{
	"id": "81f9c244-c848-49c9-bc3f-551b9b42b181",
	"created_at": "2026-04-06T00:21:49.19528Z",
	"updated_at": "2026-04-10T13:11:39.563831Z",
	"deleted_at": null,
	"sha1_hash": "b0ebddfeaf2e956a50620200d6f6d89c50092827",
	"title": "Unusual Exploit Kit Targets Chinese Users (Part 1) | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1323782,
	"plain_text": "Unusual Exploit Kit Targets Chinese Users (Part 1) | Malwarebytes\r\nLabs\r\nBy Jérôme Segura\r\nPublished: 2015-05-27 · Archived: 2026-04-05 13:45:36 UTC\r\nWe are very accustomed to seeing the same exploit kits over and over. Angler EK, Nuclear EK or Fiesta EK all\r\nhave become familiar faces on this blog.\r\nToday, we are looking at an exploit kit that we have not seen before. Contrary to its counterparts, it is not used on\r\nmainstream websites or via malvertising attacks but rather it specifically targets Chinese websites and users.\r\nThe point of entry is hidden within compromised Chinese websites which have been injected with a malicious\r\niframe. Simply browsing to any of these pages will trigger the drive-by download attack onto vulnerable systems.\r\nAs with other exploit kits, this one fingerprints potential victims and fires the appropriate exploits, except with one\r\ndifference in that it checks for the presence of a popular Chinese antivirus product before committing itself.\r\nThe exploit toolkit was found on at least two different servers, one located in Malaysia and the other in Singapore.\r\nThey also host the malware binaries delivered via HTTP or FTP depending on the exploitation technique.\r\nIn this two-part blog series, we will describe the methods used by the attackers to draw victims and compromise\r\nthem via multiple exploits and scripts before infecting them with malware payloads.\r\nExploit Kit Analysis\r\nThere are multiple aspects to this attack, starting with the compromise of an unknown number of Chinese websites\r\nwith a malicious iframe pointing directly to the exploit kit.\r\nThe kit itself validates the user before exploiting one or more browser plugins. 
As far as we could tell, only\r\nexisting and already patched vulnerabilities are used in this attack.\r\nInfection vector\r\nWe discovered the initial infection vector on a compromised Chinese website that contained a specific iframe:\r\nhttps://www.malwarebytes.com/blog/news/2015/05/unusual-exploit-kit-targets-chinese-users-part-1\r\nPage 1 of 13\n\nWebsite security firm Sucuri also identified additional ones (here and there) via their SiteCheck service:\r\nThe malicious iframe points to a JavaScript file hosted on the root of a server whose IP address is located in\r\nMalaysia:\r\nThe same URL also exists on a server in Singapore: 202.172.54.119/jquery.min.js\r\nIt’s worth noting that the name the malware authors picked (jquery.min.js) is the name of a legitimate library\r\ncalled jQuery. It is common for websites to reference third-party URLs to load external APIs and libraries.\r\nHowever, in this case the file has nothing to do with jQuery and instead is an exploit kit landing page.\r\nExploit kit overview\r\nExploit kit servers\r\nIP records (courtesy of Robtex):\r\nAs is the case with most exploit kits, this one contains the same primary elements:\r\nA landing page\r\nVarious exploits\r\nMalware payloads\r\nTraffic and URL structure (Fiddler capture)\r\nSurprisingly, none of the code base is encrypted. 
Most modern (if not all) exploit kits heavily encode their scripts\r\nto prevent easy reverse engineering, but this one doesn’t.\r\nLanding page\r\nThe code for the landing page is quite straightforward and does the typical ‘fingerprinting’ calls to determine\r\nwhat the victim is running.\r\nBrowser detection\r\nJava detection in Internet Explorer\r\nJava detection in Firefox\r\nFlash Player detection\r\nSilverlight detection\r\nAnti-AV detection\r\nUsing the XMLDOM exploit (CVE ), the landing page looks for the presence of Qihoo 360 Total Security:\r\nQihoo 360 Technology is a very large Chinese Internet company boasting close to 500 million active users. The\r\nexploit kit will not continue with its payload if it detects the user is running the Qihoo antivirus.\r\nExploit files\r\nWe noticed three different types of files that tried to download the final payload:\r\nJava exploits (CVE-2011-3544 and CVE-2012-4681)\r\nInternet Explorer exploit (CVE-2014-6332)\r\nFlash exploit (CVE-2015-0311, thanks @ropchain)\r\nJava exploits\r\nThe Java applets (VacnaHohoyg4.jar, kflrtGp.jar) are called via sub pages:\r\n \r\nCVE-2011-3544\r\nCVE-2012-4681\r\nOnce again, the applets are not even encrypted and we can clearly see the call to the malware binary which it\r\nretrieves from the same server. 
They made a bit of effort to disguise the file name, pretending it is a “.jpg”.\r\nMalwarebytes Anti-Exploit blocks this exploit:\r\nInternet Explorer (CVE-2014-6332)\r\nThere is heavy use of multiple VBS scripts in this exploit kit. One that struck our attention used Wscript to\r\ndownload a malware binary from the server, but, strangely, via FTP:\r\nMalwarebytes Anti-Exploit blocks this exploit:\r\nEven more bizarre (and careless) is the presence of the FTP script containing the username and password, in\r\nclear text:\r\nFlash exploit\r\nFile: kTjAhKzI.swf\r\nMalwarebytes Anti-Exploit blocks this exploit:\r\nMalware files\r\nimage.png (MD5: 55c447191d9566c7442e25c4caf0d2fe)\r\npic.jpg (MD5: 4e8639378d7a302c7474b5e4406dd7b4)\r\nnotepad.exe (MD5: 5a454c795eccf94bf6213fcc4ee65e6d)\r\nIn a follow-up blog post, we will analyze the malware drops and in particular what their purpose is.\r\nConclusion (Part 1)\r\nThe author(s) of this exploit kit did not really invest much effort into hiding their code or even their own\r\ncredentials, blunders that professionals would not make.\r\nThe kit is hosted directly on fairly insecure servers located (as far as we know) in the Asia Pacific region. Other\r\nAsian exploit kits come to mind (Gondad and CK VIP EK), but those two were more sophisticated than this one,\r\nalthough it is possible that the author got inspired by them.\r\nThe exploit code is fairly straightforward and mostly aimed at older computers (with the exception of the Flash\r\nexploit). 
But considering the targeted users, this might not be a problem.\r\nAccording to data from Zhongguancun Online, the vast majority of Chinese PC users, roughly 200 million, or 70\r\npercent, are running Windows XP. A quote from that Reuters article is particularly interesting: “Qihoo 360 will\r\ncontinue to provide Windows XP support to Chinese users as long as there are still XP users in China.”\r\nThis is consistent with the authors of this exploit kit deciding to detect the presence of the Qihoo antivirus and\r\navoid it: there would still be a large number of users running vulnerable computers with little to no protection\r\nat all.\r\nStay tuned for the follow-up to this story, where we dig into the actual purpose of this exploit kit, since it really\r\nonly is the vehicle for the bad guys’ objective: compromising end-user systems.\r\nSource: https://www.malwarebytes.com/blog/news/2015/05/unusual-exploit-kit-targets-chinese-users-part-1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.malwarebytes.com/blog/news/2015/05/unusual-exploit-kit-targets-chinese-users-part-1"
	],
	"report_names": [
		"unusual-exploit-kit-targets-chinese-users-part-1"
	],
	"threat_actors": [],
	"ts_created_at": 1775434909,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b0ebddfeaf2e956a50620200d6f6d89c50092827.pdf",
		"text": "https://archive.orkl.eu/b0ebddfeaf2e956a50620200d6f6d89c50092827.txt",
		"img": "https://archive.orkl.eu/b0ebddfeaf2e956a50620200d6f6d89c50092827.jpg"
	}
}