QakBot Malware IoC Analysis for 2026 | WhoisXML API
WhoisXML API identified hundreds of malicious artifacts connected to QakBot through IoC analysis. Download the threat research materials now.
Continue reading Download reportRisk Alert: "Black Cat" Cybercriminal Group Targeted Attack Campaign
Published by: China National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT) and DBAPPSecurity Co., Ltd. (https://www.dbappsecurity.com.cn/content/details4756_46730.html)
(Translated / Summarized by WXA Deep Research)
Executive Report
China's CNCERT and DBAPPSecurity uncovered a sophisticated SEO poisoning campaign by the “Black Cat” cybercrime group. Attackers pushed malicious sites to the top of search results, falsely labeled them as “official,” and tricked users into downloading trojanized installers. Once executed, these installers connected to attacker-controlled C2 servers, enabling remote and persistent control of infected devices.
- SEO Poisoning Technique: Malicious sites mimicked official software pages to rank high in searches.
- Typosquatting Domains: Attackers used “mlcrosoft” typo domains, like fyat.mlcrosoft[.]cyou and fymaimai.mlcrosoft[.]asia to deceive users.
- Shared Malicious Infrastructure: These domains resolved to 114.114.114.114 (Zenlayer IP), part of a large IP range hosting many suspicious domains.
- Infection Scale: From June 1 to July 28, 2025, about 28,800 Chinese hosts were infected, peaking at 2,328 daily. Trojans used RC4 and “IDAT” markers to unpack malware and maintain C2 connections.
Malicious Domain Infrastructure Analysis
The attackers registered multiple domains that closely resemble legitimate Microsoft sites. As noted, fyat.mlcrosoft[.]cyou and fymaimai.mlcrosoft[.]asia are the primary examples.
| Domain | Created | Register | Resolved IP | Flagged as Malware |
| fyat.mlcrosoft[.]cyou | 2025-03-25 | Gname.com | 114.114.114.114 | ✅ |
| fymaimai.mlcrosoft[.]asia | 2025-06-16 | Gname.com | 114.114.114.114 | ❌ |
CNCERT’s analysis also noted that all these look-alike domains redirected to the same IP address. The malware’s loader checked the fake domains as an initial step. In each case, the DNS lookup returned 114.114.114.114, confirming the domains are hosted together.
Building on this, WhoisXML API identified 10 Microsoft typosquatting domains hosted on the same IP address (208.91.197.91) through reverse DNS and IP geolocation. These domains are focused on impersonating the Microsoft ecosystem and employ a variety of abuse techniques.
| Domains | Impersonated Service | Risk Level | Pattern |
| microsoftnotepad.com | Microsoft Notepad | HIGH | Product impersonation |
| ipcmicrosoft.com | Microsoft IPC services | HIGH | Service prefix abuse |
| microsoftentra.id | Microsoft Entra ID | CRITICAL | Identity service abuse |
| microsoftofficesharepoint.com | Office SharePoint | CRITICAL | Office suite abuse |
| microsoftebank.com | Microsoft + Banking | HIGH | Financial impersonation |
| microsoftadobe.com | Microsoft + Adobe | MEDIUM | Brand confusion |
| microsoftsandiego.com | Microsoft + Location | MEDIUM | Geographic branding |
| microsoftaichallenge.com | Microsoft AI events | MEDIUM | Event impersonation |
| microsoftwhiteboard.com | Microsoft Whiteboard | HIGH | Product impersonation |
| microsoftai.ca | Microsoft AI services | MEDIUM | AI service abuse |
DNS and Related Infrastructure
In addition to the two main domains, the campaign involved hundreds of spoofed domains using the “mlcrosoft” typo and other Microsoft-like names. CNCERT’s IOC list includes phishing sites like www.imqqd[.]com and i4.com[.]vn, which mimicked real software pages to spread trojans. The malicious domains and C2 servers were registered around the same time. The shared IP, 114.114.114.114 (Zenlayer), hosts over 270 domains—many likely suspicious. Attackers may have used Cloudflare or similar CDNs with different nameservers to obscure their infrastructure and enhance stealth.
| Domain | IP_Address | Registration_Date | Threat_Type | ASN_Org |
| www.imqqd.com | 114.114.114.114 | 2025-06-15 | Confirmed_Phishing | AS21859_Zenlayer |
| i4.com.vn | 114.114.114.114 | 2025-06-20 | Malware_Distribution | AS21859_Zenlayer |
WHOIS history analysis provided further attribution signals tied to these malicious domains.
- imqqd.com — Historical records from 2017 list the registrant, admin, and technical contact as [email protected], associated with Maxime Sahroui of the RANQED organization, Belgium.
- tk9885.com — Historical records from 2018–2019 show the proxy email [email protected], which provides no useful attribution value.
- Expanding on this, subsequent WHOIS queries on [email protected] identified the following domain footprint:
- Currently active domains (2):
- mademore.xyz
- epqstd.xyz
- Historically linked domains (14 total):
- nodicorns.com
- wearenodicorns.com
- nodicorn.com
- imqqd.com (from IoC list)
- zweihq.xyz
- stateless.xyz
- stateless.today
- scaleout.xyz
- adonix.xyz
- rocketfee.com
- mademore.xyz
- epqstd.xyz
- epoqstudio.com
- histart.co
This clustering around a single exposed email address suggests a broader historical domain portfolio, with most registrations either expired or updated to privacy-protected WHOIS records in recent years.
Campaign Scale and Indicators
From June 1 to July 28, 2025, about 28,800 hosts in China were compromised. The infection peaked with 2,328 new hosts daily and up to 18,913 daily C2 connections. CNCERT notes the trojan uses embedded “IDAT” markers; the next 16 bytes serve as an RC4 key to decrypt the malware at run-time, making static detection difficult. Two main cases show the attack chain in detail:
- Case 1 – Fake QQ Installer: The phishing domain www.imqqd[.]com delivered a bundled installer that ran fgUSymqzvm.exe, which loaded Y6vv.dll. It checked the environment via fyat.mlcrosoft[.]cyou, decrypted a file using “IDAT” markers and RC4, then connected to xat.tk9885[.]com on port 45 for remote control.
| Phishing Sites | https://www.imqqd[.]com |
| Malicious Installer Download Link | https://www.imqqd[.]com/qq_9.9.025311.zip |
| https://windqq.oss-ap-southeast-1.aliyuncs[.]com/windo-qq.64.zip |
After unzipping:
| Filename | qqdslgj.exe |
| md5 | f86ecc767faal3fd8dc55d51878d3cc6 |
| File Format | Inno Setup Module (6.0.0) |
| Language | Delphi |
File Directory:
| Install_script.iss (Inno Setup install script) - dev-confi QQ_9.9.17.31.exe - raw-j fgUSymqzvm.exe (Load Y6vv.dll) rR40b.kw (Encrypted remote control program) Y6vv.dll (Decrypt and load rR40b.kw) |
- Case 2 – Fake Software Downloader: The phishing domain i4.com[.]vn hosted a bundled installer running stQkSAAC.exe, which loaded KpKUt8.dll. It checked the environment via fymaimai.mlcrosoft[.]asia, decrypted a file using RC4-IDAT, then connected to mm.opi6qi5k[.]com (143.92.60.214) for C2.
| Phishing Sites | i4.com[.]vn |
| Malicious Installer Download Link | https://oss12318.oss-cn-hongkong.aliyuncs[.]com/i4aisizshou06.23.09.zip |
After unzipping:
| Filename | i4aisizshou06.23.09.exe |
| md5 | 9d32902ad0d9f44e7f594d97d0fb88ab |
| File Format | Inno Setup Module (6.4.3) |
| Language | Delphi |
File directory:
| external i4Tox64.exe exeter stQkSAAC.exe (Load KpKUt8.dll) osZswz6.T0 (Encrypted remote control program) KpKUt8.dll (Decrypt and load osZswz6.T0) |
These cases confirm the multi-stage infection process (phishing site → trojan installer → loader DLL → decryption → final RAT) and identify the key infrastructure (fake domains and C2 servers).
Key Indicators of Compromise (IOCs)
Phishing Domains:
www.imqqd[.]com
i4.com[.]vn
Callback Domains:
fyat.mlcrosoft[.]cyou
fymaimai.mlcrosoft[.]asia
C2 Servers:
xat.tk9885[.]com (202.79.175.117)
mm.opi6qi5k[.]com (143.92.60.214)
Sample Hashes:
<ul>
<li>f86ecc767faa13fd8dc55d51878d3cc6</li>
<li>9d32902ad0d9f44e7f594d97d0fb88ab</li>
</ul>Defense and Mitigation Recommendations
CNCERT’s advisory emphasizes standard cybersecurity hygiene along with targeted defenses for this threat:
- Use Official Software Sources: Always download software from official sites or trusted stores, verify file hashes, and scan with antivirus to avoid SEO-poisoned links
- Beware Untrusted Links: Don’t click unknown search results or install from untrusted sites; attackers fake “official” labels.
- Deploy Endpoint Protection: Keep endpoints updated with antivirus/EDR and run regular scans to detect suspicious activity.
- Monitor DNS and Domains: Monitor for “mlcrosoft” domains and block 114.114.112.0/21 or typosquats to disrupt attackers.
- Incident Response: If malware is found, isolate the host, check for C2 communications, remove artifacts, and investigate the infection source.
Key Takeaways
The “Black Cat” SEO poisoning campaign demonstrates a highly evolved threat actor exploiting search engine trust to spread malware. Key lessons include:
- Search Engine Manipulation: Attackers boost fake sites to top search results, falsely labeled official. Don’t trust rankings blindly.
- Typosquatting at Scale: Thousands of look-alike domains around “Microsoft” were registered. Ongoing domain monitoring is vital.
- Persistent Multi-Stage Malware: Trojans used layered obfuscation (installers, loaders, RC4 encryption) to evade detection. Behavior-based detection is needed.
- Large Infection Footprint: Nearly 30,000 machines infected in 2 months shows SEO poisoning’s reach, and vigilance is crucial even for strong enterprises.