A large investigation shows that RainbowEx was only one example of a much bigger scam ecosystem built on the DCloud Uni-App framework, with 236,493 distinct fraudulent second-level domains tied to fake exchanges, wallet drainers, phishing pages, and investment scams. The report links this infrastructure to operations such as Lightning Shared Scooter Co. (LSSC), Yuechi Sharing Technology Ltd. (YST), XAEL-AI, and CTG Server, and shows how scam operators combine legitimate hosting, bulletproof hosting, and real registration paperwork to appear credible.
Key points
- RainbowEx in San Pedro, Argentina was exposed as a coordinated crypto scam that affected about 20% of the town’s population, including police and city council members.
- The scam’s interface and registration flow were built on the DCloud Uni-App framework, showing that RainbowEx used a reusable template rather than bespoke fraud infrastructure.
- Infoblox identified 236,493 distinct second-level domains tied to DCloud-based scam activity, spanning fake exchanges, pig-butchering, WhatsApp phishing, gambling impersonations, and wallet drainers.
- After the RainbowEx story became public in October 2024, new DCloud-fingerprinted scam site creation surged sharply, peaking at roughly 15,000 new sites per month.
- Two major real-world scam operations, Lightning Shared Scooter Co. (LSSC) and Yuechi Sharing Technology Ltd. (YST), used the same DCloud-based investment scam playbook, including invite-code registration, fake trading dashboards, and off-platform chat handlers.
- YST added a legitimacy layer by displaying real Hong Kong and FinCEN registrations, while FinCEN explicitly warns that registration does not prove legitimacy and can be abused by fraudsters.
- Most DCloud scam infrastructure relies on mainstream providers like Cloudflare, Alibaba Cloud, Tencent Cloud, and AWS, but a smaller, more evasive segment is heavily concentrated on CTG Server and other bulletproof hosting providers.
MITRE Techniques
- [T1189] Drive-by Compromise – Victims were lured to scam websites and apps built on DCloud, where the malicious behavior was embedded in the delivered web/mobile experience ('the exchange, the registration flow, the trading dashboard, and the Telegram-driven price calls, were all built using… DCloud Uni-App').
- [T1566.002] Phishing: Spearphishing Link – Scam operators shared links through WhatsApp, Telegram, social media, and messaging apps to send victims to fraudulent pages ('most likely after receiving a link via WhatsApp, Telegram, social media, or messaging').
- [T1608.001] Stage Capabilities: Upload Malware – The report describes no malware as such, but it does describe operators staging reusable scam templates and apps across many domains and mobile apps ('rapid-deployment template repurposed across operators').
- [T1185] Browser Session Hijacking / Credential Capture via Fake Login – Scam pages used simple login and registration forms to collect credentials and user details ('simple login and registration pages with a stock background photo').
- [T1056.001] Input Capture: Keylogging – The fraudulent registration and login forms captured phone numbers, passwords, CAPTCHA entries, SMS codes, and invitation codes ('requiring: a phone number, password, a graphic CAPTCHA, an SMS verification code, and an invitation code').
- [T1651] Cloud Service Dashboard – Operators relied on major cloud and hosting providers to host scam infrastructure at scale ('Cloudflare, Alibaba Cloud, Tencent Cloud, and Amazon Web Services').
- [T1583.001] Acquire Infrastructure: Domains – Large numbers of scam domains were registered and operated as part of the fraud ecosystem ('over 236,000 distinct second-level domains').
- [T1584.001] Compromise Infrastructure: Web Services – Scam operators used legitimate-looking web services and hosted frontends to conceal fraud ('brand-impersonation storefronts', 'fake brokerage interfaces').
Indicators of Compromise
- [Domains] Core scam and infrastructure domains – rainbowex[.]cc, ystl03106[.]top, and 2 more items
- [Domains] Scam family and phishing domains – lsscapp[.]com, lightacer[.]com, and 2 more items
- [Domains] Wallet drainer and impersonation domains – bepviews[.]com, nasdaqpro[.]top, and 1 more item
- [Domains] WhatsApp and messaging phishing domains – whats-zwp[.]vip, faq-whatsapp-center[.]com, and 7 more items
- [Domains] XAEL-AI scam domains – xaai3xj[.]com, xaaitbb[.]com
- [Domains] Additional scam domains from the ecosystem – allegro-stroe[.]com, usdtflow[.]net, and 16 more items
- [Infrastructure / ASN] Bulletproof hosting provider linked to scam infrastructure – CTG Server Limited (AS152194), myctgs[.]com
- [Organizations / Registrations] Real registrations that YST displayed as proof of legitimacy – Hong Kong Certificate of Incorporation No. 77975280, FinCEN MSB Registration No. 31000300306222
- [Platforms / Services] Hosting and delivery platforms commonly used across the ecosystem – Cloudflare, Alibaba Cloud, Tencent Cloud, Amazon Web Services
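The indicator lists above are defanged (`[.]`) and the report notes that the ecosystem is organised around second-level domains, so a defender matching them against resolver logs needs to refang them and treat any subdomain of a listed domain as a hit. The script below is an added example, not code from the report or from Infoblox: it refangs the domains that are visible on this page (the "and N more items" entries are not on the page, so they are not included), then scans a few constructed dnsmasq-style DNS query log lines, matching on the label suffix so that `app.rainbowex.cc` is flagged while a lookalike such as `rainbowex.cc.example.com`, which lives under a different zone, is not. The log format and client addresses are assumptions made for the example.

```python
"""Refang the defanged domain indicators from the report and match them against
DNS query logs. Added example for this page; the log lines are constructed and the
indicators are the ones visible on the page."""
import re
from typing import Iterable, List, Optional, Tuple

# Indicators exactly as listed on the page, still defanged with [.].
DEFANGED_INDICATORS = [
    "rainbowex[.]cc", "ystl03106[.]top",
    "lsscapp[.]com", "lightacer[.]com",
    "bepviews[.]com", "nasdaqpro[.]top",
    "whats-zwp[.]vip", "faq-whatsapp-center[.]com",
    "xaai3xj[.]com", "xaaitbb[.]com",
    "allegro-stroe[.]com", "usdtflow[.]net",
    "myctgs[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator into a resolvable name: lowercase, the common
    [.] / (.) / [dot] styles restored, hxxp scheme and trailing dot removed."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^hxxps?://", "", s)
    return s.rstrip(".")


INDICATORS = frozenset(refang(d) for d in DEFANGED_INDICATORS)


def matching_indicator(qname: str) -> Optional[str]:
    """Return the indicator that `qname` equals or is a subdomain of, else None.
    Walking the labels right-to-left means app.rainbowex.cc matches rainbowex.cc,
    while rainbowex.cc.example.com (a lookalike under another zone) does not."""
    labels = refang(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in INDICATORS:
            return candidate
    return None


# Constructed DNS query log lines in a dnsmasq-like "query[TYPE] name from client" shape
# (assumed format; adapt LOG_RE to your resolver's log format).
SAMPLE_LOG = """\
Jan 10 12:00:01 dns dnsmasq[100]: query[A] www.example.com from 10.0.0.5
Jan 10 12:00:02 dns dnsmasq[100]: query[A] app.rainbowex.cc from 10.0.0.5
Jan 10 12:00:03 dns dnsmasq[100]: query[A] rainbowex.cc.example.com from 10.0.0.7
Jan 10 12:00:04 dns dnsmasq[100]: query[AAAA] FAQ-WHATSAPP-CENTER.COM. from 10.0.0.9
Jan 10 12:00:05 dns dnsmasq[100]: query[A] cdn.myctgs.com from 10.0.0.5
"""

LOG_RE = re.compile(r"query\[[A-Z]+\] (?P<qname>\S+) from (?P<client>\S+)")


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched indicator) for every line that hits."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ioc = matching_indicator(m["qname"])
        if ioc:
            hits.append((m["client"], m["qname"], ioc))
    return hits


if __name__ == "__main__":
    for client, qname, ioc in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{client} queried {qname} -> matches indicator {ioc}")
```

Matching on the label suffix rather than on a substring is the part worth keeping: a substring match would also fire on the lookalike zone in the third log line and on any unrelated name that happens to contain an indicator, which is the usual source of noisy IoC alerts.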