Multilingual ZIP Phishing Campaigns Targeting Financial and Government Organizations Across Asia

Recent phishing operations across East and Southeast Asia use multilingual ZIP file lures and shared web templates to target government and financial organizations. These operations are characterized by multilingual web templates, region-specific incentives, and adaptive payload delivery mechanisms, demonstrating a clear shift toward scalable and automation-driven infrastructure.

To measure the scope, we pulled fresh data from Hunt.io using AttackCapture™ and the HuntSQL™ datasets, then correlated multilingual phishing pages across regions.

Using HuntSQL-based pivoting, we identified multiple interconnected clusters that reveal how adversaries recycle the same web components (scripts, titles, and file naming conventions) across diverse languages such as Chinese, Japanese, and English.

This research aims to trace these interconnected campaigns, map their thematic overlaps, and uncover how a single infrastructure supports a broad-spectrum phishing ecosystem targeting corporate, governmental, and financial entities throughout Asia.

Before going deeper into each cluster, here are the main findings at a glance.

Key Takeaways

• A total of 28 webpages were identified across three clusters (12 Chinese, 12 English, 4 Japanese) with shared design and functionality.

• Unified backend logic using download.php and visitor_log.php scripts indicates automated deployment.

• Language segmentation shows targeted adaptations for Chinese, English, and Japanese audiences.

• Shift from localized to multinational targeting, expanding from Taiwan, Indonesia, and China to Japan and Southeast Asia.

• Consistent use of ZIP/RAR file lures with bureaucratic, payroll, and tax-related filenames supports phishing-driven malware delivery.

• Evidence of infrastructure reuse, suggesting a single operator or toolkit maintaining multiple campaigns.

• Mapped to ATT&CK across Recon, Resource Development, Initial Access, Execution, C2, Collection, and Defense Evasion.

These overlaps align with earlier research that documented similar phishing waves in the region, providing context for how the current campaign evolved.

Background Reference

In early 2025, FortiGuard Labs documented a coordinated, multi-stage campaign that evolved from the deployment of Winos 4.0 in Taiwan to the distribution of the HoldingHands malware family across East and Southeast Asia.

Initially, phishing emails impersonating Taiwan's Ministry of Finance delivered malicious PDFs containing embedded links hosted on Tencent Cloud, using unique IDs to tie multiple payloads to the same operator. Over time, the threat actor abandoned cloud-based hosting in favor of custom domains embedding regional markers such as "tw" (for Taiwan), including twsww[.]xin, which later delivered Japanese-language ZIP payloads.

Another research by FortiGuard Labs traced a continuous lineage of activity extending from Mainland China (March 2024) to Taiwan and Japan (January-March 2025), and most recently, Malaysia. The campaigns relied on fake government or corporate documents such as tax regulations, salary adjustments, or audit notifications to trick users into executing staged malware droppers.

Building on that background, we began the hunt from a known campaign domain and used Hunt.io to pivot across webpage titles, languages, and filename themes, revealing cross-regional links between Chinese, Japanese, and English clusters.

Initial Discovery

Fortinet's blog highlighted multiple domains leveraged by threat actors for distributing malicious content across Asia. To begin with the pivoting, we have selected the domain "zxp0010w[.]vip" as the reference point to fetch the webpage information from hunt.io. The domain "zxp0010w.vip" was first and last observed on June 4, 2025, and is currently flagged for phishing activity on our platform.

Using a HuntSQL™ query, we used the crawler dataset to fetch all available fields:

SELECT 
  *
FROM 
  crawler
WHERE 
  url LIKE '%zxp0010w.vip%'
  AND timestamp > '2025-01-01';

                
Copy

Output example:

The domain "zxp0010w[.]vip" was found; this host resolved to IP address 38.54.88[.]44, which is associated with Kaopu Cloud HK Limited, a hosting provider operating under AS138915 and located in Tokyo, Japan. Open port analysis reveals SSH (port 22) running OpenBSD OpenSSH 8.0, first observed in January 2023 and still active as of October 2025, indicating a long-lived server potentially used for persistent infrastructure or remote administration.

The code analysis of website shows an HTML page titled "文件下載" (File Download) hosted on IP address 38.54.88[.]44. The webpage is written in Traditional Chinese (lang="zh-TW"), used in Taiwan.

The download button reads "Klik untuk melihat lampiran" in Indonesian, which translates to "Click to view attachment". This linguistic inconsistency suggests that the page may have been designed to target users from Taiwan and Indonesia.

The embedded script first sends a background request to visitor_log.php each time the page loads, as indicated by the comment "訪問記錄" ("visit record"), likely to log visitor information such as IP address or user agent. Secondly, it dynamically reveals the previously hidden download button and assigns its target to force_download.php, described in the comment as a "forced downloader". This setup suggests the page is designed to both track visitor activity and deliver a downloadable payload upon interaction.

That first discovery became the pivot point for a broader search, beginning with the Chinese-language cluster.

Pivoting and Cluster Analysis

Chinese Cluster

After identifying that the domain zxp0010w[.]vip hosted a webpage titled "文件下載" (File Download), we used the title as a pivot point to uncover other potentially related sites sharing the same characteristics.

A HuntSQL™ query was designed to extract all crawler records containing pages with the same title captured after January 1, 2025. The query returned 11 unique results that are related to the same phishing campaign.

SELECT 
  *
FROM 
   crawler
WHERE 
  title = '文件下載'
  AND timestamp > '2025-01-01';

                
Copy

Output example:

The eleven webpages are part of a coordinated campaign delivering staged ZIP/RAR payloads under the guise of legitimate documents. The most used language was Traditional Chinese, followed by Japanese, which strongly suggests an organized operation targeting users across Taiwan, Hong Kong, and Japan.

Moreover, the theme of filenames spotted on webpages was bureaucratic and financial, targeting East Asian organizations such as Chinese and Japanese users. The filenames include "稅務電子發票名單.rar" (Tax Invoice List), "進出口申報.zip" (Import-Export Declaration), "財務負責人核對後回傳（電腦版）1.zip" (Finance Confirmation Form), "條例檔案.zip" (Regulatory Document), "通知函.rar" (Notification Letter), "《商業登記條例修改通知書》Bilingual.PCVersion.zip" (Business Registration Amendment Notice), "香港金融管理局企業相關條例（電腦版）.zip" (Hong Kong Monetary Authority Regulations), "添付資料一覧.zip" (Attached Documents List, Japanese), and "申請平台.zip" (Application Platform).

The Chinese-language pages all use the same ZIP/RAR delivery setup and web scripts, pointing to a single kit operating across Taiwan, Hong Kong, and Japan.

After mapping the Chinese-language sites, we moved to English-language pages to check if the same web kit was reused.

English Cluster

For the second pivot, we selected the domain "gjqygs[.]cn" as the reference point to fetch the webpage information from hunt.io. The domain "gjqygs[.]cn" has been observed engaging in phishing activity, with two distinct detections recorded on June 24, 2025, and October 17, 2025, respectively.

The host was accessed over both HTTP and HTTPS, suggesting a minimal setup aimed at credential harvesting or impersonation campaigns.

Using a HuntSQL™ query, we used the crawler dataset to fetch all available fields and expand the information:

SELECT 
  *
FROM 
  crawler
WHERE 
  url LIKE '%gjqygs.cn%'
  AND timestamp > '2025-01-01'

                
Copy

Output example:

The domain gjqygs[.]cn resolves to the IP address 38.54.17[.]167, which, according to Hunt.io, is hosted by Kaopu Cloud HK Limited under ASN AS138915, and is located in Singapore. The host exposes multiple open services, including SSH (port 22) running OpenBSD OpenSSH 8.9p1 on Ubuntu, DNS (port 53), and HTTP/HTTPS (ports 80 and 443), all of which remained active as recently as October 2025.

The IP address "38.54.17[.]167" shows connections to seven other IPs across multiple regions sharing the same SSL fingerprint (3C44E66575DBACE823EF4834E8BD243737A05E66F83E0F707FA9E4C5AFA89092). These related IPs are distributed across Thailand (38.54.32[.]84, 38.54.118[.]238), Hong Kong (38.54.85[.]164, 38.60.203[.]174), Cambodia (38.54.93[.]14, 38.54.93[.]63), and the United States (38.60.162[.]151).

One of the IP addresses, 38.54.85[.]164, operated by Kaopu Cloud HK Limited under ASN AS138915 and located in Hong Kong, has been flagged in threat intelligence sources with one warning linked to the "Bulbature, beneath the waves of GobRAT" campaign.

This association suggests possible involvement in GobRAT-related activity, known for targeting Linux-based systems through remote administration tools. However, the previous Fortinet report, which served as the primary focus of our hunt, was related to Windows-based malware, and therefore does not appear to be linked to GobRAT at this stage.

The code analysis of the website shows an HTML page titled "File Download" and the language used in the webpage is English (lang="en").

Similar to the previous campaign, this webpage also contains the same "Klik untuk melihat lampiran" download button, which triggers the download of NoticeofEmployeePositionAdjustment.zip (not seen in the previous campaign).

The script dynamically fetches file information from download.php and only displays the download link if a valid .zip file is available. It checks the server's JSON response for path and latest_file, and if conditions match, it updates the link's URL and makes it visible. Otherwise, it shows messages like "No downloadable file is currently available" or "The latest file is not a ZIP archive."

To proceed further, a HuntSQL™ query is designed to extract all crawler records containing pages with the same title "File Download" captured after January 1, 2025. The query returned 11 unique results that are related to this campaign.

SELECT
  *
FROM
  crawler
WHERE
  title = 'File Download'
  AND body LIKE '%download.php%'
  AND timestamp gt '2025-01-01'

                
Copy

Output example:

The newly uncovered cluster shows consistent characteristics with previously identified campaigns delivering staged ZIP and archive payloads disguised as legitimate financial or document-related files. The webpages, primarily hosted on .vip and .sbs domains such as zcqiyess[.]vip and multiple subdomains of bulinouui[.]sbs, follow an identical structure that dynamically fetches payload details from download.php.

All the webpages used the English language in the HTML, followed by filenames including Tax Filing Documents.zip, दाखिल करने के दस्तावेज़.zip (Documents for Filing, Hindi), and Tax Return Documents.tar.gz, suggesting a thematic focus on taxation and compliance, indicating an expansion of targeting toward Southeast Asian regions.

The English-language versions reuse the same templates but switch filenames and copy to fit corporate and government themes in Southeast Asia. The final step was to confirm whether the same infrastructure produced Japanese-language versions of the campaign.

Japanese Cluster

For the third pivot, we selected the domain "jpjpz1[.]cc" as the reference point to fetch the webpage information from hunt.io. The domain jpjpz1[.]cc has been observed in two phishing detections, first on May 7, 2025, and again on October 17, 2025, indicating possible reuse of infrastructure over time.

A HuntSQL™ query is used to identify all records containing references to the domain "jpjpz1[.]cc" collected after January 1, 2025. It searches within the crawler dataset to locate any URLs where the domain appears, allowing analysts to uncover recent sightings or related infrastructure:

SELECT
  *
FROM
  crawler
WHERE
  url LIKE '%jpjpz1.cc%'
AND  timestamp gt '2025-01-01'

                
Copy

Output example:

The domain jpjpz1[.]cc resolved to IP address 38.54.50[.]212, which is operated by Kaopu Cloud HK Limited under ASN AS138915, located in Tokyo, Japan. The host exposes key services such as SSH (port 22) running OpenBSD OpenSSH 8.9p1 on Ubuntu Linux and TLS/HTTP (port 443), both active since December 2022 and observed as recently as October 2025.

The code analysis of the webpage shows an HTML page titled "ファイルダウンロード" and the webpage is written in the Japanese language (lang="ja").

The webpage contains a Japanese-language download button that lures users to "click the link below to download the file," and it initially contains a static anchor pointing to 納税申告.zip ("Tax Filing.zip") that is hidden until the page's JavaScript runs.

Similar to the previous campaign, this script uses Japanese words to handle the download and display error in case of a failed download.

From there, a HuntSQL™ query is designed to extract all crawler records containing pages with the same title "ファイルダウンロード" captured after January 1, 2025. The query returned 3 unique results that are related to this campaign.

SELECT
  *
FROM
  crawler
WHERE
  title = 'ファイルダウンロード'
  AND timestamp gt '2025-01-01'

                
Copy

Output example:

All three webpages follow an identical Japanese-language template, indicating they are part of the same Japanese-themed lure cluster tied to the broader previous campaign.

The theme of ZIP files shows bureaucratic and financial connotations crafted to deceive Japanese corporate or tax-related targets. The filenames include 給与制度見直しのご案内.zip (Notice of Salary System Review), 国税庁の審査により.zip (According to the National Tax Agency Review), and 給与制度改定のお知らせ.zip (Salary System Revision Notice).

The uniformity of structure, function, and similar naming conventions points toward a centralized infrastructure or kit deployed by an attacker that automatically generates these webpages for tricking users into downloading initial payloads.

The Japanese pages follow the same pattern, showing the kit's final adaptation for local targets and language.

Together, the three clusters reveal a single, automated phishing framework tailored for multiple Asian regions. The next section outlines how to defend against it.

Mitigation Strategies

• Proactively block all discovered domains and monitor for future domains following similar naming conventions (e.g., *.vip, *.xin, *.top, *.site).

• Researchers and security teams can use Hunt.io's datasets (like AttackCapture™ and HuntSQL™) to continuously query for newly observed phishing pages containing download.php or visitor_log.php, helping to identify early-stage infrastructure reuse.

• Detect and flag outbound HTTP requests to suspicious download.php or visitor_log.php endpoints.

• Configure mail gateways to detect ZIP/RAR attachments with HR, tax, or finance-themed filenames in phishing messages.

• Automatically sanitize downloaded or emailed archives before user access to prevent payload execution.

• Conduct awareness campaigns on phishing and fake "official" document downloads, particularly those referencing HR, finance, or government notices.

• Limit users' ability to execute scripts or compressed files from email attachments or browsers.

Implementing these actions reduces exposure to this multilingual campaign and provides a clearer view of its overall structure.

Conclusion

The multilingual phishing and document-themed campaigns uncovered through Hunt.io pivoting reveal a sophisticated, evolving infrastructure that adapts its lures and delivery mechanisms across regions and languages. From China and Taiwan to Japan and Southeast Asia, the adversaries have continuously repurposed templates, filenames, and hosting patterns to sustain their operations while evading conventional detection.

The strong overlap in domain structures, webpage titles, and scripting logic indicates a shared toolkit or centralized builder designed to automate payload delivery at scale. This investigation links multiple clusters to a unified phishing toolkit used across Asia and demonstrates how Hunt.io's HuntSQL™ pivots reveal infrastructure reuse at scale.

The following indicators summarize the infrastructure tied to this campaign and can be used for immediate blocking or enrichment. To explore similar phishing infrastructure and datasets in real time, open a free Hunt.io account or book a demo.

Indicators of Compromise (IOCs)

Root Clusters - Domains

Root Clusters - IP

Campaign Root: zxp0010w[.]vip Cluster (Traditional Chinese)

Campaign Root: gjqygs[.]cn Cluster (English / Indonesian)

Campaign Root: jpjpz1[.]cc Cluster (Japanese)

Domains and IPs - All Clusters

MITRE ATT&CK Matrix

Below is a visual map of the techniques we observed across the campaign clusters.