22 Disposable Domains, One Subsidy-Fraud Backend: A CTG Server /24 in Hong Kong Runs a Chinese 企业补贴 Scam, a Core DAO Crypto Impersonation, and a Matching Operator Chat App
TL;DR
Another pivot off yesterday's Silver Fox / ValleyRAT investigation led to 118.107.43.65 — a Windows server in the 118.107.43.0/24 netblock owned by CTG Server Ltd / RACKIP Consultancy Pte Ltd (AS152194, Hong Kong), the same bulletproof hoster that came up repeatedly in yesterday's Silver Fox work. Pulling on the thread revealed that the /24 isn't just running one Silver Fox C2 — it's running a multi-vertical Chinese-language cybercrime hosting cluster, and one operator's fingerprints are all over it.
118.107.43.65 alone hosted 22 disposable apex domains over a 30-day window from July 15 to August 14, 2025, all serving the same Chinese-language admin panel titled 后台管理系统 ("Backend Management System"). The domains cycled in and out roughly every 1–3 days during peak activity. One of the 22 — www.uierot.com — served the victim-facing side: a 企业补贴 ("Enterprise Subsidies") fraud lure targeting Chinese businesses and individuals looking for government subsidy programs.
What this report adds to the public record:
- Full inventory of the 22 disposable domains on 118.107.43.65, their registration pattern (Gname.com Pte Ltd + share-dns.com/net nameservers), and their consistent three-subdomain architecture (www. victim-facing, api. PHP backend, random-prefix operator panel)
- Identification of the victim-facing 企业补贴 subsidy-fraud lure at www.uierot.com and the matching backend operator dashboards running Vue.js 3 + Element Plus + FingerprintJS on both sides (for tracking victims and operators)
- Subnet-wide map of the 118.107.43.0/24 cluster showing that the same actor or organization appears to be running parallel cybercrime verticals: a coredao.net Core DAO cryptocurrency-project impersonation, a gambling subcluster across .com/.vip numeric domains, a tongxinsq.com (通信社区, "Communication Community") chat platform likely used as the operator's internal comms channel, and an Elasticsearch + MinIO + RabbitMQ + Redis backend tier
- Confirmation that CVE-2020-0796 (SMBGhost) and several other critical vulnerabilities remain unpatched across the Windows hosts in the /24, offering takedown / disruption leverage for enforcement partners
Hat tip to yesterday's GHOST Silver Fox investigation and its pivot chain for surfacing this /24 during the Silver Fox campaign mapping. If you've already published reporting on this 118.107.43.0/24 cluster, the 后台管理系统 / 企业补贴 scam kit, the coredao.net Core DAO impersonation, or the Gname.com + share-dns registration pattern covered here, please reply or DM and we'll update and credit.
The Target Host
| Field | Value |
|---|---|
| IP | 118.107.43.65 |
| ASN | AS152194 (CTG Server Limited) + AS64050 (RACKIP) |
| Hosting | CTG Server Ltd / RACKIP Consultancy Pte Ltd |
| Address on file | 202, 2/F Kam Sang Bldg, 257 Des Voeux Rd Central, Hong Kong |
| WHOIS range | 118.107.40.0 - 118.107.47.255 (CTG107-40-HK) |
| OS | Microsoft Windows |
| Current open ports | 139/tcp (NetBIOS-SSN) |
| Historical web services | nginx on 80/443 (July-August 2025, now offline) |
| First observed | 2025-07-16 (URLScan) |
| Abuse contacts | cs.mail@ctgserver.com, abuse@rackip.com |
The web services were torn down after the August 2025 rotation window ended — what's left is the NetBIOS port keeping the Windows base OS visible but not serving content directly. The operator kept the box alive and rotated the scam infrastructure to new hosts elsewhere in the cluster. This is consistent with how this kind of operation typically manages burn cycles: the machine stays provisioned, the domains rotate, the content moves.
The 22 Disposable Domains
Between 2025-07-16 and 2025-08-14, URLScan captured the same Chinese-language page title 后台管理系统 ("Backend Management System") on 22 different apex domains, all resolving to 118.107.43.65:
The .com run (July 15–30)
j7.tdbfoi.com 2025-07-16 first observed
d3.iytegfc.com 2025-07-16
s2.hibnec.com 2025-07-16
f4.iebgts.com 2025-07-16
g5.opbger.com 2025-07-16
d3.iehtdf.com 2025-07-17
www.uierot.com 2025-07-20 ← VICTIM-FACING: "企业补贴" (Enterprise Subsidies)
aa.fdjfljx.com 2025-07-21
gg.dfjelr.com 2025-07-21
g5.dflkjel.com 2025-07-24
s2.idhfbt.com 2025-07-24
hh.brterxc.com 2025-07-30
ff.oredft.com 2025-07-31
The .cyou run (July 31 onward — cheaper TLD, fewer abuse takedowns)
g5.uifetdc.cyou 2025-07-31
tt.ifhertx.cyou 2025-07-31
ff.hbiuer.cyou 2025-08-01
de.tierefd.cyou 2025-08-02
sss.bgrete.cyou 2025-08-04
a1y.diferd.cyou 2025-08-08
der.edisdj.cyou 2025-08-10
df.biredes.cyou 2025-08-13
gh.rduehx.cyou 2025-08-14 last observed
The switch from .com to .cyou is meaningful: .cyou is materially cheaper, has weaker abuse response from the registry, and is the documented Chinese cybercrime TLD of choice (see also today's Luo Quan Silver Fox post which covers 288 .cyou domains on a related operator). The operator is cost-optimizing mid-campaign.
All 22 domains share the same registration signature:
| Attribute | Value |
|---|---|
| Registrar | Gname.com Pte. Ltd. (Singapore, IANA ID 1923) |
| Nameservers | a[N].share-dns.com / b[N].share-dns.net (Gname's own DNS) |
| Registration window | 2025-07-15 → 2025-08-14 (30-day burst) |
| Domain style | Random 5–7 character gibberish |
| Status | clientTransferProhibited |
The share-dns.com/share-dns.net nameserver pool is the operational fingerprint — every one of these 22 domains, plus the Core DAO impersonation and the matching chat platform (see below), points at the same two-domain share-dns nameserver infrastructure. That's the single point of failure and the cleanest place for defenders to cut the operation off.
The Three-Subdomain Architecture
Certificate Transparency reveals a consistent subdomain layout on every one of the 22 apex domains:
| Subdomain | Role | Observed |
|---|---|---|
| www. | Victim-facing scam content | www.uierot.com → 企业补贴 lure |
| api. | PHP backend API | api.tierefd.cyou returns 403 Forbidden (gated API) |
| Random prefix (e.g., gh., df., a1y., sss.) | Operator admin panel | All 22 observed |
The random-prefix pattern for operator panels is a deliberate obscurity-by-unguessability move — victims never see the admin subdomain, so it doesn't need to be guessable or memorable, and unique-per-apex random prefixes make it harder for defenders to enumerate all operator panels from a single known pattern.
The Technology Stack
Operator-facing admin panel
Vue.js 3 + Element Plus (UI framework)
Vuex (state management)
Vue Router
Axios (HTTP client)
Lodash
@fingerprintjs — device fingerprinting (for operator auth / abuse detection)
tsparticles — login-page visual effects
nginx
Let's Encrypt R10/R11 TLS
Victim-facing scam page
Vue.js + Vite
Vuex + Vue Router + Axios
crypto-js — client-side encryption (encrypts victim form data before POST)
@fingerprintjs — device fingerprinting (for victim tracking)
PHP backend at /api.php/index/config
nginx + Let's Encrypt
FingerprintJS on both sides is the tell. The operator fingerprints victims for tracking and targeting. The operator also fingerprints their own operators — meaning the admin panel watches who's logging in from where, and locks operators to specific devices. That's consistent with either a multi-tenant PhaaS model (like the TMoscow Bot case we wrote up today) or with an organized operator group that's trying to prevent panel-credential reuse if a device gets compromised.
The crypto-js client-side encryption on the victim side is a defender-evasion move — if a security researcher or browser extension tries to intercept the form POST, the payload is already encrypted before transmission. The key is embedded in the Vue bundle, so the encryption is not cryptographically meaningful, but it's enough to defeat naive inline scanners.
The Subnet — 118.107.43.0/24
Subnet enumeration via Shodan InternetDB reveals 154 responsive hosts forming a multi-purpose cybercrime hosting cluster. The same operator (or at minimum, operators sharing the same infrastructure + registrar + DNS stack) appears to be running at least four parallel verticals:
Vertical 1 — Subsidy-fraud admin panels (the core operation)
- .65: our target, 22+ rotating scam domains, 企业补贴 enterprise-subsidies lure
Vertical 2 — Core DAO cryptocurrency scam
- .140, .141, .149: all three hosts serve core.coredao.net as hostname, running nginx + MySQL 8.0.20 + SSH
coredao.net is an impersonation of the legitimate Core DAO blockchain project. The domain was re-registered on 2026-02-12 via Gname.com with the same share-dns nameservers. Historical CT log entries from 2023 (scam.coredao.net, stake.coredao.net) suggest the domain has a prior abuse history from earlier actors — whoever is running it now picked up an already-burned name and stood up a fresh impersonation site. Crypto users searching for Core DAO hit this site, not the legitimate .org, and lose funds to whatever wallet-approval or stake-to-scam flow the operator runs.
Vertical 3 — Online gambling (Chinese-language)
- .166, .188, .197: mail servers (Postfix) hosting 1668855.com, 1668877.com (GoDaddy, 2025-09-21), 668811.vip, 886622.vip (GoDaddy, 2025-09-16), pchomb.com
- .153, .156, .158: web + MySQL hosting mrjsb.com (Xin Net registrar)
Numeric .com / .vip domains are the Chinese gambling TLD pattern. These are hosted on the same /24 but not under the same registrar as the subsidy-fraud cluster — GoDaddy + Xin Net rather than Gname. The gambling operation may be a separate tenant of the same hoster rather than the same operator.
Vertical 4 — Operator chat platform
- .53: SSH + port 10001; DNS resolves tongxinsq.com here
- .54, .58: MinIO + nginx, hostname chat.tongxinsq.com
tongxinsq.com means 通信社区 — "Communication Community". Registered 2026-03-20 through GMO/Onamae.com, but uses share-dns nameservers — meaning the DNS stack ties it back to the Gname cluster even though the registration is a different vendor. That's a strong tell: different registrar, same operator DNS infrastructure. The chat platform is most plausibly the operator's internal communication channel for coordinating the scam campaigns across team members.
Vertical 5 — Shared backend infrastructure
- .45, .49, .52: MinIO object storage + nginx + SSH (CentOS 7, OpenSSH 7.4)
- .142, .160, .165: Elasticsearch clusters
- .203: RabbitMQ (port 15672) message queue
- .208, .220, .228: MySQL 8.0.44 + Redis + nginx (database tier)
This backend tier is the plumbing underneath all the front-facing scam verticals — object storage for phishing kit assets and victim data, Elasticsearch for search/analytics, a message queue for async processing, and a MySQL/Redis DB tier. Standard microservice shape, applied to cybercrime operations.
Vertical 6 — Windows operator infrastructure
- .5, .6, .7: SMB hosts, CVE-2020-0796 (SMBGhost) flagged
- .20, .23: RDP (3389) with self-signed certs
- .25, .26, .28, .44, .46, .47: WinRM (5985), operator admin machines
- .193, .200: WinRM + port 47001
The Windows operator infrastructure is vulnerable to SMBGhost — a 2020 remote code execution vulnerability (CVE-2020-0796) that remains unpatched on multiple hosts. For enforcement partners, that's a disruption lever: the operators' own infrastructure is RCE-vulnerable to a well-known, well-tooled exploit.
Additional scam clusters
- .184, .187, .191: 000003.shop, Neo4j (port 7474) + MySQL 5.6 + nginx
- .164, .174: xslnyjaansvmiulu.cc, another gibberish domain
- .27: r8q4j1j4m2.cc, gibberish domain, Gname.com registrar, Zabbix agent (10050)
- .181: URL shorteners y62.me, 75f.la, 7fb.me, gxxtky.com, pm.xq2024.com
- .210, .212, .222: aa.xg618.xyz
- Certificate cross-discovery: diferd.cyou's cert includes www.jrhdec.cyou in its SAN, an additional sibling domain not discoverable any other way
Confidence Table
| Claim | Confidence | Basis |
|---|---|---|
| .65 hosts Chinese-language scam admin panels | HIGH | URLScan direct captures with screenshots of 後台管理系統 / 企业补贴 pages |
| Same operator runs all 22 rotating domains | HIGH | Identical registrar + DNS + tech stack + registration timing |
| coredao.net is run by the same operator | HIGH | Same registrar (Gname), same share-dns nameservers |
| tongxinsq.com chat is the same operator's comms | MEDIUM | Different registrar, but shared share-dns DNS infrastructure |
| Gambling subcluster is the same operator | LOW-MEDIUM | Same hoster + /24, but different registrars (GoDaddy, Xin Net); could be co-tenants |
| Operator is a Chinese-speaking organized group | HIGH | Mandarin admin panels + Mandarin fraud themes + Chinese registrars |
| Backend infrastructure tier is shared across verticals | MEDIUM-HIGH | MinIO / Elasticsearch / MySQL / Redis distribution pattern consistent with multi-tenant backend |
Detection & Hunting
Block list
```
# Subnet
118.107.43.0/24
# Registrar infrastructure
a[1-9].share-dns.com
b[1-9].share-dns.net
# Core DAO impersonation
coredao.net
core.coredao.net
# Operator chat
tongxinsq.com
chat.tongxinsq.com
# 22 subsidy-fraud domains
tdbfoi.com iytegfc.com hibnec.com iebgts.com opbger.com
iehtdf.com uierot.com fdjfljx.com dfjelr.com dflkjel.com
idhfbt.com brterxc.com oredft.com
uifetdc.cyou ifhertx.cyou hbiuer.cyou tierefd.cyou bgrete.cyou
diferd.cyou edisdj.cyou biredes.cyou rduehx.cyou
# Cross-cert discovery
jrhdec.cyou
# Gambling subcluster
1668855.com 1668877.com
668811.vip 886622.vip
pchomb.com mrjsb.com
# Additional scam clusters
000003.shop biangzh.cloud xg618.xyz
xslnyjaansvmiulu.cc r8q4j1j4m2.cc
```
Hunting queries
- Title hunt: any page titled 后台管理系统 (Backend Management System) served from a non-enterprise domain, especially on .cyou TLDs
- Title hunt: 企业补贴 (Enterprise Subsidies) on any domain not ending in .gov.cn
- Nameserver hunt: DNS queries to a[1-9].share-dns.com / b[1-9].share-dns.net from corporate networks
- FingerprintJS hunt: @fingerprintjs bundle loads from domains with gibberish apex names on .com/.cyou TLDs
- API endpoint hunt: /api.php/index/config URL pattern
- Stack hunt: Vue.js + Element Plus apps served from randomly-named domains registered within 30 days of observation
- Registrar hunt: new domain registrations via Gname.com Pte Ltd using share-dns nameservers under random-string apex patterns
Cert Transparency hunt
Any new crt.sh entry for a domain with:
- Gibberish 5-7 character apex name
- Subdomains matching the www. / api. / [random-prefix]. three-tier pattern
- Let's Encrypt R10/R11 issuer
- Cross-cert SANs linking to other gibberish domains
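To make the hunting queries above, the three-subdomain architecture and the cross-cert SAN discovery concrete, here is an added Python example (not part of the original report, not the GHOST team's tooling). It scans constructed tab-separated log records for the indicators the report names (the 118.107.43.0/24 range, the share-dns nameserver pattern, the 后台管理系统 / 企业补贴 page titles, the /api.php/index/config path), groups Certificate Transparency names by apex to spot the www. / api. / random-prefix layout, and pulls sibling apexes out of a certificate's SAN list. The log lines, the `.corp.example` trusted suffix and the `x7.uierot.com` panel prefix are constructed placeholders; the `de.tierefd.cyou` / `api.tierefd.cyou` / `www.jrhdec.cyou` names are the ones the report lists.

```python
"""Hunt helpers built from the indicators in this report (added example, not project code)."""
import ipaddress
import re
from collections import defaultdict

CLUSTER = ipaddress.ip_network("118.107.43.0/24")
# Page titles seen on the operator panel and the victim lure (simplified and traditional forms).
TITLE_MARKERS = ("后台管理系统", "後台管理系統", "企业补贴")
# Gname's share-dns nameserver pool: a[1-9].share-dns.com / b[1-9].share-dns.net
NS_RE = re.compile(r"^[ab][1-9]\.share-dns\.(com|net)$", re.I)
API_PATH = "/api.php/index/config"
# Suffixes where these titles are expected (.gov.cn per the report; .corp.example is a constructed placeholder).
TRUSTED_SUFFIXES = (".gov.cn", ".corp.example")


def apex(host: str) -> str:
    """Registrable apex for the two-level names used in this cluster (no public-suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def hunt_log(text: str):
    """Scan records 'ts<TAB>src<TAB>kind<TAB>host<TAB>ip<TAB>path<TAB>title'; return (line, src, host, reasons)."""
    findings = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        _ts, src, kind, host, ip, path, title = line.split("\t")
        reasons = []
        try:
            if ip != "-" and ipaddress.ip_address(ip) in CLUSTER:
                reasons.append("cluster-ip")
        except ValueError:  # malformed address field: treat as not in the cluster
            pass
        if kind == "dns" and NS_RE.match(host):
            reasons.append("share-dns-nameserver")
        if path == API_PATH:
            reasons.append("api-path")
        if any(m in title for m in TITLE_MARKERS) and not host.endswith(TRUSTED_SUFFIXES):
            reasons.append("title-marker")
        if reasons:
            findings.append((n, src, host, reasons))
    return findings


def three_tier_apexes(ct_names):
    """Group CT names by apex; return apexes that expose www., api. and at least one other prefix."""
    prefixes = defaultdict(set)
    for name in ct_names:
        labels = name.lower().split(".")
        if len(labels) == 3:
            prefixes[apex(name)].add(labels[0])
    flagged = {}
    for ap, pre in prefixes.items():
        extra = pre - {"www", "api"}
        if {"www", "api"} <= pre and extra:
            flagged[ap] = sorted(extra)
    return flagged


def cross_cert_siblings(subject: str, sans):
    """Apexes in a certificate's SAN list that differ from the subject's apex (cross-cert discovery)."""
    own = apex(subject)
    return sorted({apex(s) for s in sans if apex(s) != own})


# Constructed sample log (not from the report): src, kind, host, ip, path, title.
SAMPLE_LOG = "\n".join([
    "2025-07-20T10:01:02Z\t10.0.0.12\thttp\twww.uierot.com\t118.107.43.65\t/\t企业补贴",
    "2025-07-20T10:01:05Z\t10.0.0.12\thttp\tapi.uierot.com\t118.107.43.65\t/api.php/index/config\t-",
    "2025-07-21T08:00:00Z\t10.0.0.20\thttp\tportal.corp.example\t10.0.0.5\t/admin\t后台管理系统",
    "2025-07-22T09:30:00Z\t10.0.0.31\tdns\ta1.share-dns.com\t-\t-\t-",
    "2025-07-22T11:00:00Z\t10.0.0.40\thttp\twww.example.com\t93.184.216.34\t/\tExample Domain",
])

# Constructed CT name set: tierefd.cyou matches the reported layout; x7. is a made-up panel prefix.
SAMPLE_CT = [
    "www.tierefd.cyou", "api.tierefd.cyou", "de.tierefd.cyou",
    "www.uierot.com", "api.uierot.com", "x7.uierot.com",
    "www.example.com", "api.example.com",   # no random-prefix panel: not flagged
    "mail.example.org",                     # single prefix: not flagged
]

if __name__ == "__main__":
    for finding in hunt_log(SAMPLE_LOG):
        print(finding)
    print(three_tier_apexes(SAMPLE_CT))
    print(cross_cert_siblings("a1y.diferd.cyou", ["a1y.diferd.cyou", "www.jrhdec.cyou"]))
```

The intranet record carrying 后台管理系统 is deliberately left unflagged because it sits under a trusted suffix, which is the "non-enterprise domain" qualifier in the title hunt; drop `.corp.example` from `TRUSTED_SUFFIXES` and it is reported too. The three-tier grouping is the same check a CT monitor would run on new crt.sh entries, so a fresh apex that immediately shows www., api. and a random prefix under a Let's Encrypt issuer is worth a closer look even before any title is captured.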
Disclosure
- CTG Server Ltd abuse: cs.mail@ctgserver.com
- RACKIP Consultancy: abuse@rackip.com
- Gname.com abuse: complaint@gname.com (primary registrar for the 22 scam domains + coredao.net)
- APNIC: for abuse of the assigned 118.107.40.0/21 address space
- Core DAO project: for the coredao.net impersonation (the legitimate project is at coredao.org)
- CNCERT/CC: primary-victim-side notification for the Chinese subsidy-fraud targets
Chinese organizations (or any organization with Chinese-speaking employees) should search proxy/firewall/email logs for connections to the 118.107.43.0/24 range, especially during the July–August 2025 window when the domain rotation was at peak, and audit for any employees who may have engaged with 企业补贴 (Enterprise Subsidies) themed content.
GHOST — Breakglass Intelligence "One indicator. Total infrastructure."