{
	"id": "a58eeb5b-c959-4df5-bef1-29eefed7024a",
	"created_at": "2026-04-06T00:12:58.202474Z",
	"updated_at": "2026-04-10T03:32:45.891222Z",
	"deleted_at": null,
	"sha1_hash": "6b911c5641f6a9a32628bb3801fb18b314bcbf0b",
	"title": "Inside Intelligence Center: Financially Motivated Chinese Threat Actor SilkSpecter Targeting Black Friday Shoppers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1826981,
	"plain_text": "Inside Intelligence Center: Financially Motivated Chinese Threat Actor\r\nSilkSpecter Targeting Black Friday Shoppers\r\nArchived: 2026-04-02 11:46:50 UTC\r\nExecutive Summary\r\nIn early October 2024, EclecticIQ analysts uncovered a phishing campaign that targets e-commerce shoppers in Europe and the\r\nUSA looking for Black Friday discounts. Analysts assess with high confidence that it was very likely orchestrated by a\r\nChinese financially motivated threat actor, which analysts dubbed SilkSpecter. The campaign leveraged the heightened online\r\nshopping activity in November, the peak season for Black Friday discounts. The threat actor used fake discounted products\r\nas phishing lures to deceive victims into providing their Cardholder Data (CHD) [1], Sensitive Authentication Data\r\n(SAD) [2], and Personally Identifiable Information (PII).\r\nFigure 1 – Graph view for SilkSpecter activities in\r\nEclecticIQ's threat intelligence platform, Intelligence Center.\r\nThreat actor SilkSpecter targeted victims' Cardholder Data (CHD) by leveraging the legitimate payment processor Stripe [3].\r\nThis tactic allowed genuine transactions to be completed while covertly exfiltrating sensitive CHD to a server controlled by\r\nthe attackers. SilkSpecter enhanced the phishing site’s credibility by using Google Translate to dynamically adjust the\r\nwebsite's language based on each victim’s IP location, making it appear more convincing to an international audience.\r\nEclecticIQ analysts observed that prior to November 2024, SilkSpecter had launched similar phishing campaigns, all linked\r\nto a Chinese Software as a Service (SaaS) platform named oemapps [4]. Analysts assess with high confidence that oemapps\r\nvery likely enables SilkSpecter to quickly create convincing fake e-commerce sites targeting unsuspecting users. These\r\nphishing domains predominantly use the .top, .shop, .store, and .vip top-level domains (TLDs), often typosquatting\r\nlegitimate e-commerce organizations' domain names to deceive victims.\r\n
Tracking Black Friday Themed Phishing Domains with EclecticIQ Intelligence Center\r\nAnalysts used the EclecticIQ Intelligence Center to uncover a pattern among Black Friday-themed phishing domains that\r\nwas very likely linked to the SilkSpecter threat actor.\r\nhttps://blog.eclecticiq.com/inside-intelligence-center-financially-motivated-chinese-threat-actor-silkspecter-targeting-black-friday-shoppers\r\nPage 1 of 7\n\nFigure 2 – Uncovering the pattern among Black Friday-themed phishing pages.\r\nEach phishing page included \"trusttollsvg,\" a deceptive icon designed to give the appearance of a trusted site, and a\r\n\"/homeapi/collect\" endpoint that informed attackers whenever a victim clicked or opened the URL, tracking the phishing\r\ncampaign’s success in real time [5]. These distinct elements became crucial indicators, enabling analysts to identify\r\nadditional discount-themed phishing domains associated with the SilkSpecter activity cluster.\r\n
Analyzing SilkSpecter’s Phishing Kit\r\nSilkSpecter’s phishing pages lured victims with a convincing Black Friday discount theme, often promoting an \"80% off\"\r\noffer to entice e-commerce shoppers into believing they were accessing exclusive deals. Once victims landed on the page,\r\nthe phishing kit deployed several website trackers, including OpenReplay [6], TikTok Pixel [7], and Meta Pixel [8], to\r\nmonitor the effectiveness of the attacks by collecting detailed activity logs from each visitor.\r\nFigure 3 – Black Friday-themed phishing page with fake “Trusted Store” icon.\r\nThe phishing kit also captured key browser metadata, such as IP addresses, geolocation, browser type, and OS details. Using\r\nthis information, the page was dynamically translated into the victim's language through Google Translate APIs, further\r\nincreasing its authenticity.\r\nFigure 4 – Victim's browser metadata sent to another remote server\r\nlikely managed by the attacker.\r\nVictims entering their Personally Identifiable Information (PII) and banking details (CHD and SAD) for a fake discounted\r\nitem submitted their information through Stripe, a legitimate payment service that SilkSpecter abused to process real\r\ntransactions. After a payment was made, the phishing kit exfiltrated all entered details to an attacker-controlled server.\r\nFigure 5 – Payment prompt screen on phishing page that uses Stripe.\r\nVictims were also prompted to enter their phone numbers before completing their purchases. EclecticIQ analysts assess with\r\nmedium confidence that this information could likely be leveraged in a second stage of the attack if SilkSpecter chooses to\r\nexploit the compromised credit or debit card details for financial fraud. The phone numbers could enable attackers to\r\nconduct vishing (voice phishing) or smishing (SMS phishing) attacks, deceiving victims into providing additional sensitive\r\ninformation, such as 2FA codes, personal identification details, or even account credentials.\r\nBy impersonating trusted entities, such as financial institutions or well-known e-commerce platforms, SilkSpecter could\r\nvery likely circumvent security barriers, gain unauthorized access to victims' accounts, and initiate fraudulent\r\ntransactions. After the victim initiates a payment request over Stripe’s APIs on the phishing website, the site covertly records\r\nthe entire session and transmits the banking details to an external server hosted at longnr[.]com/payment/event-log[.]php.\r\nThese additional requests, as seen in the intercepted traffic, indicate that the site is not only processing the payment through\r\nlegitimate-looking means but is also capturing sensitive information, including card details, and relaying them to a separate\r\nserver controlled by the attacker. This technique highlights how the phishing site abuses legitimate APIs while\r\nsimultaneously gathering and exfiltrating critical financial information.\r\nFigure 6 – Payment details exfiltrated over the attacker-controlled remote domain.\r\nAnalysts assess with medium confidence that SilkSpecter likely distributed these phishing URLs through social media\r\naccounts and search engine optimization (SEO) poisoning, leveraging a Black Friday discount theme as social engineering\r\nbait to deceive unsuspecting online shoppers.\r\n
Attribution to Chinese Threat Actor SilkSpecter\r\nEclecticIQ analysts assess with high confidence that SilkSpecter is very likely a Chinese threat actor. This attribution is\r\nbased on multiple indicators observed across several phishing campaigns:\r\nLanguage Indicators:\r\n•    Each phishing page contained JavaScript code with Mandarin comments, suggesting the involvement of a Chinese-speaking developer.\r\n•    The \"zh-CN\" language tag in the HTML code strongly suggests that the phishing sites were developed by Chinese-speaking individuals.\r\nFigure 7 – Mandarin Chinese language used in JavaScript comment.\r\nInfrastructure Analysis\r\n•    SilkSpecter’s infrastructure relied on Chinese-hosted Content Delivery Network (CDN) servers to serve images on Black\r\nFriday-themed phishing pages, indicating a preference for resources within China.\r\n•    Use of oemapps – a Chinese Software as a Service (SaaS) platform – enabled SilkSpecter to create and manage phishing\r\ne-commerce sites.\r\n•    Analysts linked SilkSpecter to over 89 IP addresses and more than 4,000 domain names associated with phishing\r\nactivities.\r\n•    These domains were tied to specific Autonomous System Numbers (ASNs) and domain registrants connected to Chinese\r\ncompanies.\r\nFigure 8 – Use of OEMAPPS library on phishing page.\r\n
Chinese Domain Registrars\r\n•    The most frequently used domain registrar in SilkSpecter’s campaigns is West263 International Limited, a Chinese\r\nregistrar.\r\n•    Other commonly used registrars include Hong Kong Kouming International Limited, Cloud Yuqu LLC, and Alibaba\r\nCloud.\r\n•    Approximately 85% of the remaining IP addresses were routed through Cloudflare, allowing SilkSpecter to mask its\r\ntrue origin while benefiting from Cloudflare’s scalable infrastructure.\r\nFigure 9 – Top 10 most used DNS registrar names by SilkSpecter.\r\nFigure 10 – Other Chinese-originated registrar companies amongst phishing domains.\r\nMITRE ATT\u0026CK Analysis with EclecticIQ Intelligence Center\r\nFigure 11 – MITRE ATT\u0026CK Analysis tool and mapping of TTPs in EclecticIQ Intelligence Center.\r\n
Course of Action\r\nMonitor for Indicators of Black Friday-Themed Phishing Campaigns\r\n•    URL Patterns: Monitor for URLs with themes like “discount,” “Black Friday,” or similar sales events. Additionally,\r\nlook for the specific path “/homeapi/collect” and domains incorporating “trusttollsvg.”\r\n•    Targeted IOC List: Utilize the IOCs shared by EclecticIQ to identify and track SilkSpecter’s phishing domains with\r\nspecific indicators (e.g., “/homeapi/collect” endpoint, Stripe API calls in unverified e-commerce URLs). Flag similar\r\ndomains to alert for further investigation.\r\nMonitor Network Traffic by Suspicious ASN Number Pattern\r\n•    ASN Number Pattern Detection: Set up monitoring rules or alerts for traffic communicating with specific ASNs\r\nlinked to Chinese entities:\r\nASN 24429 - Zhejiang Taobao Network Co., Ltd.\r\nASN 140227 - Hong Kong Communications International Co., Limited\r\nASN 3824 - Cloud Yuqu LLC\r\nASN 139021 - West263 International Limited\r\nASN 45102 - Alibaba US Technology Co., Ltd.\r\nUse these ASNs as a filter criterion in network traffic monitoring tools or SIEM (Security Information and Event\r\nManagement) systems to detect suspicious connections to known Chinese infrastructure associated with SilkSpecter.\r\nMinimizing the Attack Surface with Payment Safeguards\r\n•    Use Virtual Cards for Safer Online Shopping: Many banks offer virtual cards for online purchases, often with\r\nlimited use or adjustable spending limits. A virtual card number is different from your main card and can be easily\r\ncanceled if compromised.\r\n•    Enable Spending Limits and Restrictions: Contact your bank to set transaction limits, restrict international\r\npurchases, or require verification for online transactions. Many banks let you manage these settings through their\r\nmobile apps or online banking portal.\r\n
Indicators of Compromise (IOCs)\r\nHunting query for SilkSpecter phishing domains in urlscan, looking for the file hashes of the reclusively used \"trusttollsvg.js\" and\r\n\"/homeapi/collect.js\":\r\nhash:587b05cd8d59f9820d2cf168b07d46b1519d12ee7a2f7062a2490da0a99ccb50 AND\r\nhash:9a049fe87fe472bd6e2a9f361b78a64576be9f827f9668af69bec03f5cbef0da\r\nBlack Friday Phishing Domains:\r\n
References\r\n[1] “Cardholder Data (CHD),” PCI Security Standards Council. Accessed: Nov. 10, 2024. [Online]. Available: https://www.pcisecuritystandards.org/glossary/cardholder-data/\r\n[2] “Sensitive Authentication Data (SAD),” PCI Security Standards Council. Accessed: Nov. 10, 2024. [Online]. Available: https://www.pcisecuritystandards.org/glossary/sensitive-authentication-data/\r\n[3] “Payments.” Accessed: Nov. 10, 2024. [Online]. Available: https://docs.stripe.com/payments\r\n[4] “Home - The nation's leading SaaS site-building system for self-built cross-border e-commerce independent sites” (首页-全国领先的跨境电商自建独立站SaaS建站系统). Accessed: Nov. 10, 2024. [Online]. Available: http://oemapps.com/\r\n[5] “Search - urlscan.io.” Accessed: Nov. 10, 2024. [Online]. Available: https://urlscan.io/search/#hash%3A587b05cd8d59f9820d2cf168b07d46b1519d12ee7a2f7062a2490da0a99ccb50%20AND%20hash%3A9a049fe87fe472b\r\n[6] “OpenReplay: Open-Source Session Replay \u0026 Analytics.” Accessed: Nov. 10, 2024. [Online]. Available: https://openreplay.com\r\n[7] “About TikTok Pixel | TikTok Ads Manager.” Accessed: Nov. 10, 2024. [Online]. Available: https://ads.tiktok.com/help/article/tiktok-pixel\r\n[8] “Meta pixel: Measure, optimize and retarget ads on Facebook and Instagram,” Meta for Business. Accessed: Nov. 10, 2024. [Online]. Available: https://en-gb.facebook.com/business/tools/meta-pixel\r\nSource: https://blog.eclecticiq.com/inside-intelligence-center-financially-motivated-chinese-threat-actor-silkspecter-targeting-black-friday-shoppers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.eclecticiq.com/inside-intelligence-center-financially-motivated-chinese-threat-actor-silkspecter-targeting-black-friday-shoppers"
	],
	"report_names": [
		"inside-intelligence-center-financially-motivated-chinese-threat-actor-silkspecter-targeting-black-friday-shoppers"
	],
	"threat_actors": [
		{
			"id": "f7341841-19a4-49f6-a728-07478e0c3eb1",
			"created_at": "2024-11-16T02:00:03.813015Z",
			"updated_at": "2026-04-10T02:00:03.772703Z",
			"deleted_at": null,
			"main_name": "SilkSpecter",
			"aliases": [],
			"source_name": "MISPGALAXY:SilkSpecter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434378,
	"ts_updated_at": 1775791965,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b911c5641f6a9a32628bb3801fb18b314bcbf0b.pdf",
		"text": "https://archive.orkl.eu/6b911c5641f6a9a32628bb3801fb18b314bcbf0b.txt",
		"img": "https://archive.orkl.eu/6b911c5641f6a9a32628bb3801fb18b314bcbf0b.jpg"
	}
}