Two QR-code-based phishing campaigns are analyzed, showing that attackers bypass email security by placing images of text and QR codes in email bodies and attachments instead of readable URLs. The campaigns employ layered evasion (redirection, anti-bot checks, CAPTCHA evasion, obfuscation) and target multiple regions with evolving TTPs; recommendations emphasize cautious QR code use and added device protections. #JSJIAMI #QRCodePhishing #comcheck.cloud #ChinaUnionPay #MicrosoftQRCodePhishing #CloudflareAntiBot
Keypoints
- Two QR-code phishing campaigns were identified: one spike in Microsoft account–themed phishing and a long-running China subsidy–themed campaign.
- Emails minimized or eliminated text URLs, relying on embedded QR codes to drive victims to phishing sites.
- Campaign 1 used image-only email bodies and PDFs with QR codes, leveraging trusted and typo-squatted domains to redirect users.
- Campaign 2 persisted since 2022, embedding QR codes and using elaborate evasion layers (JS obfuscation, dynamic JS, and WebSocket endpoints).
- Layered evasion includes CTA URL redirection, Cloudflare anti-bot checks, and CAPTCHA-like evasion to defeat automated tooling.
- Attack infrastructure shifts toward WebSocket–based communication and randomized JavaScript filenames, complicating network-based detection.
- Regions affected span the US, China, and multiple other countries; Trellix released a QR code phishing detection module to help identify such campaigns.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing via QR-based lure – The subject advises urgent action on 2FA; “The subject of the emails advised the receiver to urgently take action regarding multi-factor authentication (e.g., ‘2FA (Two Factor Authentication) Security Update’).”
- [T1071.001] Web Protocols – Web-based redirection and CTAs – “Landing Pages were often hosted on newly created Domains.”
- [T1113] Screen Capture – Data exfiltration via screenshots to the C2 channel – The function “SendscreenImg() captures a screenshot … and sends it over the WebSocket connection.”
- [T1059.007] JavaScript – Script loading and execution – “Jump.js is loaded first, followed by getCookie.js and jsconfig.js.”
- [T1027] Obfuscated/Compressed Files or Information – CTA URL Page obfuscated by jsjiami.com; “the CTA URL Page … obfuscated by jsjiami[.com], a popular tool in mainland China.”
- [T1562.001] Impair Defenses – Anti-Bot and CAPTCHA evasion – “Cloudflare Anti-Bot Mechanism Check” and CAPTCHA evasion described in layers.
- [T1041] Exfiltration to C2 Channel – Data sent via WebSocket (remote.js) to attacker domain – “The main purpose of this script is to send snapshots/images and mouse interaction data to the server via WS (WebSocket Secure Protocol).”
Indicators of Compromise
- [IP Address] – 49[.]64[.]71[.]178 – used in email headers; associated with ChinaNet’s ISP (AS 4134) and Foxmail client.
- [Domain] – comcheck[.]cloud – subdomains used for targeted entities; and cloudflare-ipfs[.]com – redirection/anti-bot evasion.
- [Domain] – bing[.]com – trusted domain leveraged in campaigns; [Domain] – mcwrssoft[.]co and logln-0nline-nnicrosoift3[.]com – typo-squatted domains observed.