EXECUTIVE SUMMARY
Primarily Chinese threat actors are exploiting the legitimate DCloud Uni-App development framework to power a massive global scam economy. These operators have deployed over 236,000 fraudulent domains targeting victims across multiple continents and languages, including English, Spanish, and Portuguese. The campaigns typically manifest as fake cryptocurrency exchanges, "pig-butchering" investment schemes, and fraudulent gambling platforms. The ultimate goal is financial theft, where victims are manipulated into depositing funds into accounts that display fictitious trading activity or returns before withdrawals are permanently blocked.
Attackers use the DCloud framework as a template to quickly build professional-looking websites that mimic legitimate financial services or trading platforms. Instead of traditional malware infection, the attack relies on social engineering to drive traffic to these domains, often via messaging apps or fraudulent referrals. Once a victim registers and deposits funds, the interface displays fake market data to simulate gains. The threat actors maintain control through backend administrative panels that manipulate balances and prevent withdrawals, eventually draining assets through cryptocurrency transfers or wallet-draining mechanisms.
This threat poses significant risks because the sheer volume of domains makes traditional blocklist-based defenses insufficient, while the use of legitimate development tools helps attackers evade detection. The scams often target individuals rather than enterprise networks directly, bypassing standard corporate security filters. Organisations should implement DNS-level protection to block access to known malicious infrastructure and conduct awareness training focused on consumer fraud patterns rather than standard phishing. Additionally, leadership must understand that government registrations or official-looking paperwork presented by these operations do not constitute vetting or legitimacy.
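The DNS-level blocking the summary recommends has one practical wrinkle at this scale: with hundreds of thousands of scam domains, the check has to match subdomains of a listed apex efficiently without also catching lookalike names. The following is an added example, not code from the advisory or from the referenced reports, showing one way to do that over dnsmasq-style query logs. The blocklist entries and log lines are constructed placeholders, not real indicators from the campaign.

```python
"""
Added example (not part of the original advisory): a minimal DNS-level
block check of the kind the summary recommends. It loads a domain
blocklist, normalises entries, and matches DNS query names against it
so that subdomains of a listed domain are also caught. The blocklist
entries and log lines below are constructed placeholders, not real
indicators from the campaign.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed placeholder blocklist (not real IoCs from the report).
SAMPLE_BLOCKLIST = """
# one domain per line, comments allowed
scam-exchange.example
Trade-Win.Example.
invest-now.example
"""

# Constructed sample lines in a dnsmasq-style "query[TYPE] name from ip" format.
SAMPLE_LOG = """\
Jun 01 10:00:01 dnsmasq[123]: query[A] app.scam-exchange.example from 10.0.0.5
Jun 01 10:00:02 dnsmasq[123]: query[AAAA] www.bank.example from 10.0.0.7
Jun 01 10:00:03 dnsmasq[123]: query[A] trade-win.example from 10.0.0.5
Jun 01 10:00:04 dnsmasq[123]: query[A] notscam-exchange.example from 10.0.0.9
Jun 01 10:00:05 dnsmasq[123]: query[A] cdn.invest-now.example. from 10.0.0.11
"""

QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<qname>\S+)\s+from\s+(?P<client>\S+)"
)


def normalise(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")


def load_blocklist(text: str) -> frozenset[str]:
    """Parse one-domain-per-line text, ignoring blanks and '#' comments."""
    out = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.add(normalise(line))
    return frozenset(out)


def is_blocked(qname: str, blocklist: frozenset[str]) -> bool:
    """True if qname or any parent domain of it is on the blocklist.

    Walks label by label (a.b.c -> b.c -> c) so a listed apex domain also
    covers its subdomains, while a lookalike such as 'notscam-exchange.example'
    is not matched by 'scam-exchange.example'. Each lookup costs one set
    membership test per label, which stays cheap however large the list is.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def scan_log(lines: Iterable[str], blocklist: frozenset[str]) -> list[tuple[str, str]]:
    """Return (client, qname) pairs for queries that hit the blocklist."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and is_blocked(m.group("qname"), blocklist):
            hits.append((m.group("client"), normalise(m.group("qname"))))
    return hits


if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_BLOCKLIST)
    for client, name in scan_log(SAMPLE_LOG.splitlines(), bl):
        print(f"blocked query from {client}: {name}")
```

The same `is_blocked` logic is what a resolver with a response policy zone applies at query time; running it over logs instead gives the defender a list of internal clients that have already resolved a listed domain, which is the starting point for the user-facing awareness follow-up the summary describes.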
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Resource Development | T1583.004 | Acquire Infrastructure | Server |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Defense Evasion | T1027.005 | Obfuscated Files or Information | Indicator Removal from Tools |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Collection | T1530 | Data from Cloud Storage | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
REFERENCES:
The following reports contain further technical details:
https://thehackernews.com/2026/06/236000-dcloud-uni-app-sites-used-in.html
https://www.infoblox.com/blog/threat-intelligence/from-san-pedro-to-salinas-how-a-chinese-framework-dcloud-uni-app-powers-a-global-scam-economy/