software download page and delivers a file named Biutengobiru-i4.zip. Interestingly, when attempting to switch to the English-language version of the site, the user is redirected to the legitimate BitBrowser website.

This redirect strengthens our assessment that Chinese-speaking users are the main target of this campaign: the attackers did not bother to serve a malicious page to English-language visitors.

Figure 5: Spoofed BitBrowser page.

Google Translate - sigkiti[.]com

Unlike the other pages in this campaign, sigkiti[.]com does not impersonate a downloadable application. Instead, it presents a Chinese-language Google Translate page designed to look like a browser-based translation service. Clicking anywhere on the page triggers a popup stating that the user is running an outdated version of Flash and must update before proceeding. Adobe Flash Player reached end of life at the end of 2020, so any "update Flash" prompt is itself a red flag.

Clicking "OK" issues a download request for flashcenter_pp_ax_install_cn.zip from ffy.yadi98[.]top. At the time of analysis, the server was unavailable, suggesting the infrastructure was either offline or not yet operational.

Figure 6: Malicious Google Translate page.

File Analysis

The executables delivered through the fake download pages follow a consistent execution pattern: temporary file extraction, launching of a dropped secondary binary, process injection, a Windows Defender configuration change, and outbound network communication. Dynamic analysis suggests infostealer-like functionality, with Joe Sandbox labeling the malware "MicroClip."

Execution Flow

  1. Initial Execution & File Dropping

    • The downloaded executable (*.exe) runs from the user's desktop and writes a temporary file under AppData\Local\Temp.

    • The dropped file (*.tmp) executes with a command-line argument referencing the original payload. Together with the is-*.tmp directory name listed under Host-Based Indicators, this is the staging behavior of an Inno Setup self-extracting installer.

  2. Secondary Execution & Process Injection

    • The temporary file spawns svrnezcm.exe, written to a deeply nested path under AppData\Roaming:
      C:\Users\user\AppData\Roaming\41d8a4f\a27e8d998\445c22590\e5b2cb4562\svrnezcm.exe

    • This process is responsible for further execution and system modification.

  3. System Modification via PowerShell

    • svrnezcm.exe spawns WmiApSrv.exe, which in turn launches PowerShell with the following command:
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\'"

    • The report does not establish whether this WmiApSrv.exe is the legitimate WMI Performance Adapter binary (normally C:\Windows\System32\wbem\WmiApSrv.exe) or a dropped file reusing its name; defenders should check the image path, since neither should be spawning PowerShell.

    • This command adds a Windows Defender exclusion for the entire C:\ drive, a common technique for evading detection. Add-MpPreference requires an elevated (administrator) context, and Defender records the configuration change as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, so both the elevation and the event are detection opportunities.
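The chain above maps onto three host-side detections: an installer temp stage, an executable launched from a random nested AppData\Roaming directory, and a Defender exclusion for a whole drive. The following is an added example, not code from the original report, that scores process-creation telemetry for those behaviors. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the sample events, the is-K3J9Q.tmp name, and the location of WmiApSrv.exe are constructed assumptions rather than observations from the analyzed samples.

```python
"""Added example (not from the original report): score Windows process-creation
telemetry for the execution chain described above. Field names follow Sysmon
Event ID 1; the sample events and the WmiApSrv.exe location are assumptions."""
import re
from typing import Dict, List, Tuple

# Inno Setup installers stage their work in %TEMP%\is-<random>.tmp\<name>.tmp.
INNO_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\is-[^\\]+\.tmp\\[^\\]+\.tmp$", re.I)
# Three or more consecutive short hex-only directory names under AppData\Roaming.
NESTED_HEX_RE = re.compile(r"\\AppData\\Roaming\\(?:[0-9a-f]{6,12}\\){3,}[^\\]+\.exe$", re.I)
# Add-MpPreference -ExclusionPath with a bare drive root such as C:\ (quotes optional).
DRIVE_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-ExclusionPath\s+['\"]?([A-Za-z]:\\?)['\"]*(?:\s|$)", re.I)
# Parents that have no business launching PowerShell; seeded from this report (assumption).
ODD_POWERSHELL_PARENTS = {"wmiapsrv.exe"}

NESTED = r"C:\Users\user\AppData\Roaming\41d8a4f\a27e8d998\445c22590\e5b2cb4562"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry approximating the reported chain, plus one benign control.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Users\user\Desktop\Sriguoe-i4.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\user\Desktop\Sriguoe-i4.exe"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\is-K3J9Q.tmp\Sriguoe-i4.tmp",
     "ParentImage": r"C:\Users\user\Desktop\Sriguoe-i4.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\Temp\is-K3J9Q.tmp\Sriguoe-i4.tmp C:\Users\user\Desktop\Sriguoe-i4.exe"},
    {"Image": NESTED + r"\svrnezcm.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\is-K3J9Q.tmp\Sriguoe-i4.tmp",
     "CommandLine": NESTED + r"\svrnezcm.exe"},
    {"Image": PS, "ParentImage": NESTED + r"\WmiApSrv.exe",  # location assumed, not reported
     "CommandLine": "powershell -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",  # benign: admin excludes one folder
     "CommandLine": "powershell -Command \"Add-MpPreference -ExclusionPath 'C:\\Builds\\proj'\""},
]

Finding = Tuple[str, str]  # (severity, reason)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> List[Finding]:
    """Return every rule that fires on one process-creation event."""
    image, parent, cmd = ev.get("Image", ""), ev.get("ParentImage", ""), ev.get("CommandLine", "")
    findings: List[Finding] = []
    m = DRIVE_EXCLUSION_RE.search(cmd)
    if m:
        findings.append(("high", f"Defender exclusion added for entire drive {m.group(1)}"))
    if NESTED_HEX_RE.search(image):
        # The drop alone is suspicious; coming straight out of an installer temp stage is worse.
        sev = "high" if INNO_TEMP_RE.search(parent) else "medium"
        findings.append((sev, "executable launched from random nested AppData\\Roaming path"))
    elif INNO_TEMP_RE.search(image):
        # Every Inno Setup installer does this; useful only as context for the rules above.
        findings.append(("info", "Inno Setup style temp stage"))
    if _basename(image) == "powershell.exe" and _basename(parent) in ODD_POWERSHELL_PARENTS:
        findings.append(("medium", f"PowerShell spawned by {_basename(parent)}"))
    return findings


SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2}


def triage(events: List[Dict[str, str]]) -> str:
    """Highest severity across all events, or 'none' if no rule fired."""
    worst = "none"
    for ev in events:
        for sev, _ in score_event(ev):
            if SEVERITY_RANK[sev] > SEVERITY_RANK.get(worst, -1):
                worst = sev
    return worst


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        for sev, reason in score_event(ev):
            print(f"event {i}: [{sev}] {reason}")
    print("overall:", triage(SAMPLE_EVENTS))
```

The benign control event (an administrator excluding a single build folder) produces no finding, which is the point of matching a bare drive root rather than any call to Add-MpPreference; widen the pattern to cover C:\Users or C:\ProgramData if that fits the environment.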

Network Activity

  1. DNS Resolution

    • The malware queries zhzcm.star1ine[.]com via 114.114.114[.]114 (114DNS, a Chinese public resolver), apparently bypassing the host's configured resolver. In an enterprise network, DNS traffic from a workstation to an external resolver is itself a detectable anomaly.

  2. Outbound TCP Connection

    • The malware establishes a single TCP connection to 8.210.9[.]4 on port 45, likely for C2 communication or data exfiltration. Port 45 is not associated with any common service, so the connection stands out in flow logs.
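Both network behaviors above can be flagged from standard network telemetry. The following is an added example, not code from the original report, that checks Zeek-style dns.log and conn.log records for lookups sent to an unapproved resolver, lookups of the report's domains, and connections to the report's IPs or to uncommon TCP ports. The log lines are constructed and use a simplified column subset; the approved resolver 10.0.0.53 and the client addresses are assumptions.

```python
"""Added example (not from the original report): flag DNS resolution through an
unapproved external resolver and connections to known bad hosts or uncommon
ports in Zeek-style records. Logs are constructed; resolver 10.0.0.53 is assumed."""
from collections import defaultdict
from typing import Dict, List, Tuple

IOC_DOMAINS = {"zhzcm.star1ine.com", "xiaokgajia.com"}  # from the report's IOC table
IOC_IPS = {"8.210.9.4", "47.243.192.62"}               # from the report's IOC table
APPROVED_RESOLVERS = {"10.0.0.53"}                     # assumption: the org's own resolver
COMMON_CLIENT_PORTS = {53, 80, 123, 443, 587, 993}     # what a workstation normally reaches
DNS_FIELDS = ["ts", "orig_h", "resp_h", "resp_p", "query"]
CONN_FIELDS = ["ts", "orig_h", "resp_h", "resp_p", "proto"]

# Constructed records: one clean lookup, then the reported chain from host 10.0.0.25.
DNS_LOG = (
    "1739900000.1\t10.0.0.25\t10.0.0.53\t53\tupdate.microsoft.com\n"
    "1739900001.2\t10.0.0.25\t114.114.114.114\t53\tzhzcm.star1ine.com\n"
)
CONN_LOG = (
    "1739900001.3\t10.0.0.25\t114.114.114.114\t53\tudp\n"
    "1739900002.0\t10.0.0.25\t8.210.9.4\t45\ttcp\n"
    "1739900003.0\t10.0.0.30\t142.250.72.14\t443\ttcp\n"
)

Finding = Tuple[str, str, str]  # (orig_h, severity, reason)


def parse(log: str, fields: List[str]) -> List[Dict[str, str]]:
    """Tab-separated lines into dicts; Zeek's '#'-prefixed header lines are skipped."""
    rows = []
    for line in log.splitlines():
        if not line or line.startswith("#"):
            continue
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def check_dns(rows: List[Dict[str, str]]) -> List[Finding]:
    out: List[Finding] = []
    for r in rows:
        q = r["query"].lower().rstrip(".")
        if r["resp_h"] not in APPROVED_RESOLVERS:
            out.append((r["orig_h"], "medium",
                        f"DNS query for {q} sent to unapproved resolver {r['resp_h']}"))
        # Exact match or any subdomain of a listed domain.
        if q in IOC_DOMAINS or any(q.endswith("." + d) for d in IOC_DOMAINS):
            out.append((r["orig_h"], "high", f"lookup of known bad domain {q}"))
    return out


def check_conn(rows: List[Dict[str, str]]) -> List[Finding]:
    out: List[Finding] = []
    for r in rows:
        port = int(r["resp_p"])
        if r["resp_h"] in IOC_IPS:
            out.append((r["orig_h"], "high", f"connection to known bad host {r['resp_h']}:{port}"))
        elif r["proto"] == "tcp" and port not in COMMON_CLIENT_PORTS:
            out.append((r["orig_h"], "low", f"TCP to uncommon port {port} on {r['resp_h']}"))
    return out


def hosts_to_isolate(findings: List[Finding]) -> List[str]:
    """Hosts with at least one 'high' finding: the set an IR team acts on first."""
    by_host = defaultdict(set)
    for host, sev, _ in findings:
        by_host[host].add(sev)
    return sorted(h for h, sevs in by_host.items() if "high" in sevs)


def run() -> List[Finding]:
    return check_dns(parse(DNS_LOG, DNS_FIELDS)) + check_conn(parse(CONN_LOG, CONN_FIELDS))


if __name__ == "__main__":
    results = run()
    for host, sev, reason in results:
        print(f"{host} [{sev}] {reason}")
    print("isolate:", hosts_to_isolate(results))
```

The resolver check fires regardless of the domain queried, so it keeps working after the actor rotates zhzcm.star1ine[.]com to a fresh hostname; the IOC matches are the high-confidence signal on top of it.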

Host-Based Indicators

File Paths

  • Temporary execution: C:\Users\user\AppData\Local\Temp\is-*.tmp\*.tmp

  • Dropped payload: C:\Users\user\AppData\Roaming\41d8a4f\a27e8d998\445c22590\e5b2cb4562\svrnezcm.exe

Infrastructure Analysis

This campaign relies on just two servers, both hosted on Alibaba networks in Hong Kong. 47.243.192[.]62 hosts the malicious domains and web pages described above. The server also presented a Let's Encrypt TLS certificate with a common name of ai.wenxinzhineng[.]top, seen in our scans from 01 February 2025 to 10 February 2025 on ports 1 and 443. No other IPs were observed serving this certificate, so it does not currently pivot to additional infrastructure.

Figure 7: Hunt TLS certificate history for 47.243.192[.]62.

8.210.9[.]4 had no TLS certificate history in our scan data and served port 3389, the default RDP port, which suggests the operators manage the server over RDP.

Conclusion

This campaign demonstrates how attackers distribute backdoored executables through deceptive download pages, targeting Chinese-speaking users searching for Signal, Line, Gmail, and BitBrowser. Once executed, the malware weakens host defenses, establishes outbound network connections, and then removes itself from the system.

All observed domains were hosted on a single Alibaba server, with a separate likely command-and-control IP also in Hong Kong. While the exact distribution method remains unclear, the use of non-branded, generic domains suggests a broad targeting approach rather than impersonation of specific vendors.

Users and network defenders should remain cautious of unofficial download sites and closely inspect suspicious domains before installing software. The indicators of compromise below can help detect and prevent infections, but ultimately, verifying software sources (downloading only from the vendor's official site or app store, and checking published file hashes where available) remains one of the best defenses against these threats.

Network Observables and Indicators of Compromise (IOCs)

IP Address        ASN                                 Domain(s)                      Notes
47.243.192[.]62   Alibaba (US) Technology Co., Ltd.   yyyaisiuy[.]com                Hosts all observed download pages; Let's Encrypt certificate CN ai.wenxinzhineng[.]top
                                                      linegut[.]com
                                                      linoo.wenxinzhineng[.]top
                                                      zzz1.dezhen[.]icu
                                                      goougekiut[.]com
                                                      ai.wenxinzhineng[.]top
                                                      z1.xiaowu[.]pw
                                                      xxx1.dezhen[.]icu
                                                      youdaomjsyu[.]icu
                                                      sigkiti[.]com
                                                      ggyxx.wenxinzhineng[.]top
                                                      youdaoah[.]top
                                                      zhiwen.wenxinzhineng[.]top
                                                      z2.xiaowu[.]pw
8.210.9[.]4       Alibaba (US) Technology Co., Ltd.   xiaokgajia[.]com               Likely C2/exfiltration endpoint (TCP/45); RDP (3389) exposed
N/A               N/A                                 zhzcm.star1ine[.]com           Queried by the malware via 114.114.114[.]114

Host Observables and Indicators of Compromise

Filename              SHA-256
Sriguoe-i4.zip        d032b410a052b155df3e8655eb39c330467480c4061f9c7214591bc119bd4fa1
Sriguoe-i4.exe        3d383f6d7187bcd9b060501acc89ed63326d8850ebb9405c80931e40bae7642e
Levinech-en.zip       cc1dc9b0ee1216c94d62d9b2ce2221062dd0bf0d2fa482113714460da81611e6
Levinech-en.exe       8365be3173d13ef29027e9cc18fa9d2687ca66bcf71caddd9b71c0022b68a4ab
Goongeurut.zip        8bad8e2da5a908099dad0365e29bf49bf4a630066bd04971cd8554618083306e
Goongeurut.exe        9f2f18666c71ec41411340b6f794de2a9bcb499d64a1346d39b0ea5add53df78
Mueiqueur-4.zip       a1ef923faa490157923b1a6a52733644e7fa26a5a4d1d7684596ec57899b6e45
Mueiqueur-4.exe       74a12cea157878c04576fd8f775b4e42a980dd35135dbb5087988575880e76eb
Biutengobiru-i4.zip   e8332e157b19a12be2babb1395e9e67c0db6c97ef7bccd8c09c860cb74e6afb3
Biutengobiru-i4.zip   d40df27a82c30187119e4e6fc20256722cf5991a40e4f6efdd29e33574aba750
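Two of the checks a practitioner would run on a download like Sriguoe-i4.zip before anyone executes it are a hash comparison against the table above and a look inside the archive for the platform mismatch noted on the Signal page (a mobile download page serving a Windows PE). The following is an added example, not code from the original report, that does both offline. The ZIP it inspects is constructed in memory from a harmless PE-shaped stub; no real sample is embedded, and the member name Sriguoe-i4.exe is taken from the table only for illustration.

```python
"""Added example (not from the original report): hash a downloaded archive and its
members, detect Windows PE members, and look hashes up in the report's IOC table.
The archive is constructed in memory from a harmless PE-shaped stub."""
import hashlib
import io
import struct
import zipfile
from typing import Dict

# Subset of the SHA-256 values from the IOC table above (archives and extracted executables).
IOC_SHA256: Dict[str, str] = {
    "d032b410a052b155df3e8655eb39c330467480c4061f9c7214591bc119bd4fa1": "Sriguoe-i4.zip",
    "3d383f6d7187bcd9b060501acc89ed63326d8850ebb9405c80931e40bae7642e": "Sriguoe-i4.exe",
    "cc1dc9b0ee1216c94d62d9b2ce2221062dd0bf0d2fa482113714460da81611e6": "Levinech-en.zip",
    "8bad8e2da5a908099dad0365e29bf49bf4a630066bd04971cd8554618083306e": "Goongeurut.zip",
}
MAX_MEMBER_BYTES = 200 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def inspect_archive(blob: bytes) -> Dict:
    """Hash the archive and each member without writing anything to disk."""
    digest = sha256(blob)
    report: Dict = {"archive_sha256": digest, "archive_ioc": IOC_SHA256.get(digest), "members": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                report["members"].append({"name": info.filename, "skipped": "too large"})
                continue
            data = zf.read(info)
            report["members"].append({"name": info.filename, "sha256": sha256(data),
                                      "is_pe": is_pe(data), "ioc": IOC_SHA256.get(sha256(data))})
    return report


def verdict(report: Dict, advertised_platform: str) -> str:
    """'known-bad' on an IOC hit; 'mismatch' if a Windows PE arrives from a page that
    advertises a non-Windows app; else 'unverified' (absence from an IOC list proves nothing)."""
    if report["archive_ioc"] or any(m.get("ioc") for m in report["members"]):
        return "known-bad"
    if advertised_platform != "windows" and any(m.get("is_pe") for m in report["members"]):
        return "mismatch"
    return "unverified"


def build_constructed_zip() -> bytes:
    """Harmless stand-in: an MZ header with e_lfanew -> 'PE\\0\\0' and nothing else, so it
    passes is_pe() but is not a runnable program. Zipped under the name the fake page serves."""
    stub = bytearray(0x44)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Sriguoe-i4.exe", bytes(stub))
    return buf.getvalue()


if __name__ == "__main__":
    rep = inspect_archive(build_constructed_zip())
    for m in rep["members"]:
        print(m)
    print("verdict:", verdict(rep, advertised_platform="android"))
```

Hashing both the archive and its members matters because the table lists the two separately: a repacked ZIP changes the outer hash while the inner executable, and its hash, stay the same.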

Related Posts:

GreenSpot APT Targets 163.com Users with Fake Download Pages & Spoofed Domains
Feb 4, 2025

GreenSpot APT targets 163.com users via fake download pages and domain spoofing. Learn their tactics, risks, and how to protect your email accounts.

Latrodectus Malware Masquerades as AhnLab Security Software to Infect Victims
Aug 29, 2024

During a recent analysis of known Latrodectus infrastructure, our research team encountered a command-and-control...

SEO Poisoning Campaigns Target Browser Installers and Crypto Sites, Spreading Poseidon, GhostRAT & More
Jul 16, 2024

The Hunt Research Team recently stumbled upon Search Engine Optimization (SEO) poisoning campaigns posing as ...
