{
	"id": "e77dc635-70be-4fdc-bfdc-de993af77dad",
	"created_at": "2026-04-06T00:10:50.498828Z",
	"updated_at": "2026-04-10T03:32:46.107534Z",
	"deleted_at": null,
	"sha1_hash": "f55ecb9f75f3f5085a76148ceda9d96db5818c97",
	"title": "GreenSpot APT Targets NetEase 163.com Users with Fake Download Pages \u0026 Spoofed Domains",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2674690,
	"plain_text": "GreenSpot APT Targets NetEase 163.com Users with Fake Download Pages \u0026 Spoofed Domains\r\nPublished: 2025-02-04 · Archived: 2026-04-05 18:33:39 UTC\r\nTABLE OF CONTENTS\r\nInfrastructure Analysis\r\nImpact and Relevance\r\nConclusion\r\nNetwork Observables and Indicators of Compromise (IOCs)\r\nNamed by Antiy Labs in 2018, the GreenSpot Advanced Persistent Threat (APT) group is believed to operate from Taiwan and has been active since at least 2007. Known for data theft operations, the group targets government, academic, and military-related entities, primarily in China, through phishing campaigns.\r\n163.com, a free email service operated by NetEase, one of China's largest IT companies, has become a frequent target for GreenSpot, with the primary objective of stealing login credentials.\r\nHunt.io researchers observed domains registered within hours of each other, designed to mimic legitimate 163.com services. One such domain hosts a malicious login page, while further analysis of similar domains revealed fake download pages aimed at capturing usernames and passwords. Patterns in hosting providers, the impersonation of NetEase services, and domain naming conventions, combined with overlaps in public reporting, strongly suggest that this phishing infrastructure is linked to the group.\r\nAlthough this recent campaign is confined to a specific region, it reminds us that even free email services can be targeted by advanced threat actors.\r\nInfrastructure Analysis\r\nOur research began with two domains registered within hours of each other via the reseller SugarHosts. Acquiring domains through a reseller minimizes the risk of direct interaction with major registrars, thereby reducing links back to the group. These domains serve as part of the threat actor's malicious infrastructure, both resolving to 139.162.62[.]21:\r\nmail[.]ll63[.]net (using the letter \"L\")\r\nmail[.]eco163[.]com\r\nFigure 1: Screenshot of Whois results for eco163[.]com\r\nFigure 2: Whois results for ll63[.]net\r\nQuerying the IP in Hunt shows the server is hosted on the Akamai Connected Cloud network in Singapore, with ports 22 and 80 open. Of note, port 80 responds with a non-standard HTTP status code of 588. While this code is not recognized by IANA, Alibaba Cloud uses it for \"Exceeded_Quota\" errors, suggesting that either a custom response or a proprietary configuration is in use.\r\nFigure 3: Port history overview for the suspicious IP in Hunt.\r\nThe domains are crafted to impersonate the 163.com mail service. While mail[.]ll63[.]net displays a blank web page, mail[.]eco163[.]com presents a login page closely mirroring the legitimate login interface.\r\nFigure 4: Spoofed domain at mail[.]eco163[.]com hosting suspicious login page.\r\nFigure 5: Legitimate login page at mail[.]163[.]com\r\nUpon submitting user credentials, JavaScript code is executed on the 163nailaiba.php page, which dynamically constructs a redirection link based on the URL's domain and displays a 404 page. The script is configured to detect specific domains, including:\r\nvip[.]163[.]com\r\nvip[.]126[.]com\r\nvip[.]188[.]com\r\nmail[.]yeah[.]net\r\nIf none of the above domains is detected, the user is redirected to the legitimate email login page. Although we have not observed any evidence of credentials being exfiltrated at this time, the script could easily be modified to redirect users to another domain under the actor's control.\r\nMalicious Download Service\r\nExpanding our search for domains using Hunt's \"New Hostnames Found on SSL Certs\" feed, we identified several suspicious web pages posing as large attachment download services for 163[.]com. These pages, likely distributed via phishing emails, initiate a countdown timer upon visit, pressuring users to enter their credentials to access the document. We found that even after the timer expired, the decoy files, none of which are detected as malicious, remain available for download.\r\nFigure 6: Example \"large attachment download\" page serving benign files.\r\nThe file names, translated from Chinese, include:\r\n\"Guide to Maritime Administrative Services and Application Documents.7z\"\r\n\"Highlights of Inspections.docx\"\r\n\"Summary of the Situation of Persons Applying for Allocation of Adjusted Apartment Housing.xlsx\"\r\nIn addition to domains featuring \"163\" in their names, the hosted page is titled \"网易邮箱超大附件下载\" (translated as \"Download Large Attachments for Netease Mailbox\"). Using this title as part of our search query, we uncovered a small cluster of servers employing a mix of self-signed TLS certificates with the common name \"localhost\" and Let's Encrypt certificates using the domain as the common name. It appears that the \"localhost\" certificates are deployed when servers are inactive, switching to Let's Encrypt during active attack periods.\r\nPotential victims are prompted to enter their 163[.]com username and password to download the file. The first try triggers an error message, likely an attempt to confirm password accuracy. A POST request to login.js is sent on the second attempt, which captures the entered credentials, saving them via a PHP script named \"saveData.php.\" A simple confirmation message, \"The data was successfully saved to a file,\" is displayed upon accessing the script directly.\r\nFigure 7: Example of extracted credentials after attempting to access a benign file.\r\nImpact and Relevance\r\nAlthough this campaign targets 163.com, its implications extend beyond a single service or region. GreenSpot's techniques, using deceptive domains, manipulated TLS certificates, and counterfeit interfaces, demonstrate a threat actor adept at compromising online platforms. While free email services are designed for ease of access, they often rely on users to activate enhanced security features like multi-factor authentication. Without these protections, users remain at risk of credential theft, potentially exposing sensitive communications and personal data.\r\nConclusion\r\nGreenSpot's tactics underscore the sophistication of modern credential theft operations. Our investigation reveals that deceptive domains, manipulated TLS certificates, and spoofed login interfaces are used to harvest credentials from 163.com users. Detection efforts should concentrate on identifying irregular domain registrations, certificate anomalies, and unusual HTTP responses.\r\nOrganizations and individuals are advised to enable multi-factor authentication, bolster network monitoring, and ensure threat intelligence feeds are current. These proactive measures are essential for mitigating risks from adversaries like GreenSpot.\r\nNetwork Observables and Indicators of Compromise (IOCs)\r\nIP Address | Domains | Notes\r\n139.162.62[.]21 | mail[.]ll63[.]net, mail[.]eco163[.]com | Hosted on an open directory at 152.32.138[.]108\r\n45.76.180[.]253 | l2024163[.]com | Malicious download page hosting \"Guide to Maritime Administrative Services and Application Documents.7z\"\r\n207.148.124[.]130 | superset[.]greeninvietnam[.]org[.]vn | Download page hosting \"Highlights of Inspections.docx\"\r\n198.13.56[.]201 | chamber[.]icu | Download page hosting \"Summary of the Situation of Persons Applying for Allocation of Adjusted Apartment Housing.xlsx\"\r\nSource: https://hunt.io/blog/greenspot-apt-targets-163com-fake-downloads-spoofing",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/greenspot-apt-targets-163com-fake-downloads-spoofing"
	],
	"report_names": [
		"greenspot-apt-targets-163com-fake-downloads-spoofing"
	],
	"threat_actors": [
		{
			"id": "b9695d1c-08bf-4cb9-b408-f9275bbe47e7",
			"created_at": "2025-03-07T02:00:03.802302Z",
			"updated_at": "2026-04-10T02:00:03.83211Z",
			"deleted_at": null,
			"main_name": "GreenSpot",
			"aliases": [
				"PoisonVine",
				"APT-Q-20"
			],
			"source_name": "MISPGALAXY:GreenSpot",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434250,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f55ecb9f75f3f5085a76148ceda9d96db5818c97.pdf",
		"text": "https://archive.orkl.eu/f55ecb9f75f3f5085a76148ceda9d96db5818c97.txt",
		"img": "https://archive.orkl.eu/f55ecb9f75f3f5085a76148ceda9d96db5818c97.jpg"
	}
}