EXECUTIVE SUMMARY
Recent phishing operations across East and Southeast Asia use multilingual ZIP file lures and shared web templates to target government and financial groups. The campaigns reuse the same page designs, file names, and small server scripts to trick users into downloading archives labeled as tax, payroll, or official notices. Clusters were found in three language sets – Chinese, English, and Japanese – showing the same page titles and download logic reused across sites. The setups often log visitors and only show download links when a server response contains a valid file, which helps the operators control what victims see.
The code used on these pages commonly calls two simple scripts: one that logs visitor details and another that serves a forced download. Pages hide the download link until the server confirms a matching archive, then reveal a ZIP or RAR file with a baiting name. Identical HTML titles and repeated button text appear in multiple languages, and many hosts share similar server setups and TLS certificate fingerprints, suggesting the same tool or builder is being reused. Filenames focus on bureaucratic and financial themes, so recipients are more likely to click.
The sites are short-lived but easy to spin up again, making the operation scalable and quick to replace after takedown. The evidence points to a single, simple phishing kit used to run many small campaigns across different languages and places. By reusing templates, scripts, and file-name themes, the operators can quickly make lures for different audiences while keeping control over downloads. Blocking known domains, flagging requests to the common script endpoints, and filtering archives with tax- or payroll-themed names will cut down exposure. The campaign is a clear example of reuse and automation rather than many unrelated actors doing similar tricks.
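As an added illustration of the archive-name filtering suggested above (example code written for this summary, not taken from the report or the linked write-ups), the Python below scans constructed proxy log lines for successful forced downloads of ZIP or RAR files whose names carry tax, payroll or notice themes in English, Chinese or Japanese. The log format, the keyword list and the hostnames are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed keyword list (not from the report): tax/payroll/notice themes in the
# three languages the report names. Tune to what you observe locally.
LURE_KEYWORDS = {
    "en": ("tax", "payroll", "salary", "notice", "invoice"),
    "zh": ("税", "工资", "薪资", "通知", "发票"),
    "ja": ("税", "給与", "賞与", "通知", "請求書"),
}
ARCHIVE_EXT = re.compile(r"\.(zip|rar)$", re.IGNORECASE)

# Constructed log format (not a vendor format): ts client status "url" "content-disposition"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) "(?P<url>[^"]+)" "(?P<disp>[^"]*)"$'
)

# Constructed sample lines; lure.example is a placeholder, not an observed host.
SAMPLE_LOG = [
    '2024-01-01T09:00:01Z 10.0.0.5 200 "http://lure.example/dl.php?f=7" "attachment; filename=2024_payroll_notice.zip"',
    "2024-01-01T09:00:02Z 10.0.0.6 200 \"http://lure.example/dl.php?f=8\" \"attachment; filename*=UTF-8''%E7%A8%8E%E5%8B%99%E9%80%9A%E7%9F%A5.rar\"",
    '2024-01-01T09:00:03Z 10.0.0.7 200 "http://cdn.example/app-1.2.zip" ""',
    '2024-01-01T09:00:04Z 10.0.0.8 404 "http://lure.example/dl.php?f=9" ""',
    '2024-01-01T09:00:05Z 10.0.0.9 200 "http://lure.example/notice.php" "attachment; filename=%E7%B5%A6%E4%B8%8E%E6%98%8E%E7%B4%B0.zip"',
]

def lure_filename(url, disposition):
    """Archive filename from Content-Disposition (plain or RFC 5987 form) or the URL path, else None."""
    m = re.search(r'filename\*?=(?:UTF-8\'\')?"?([^";]+)', disposition)
    name = unquote(m.group(1)) if m else unquote(urlsplit(url).path.rsplit("/", 1)[-1])
    return name if ARCHIVE_EXT.search(name) else None

def matched_themes(name):
    """Language sets whose lure keywords appear in the filename (substring match, so expect some noise)."""
    lowered = name.lower()
    return sorted(lang for lang, words in LURE_KEYWORDS.items() if any(w in lowered for w in words))

def scan_log(lines):
    """Return (client, filename, languages) for 200 responses that delivered a lure-themed archive."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["status"] != "200":
            continue
        name = lure_filename(m["url"], m["disp"])
        themes = matched_themes(name) if name else []
        if themes:
            hits.append((m["client"], name, themes))
    return hits

if __name__ == "__main__":
    for client, name, langs in scan_log(SAMPLE_LOG):
        print(f"{client} downloaded lure-themed archive {name!r} ({', '.join(langs)})")
```

Because 税 and 通知 are shared between the Chinese and Japanese lists, a filename such as 税務通知.rar is reported under both, which is the intended behaviour for a first-pass triage filter.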
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Reconnaissance | T1592 | Gather Victim Identity Information | – |
| Reconnaissance | T1593 | Search Open Websites/Domains | – |
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Resource Development | T1584.001 | Compromise Infrastructure | Web Services |
| Initial Access | T1190 | Exploit Public-Facing Application | – |
| Execution | T1203 | Exploitation for Client Execution | – |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | – |
| Defense Evasion | T1027 | Obfuscated Files or Information | – |
| Collection | T1113 | Screen Capture | – |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1102 | Web Service | – |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/threat-actors-using-multilingual-zip-file/
https://hunt.io/blog/multilingual-zip-phishing-campaigns-asia-financial-government