Thursday, February 13, 2025

GreenSpot APT phishing campaigns with fake 163.com login analysis

 

Summary

From the Hunt.io blog post on GreenSpot APT phishing campaigns, I noted the event, quickly traced it, and downloaded the files to do some simple checking.

 

Technical analysis

 

As of 2025.2.13, the following sites are still accessible.

The fake site hxxp[:]//mail.eco163[.]com/ redirects to hxxps[:]//www.kaola[.]com/ once a username is entered.

On both hxxps[:]//l2024163[.]com/ and hxxps[:]//chamber.icu/, potential victims are prompted to enter their username and password twice in order to download the file. The first attempt always triggers an error message; the motivation is to make 163[.]com users confirm that they typed the password correctly, so the fake sites end up collecting valid user credentials.


Figure 1 - Download large attachments


Figure 2 - Fake login

 

Checking the attachments and finding no embedded VBA macros gives high confidence that they carry no malicious behavior. It seems that GreenSpot is focused on stealing user credentials rather than directly harming the user's client machine. The motivation and tactics of GreenSpot are very clear, smart, and professional. But this does not mean those attachments will stay harmless in the future, because the actor can change and update them so easily.


Figure 3 - No VBA macros found
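The macro check shown in Figure 3, as an added example that is not part of the original post or of any tool the author used: an offline triage helper that inspects an OOXML attachment (docx/xlsx/pptx) for the vbaProject.bin part and macro-enabled content types, and that says so plainly when the container is a legacy OLE file it cannot judge. The `build_sample` helper constructs minimal in-memory zips for demonstration; they are not the campaign's files.

```python
# Added example (not from the original post): stdlib-only VBA macro triage
# for Office attachments, answering only "is a VBA project present?".
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # legacy .doc/.xls/.ppt
MACRO_PART_SUFFIXES = ("vbaproject.bin", "vbadata.xml")  # OOXML macro parts
MACRO_CONTENT_TYPES = ("application/vnd.ms-office.vbaProject", "macroEnabled")


def triage_vba(data: bytes) -> dict:
    """Return a small verdict dict for an attachment given as raw bytes."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE streams, so a zip-based
        # check cannot answer; report that rather than guessing.
        return {"container": "ole", "vba": None, "note": "inspect with an OLE parser"}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"container": "unknown", "vba": None, "note": "not an Office container"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower() for n in zf.namelist()]
        parts = [n for n in names if n.endswith(MACRO_PART_SUFFIXES)]
        ctype_hit = False
        if "[Content_Types].xml" in zf.namelist():
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            ctype_hit = any(m in ctypes for m in MACRO_CONTENT_TYPES)
        return {"container": "ooxml", "vba": bool(parts) or ctype_hit,
                "macro_parts": parts}


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal docx-like zip in memory (sample data, not a real document)."""
    ctype = ('<Types><Override PartName="/word/document.xml" ContentType="application/'
             'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        ctype += ('<Override PartName="/word/vbaProject.bin" '
                  'ContentType="application/vnd.ms-office.vbaProject"/>')
    ctype += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctype)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_vba(build_sample(False)))  # vba False
    print(triage_vba(build_sample(True)))   # vba True, macro_parts listed
```

A `False` result answers only the macro question the post asks; as the post itself notes, an attachment with no macros today can be replaced with something else tomorrow.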

 

IOCs

Network:

hxxp[:]//mail.eco163[.]com/

hxxps[:]//l2024163[.]com/

hxxps[:]//chamber.icu/


Files:

f205b862f6e72b5eaf303de4c6c61df1

cd5f033a40b739f2e7ab5b4ffbfeea72


Conclusion

From the above analysis, the GreenSpot APT phishing campaigns focus on stealing 163[.]com user credentials and use no malicious attachments, but that does not mean they will not be dangerous in the future.

End.


Support My Work:

**If you found this report helpful, consider supporting my work by buying me a coffee!** Your contribution helps me dedicate more time to malware analysis and creating free resources for the cybersecurity community.  






*I am deeply grateful from the bottom of my heart!*
