Severity: High | Phishing

GoldFX: One APK Hash, Five Domains, and a Chinese Crypto Fraud Operation Running on Alibaba Cloud

Published: March 12, 2026
Tags: phishing, social-engineering, c2, apt

TL;DR: A single Android APK hash on MalwareBazaar -- a WebView trojan disguised as a crypto trading app called "GOLDFX" -- led to the discovery of a 5-domain Chinese-operated investment fraud operation with live infrastructure, parallel redundant platforms, and dual Android/iOS targeting. All five domains were registered on the same day (January 31, 2026) through the same registrar (Gname.com), share the same Cloudflare nameserver pair, and back into the same RuoYi v3.8.5 admin framework. The operator left a trail of attribution artifacts: the developer namespace com.bobo.test leaked from a test build, Chinese-language comments embedded throughout the JavaScript, a build timestamp baked into the APK certificate, Ximalaya (Chinese audio platform) SDK references, and assets stored on Alibaba Cloud OSS in Singapore. The APK has a 15.8% antivirus detection rate and the entire operation -- including the live APK download endpoint at gfdluni[.]top/app.apk -- remains fully operational as of March 11, 2026. This is a textbook pig butchering operation: social engineering on messaging apps, a convincing fake trading interface, and infrastructure designed to steal deposits while collecting victim location data and device fingerprints.


From a Hash to a Fraud Network in One Pivot

Most crypto fraud operations are discovered through victim reports or ad fraud detection. This one started with a hash.

On March 10, 2026, a researcher named "jitesh" from India uploaded an Android APK to MalwareBazaar. It was tagged as a trojan and dropper, with a paltry 12 out of 76 antivirus detections. The file was 5.1MB, packaged under com.nuiy.uuxe, and called itself "GOLDFX" -- a name that screams fake investment platform.

The APK itself was a WebView wrapper -- essentially a thin Android shell that loads a web-based trading platform. That is not unusual for scam apps. What was unusual was how much the operator left exposed. Pulling the thread from the APK's hardcoded URL (gfxuni[.]top) led to the discovery of five domains, ten subdomains, parallel redundant platforms, an unauthenticated configuration API, a Chinese admin framework with the CAPTCHA disabled, and an Alibaba Cloud storage bucket named "lbma" -- likely a nod to the London Bullion Market Association, because even fraud operators have aspirations.

What Was Found vs. What Was Known

| Aspect | Prior Reporting | Our Findings |
|---|---|---|
| Infrastructure | 1 sample on MalwareBazaar, no C2 analysis | 5 domains, 10+ subdomains, Alibaba Cloud storage |
| C2 Domains | Unknown | gfxuni[.]top -> goldfxbb[.]com + goldfxee[.]com (parallel platforms) |
| Download Infrastructure | Unknown | gfdluni[.]top actively serving APK + iOS mobileconfig |
| Backend Technology | Unknown | RuoYi v3.8.5 (Chinese admin framework), Spring Boot/Java API |
| Platform Capabilities | Tagged "trojan" + "dropper" | Full fake trading platform: deposit, withdraw, copy-trade, IEO, NFT |
| Attribution Indicators | None | Developer namespace "com.bobo.test", Chinese-language comments, Alibaba Cloud |
| iOS Targeting | Unknown | Signed mobileconfig Web Clip targeting iOS users |
| Detection Rate | 12/76 (15.8%) | Confirmed low detection -- most AV engines do not flag it |

The Attack Chain: From WhatsApp to Wallet Drain

[1. Victim Discovery]
    Social engineering via messaging apps (WeChat, WhatsApp, Telegram)
    Romance scam / crypto investment group / "insider tips"
         |
         v
[2. Distribution Gateway]
    gfxuni[.]top -- landing page with Chinese text
    JavaScript detects mobile UA, redirects to /1.html
    WeChat browser detection (micromessenger check)
         |
         v
[3. App Download]  (gfdluni[.]top)
    Android: /app.apk  --> WebView trojan (5.1MB)
    iOS: /app.mobileconfig --> Signed Web Clip profile
         |
         v
[4. Fake Trading Platform]
    h5.goldfxbb[.]com (victim-facing frontend)
    webapi.goldfxbb[.]com (Spring Boot API backend)
    Fake market data, deposit/withdrawal, copy trading, IEO
    GPS location tracking, device fingerprinting
         |
         v
[5. Operator Control Panel]
    bitadmin.goldfxbb[.]com (admin dashboard)
    adminapi.goldfxbb[.]com (RuoYi v3.8.5, CAPTCHA disabled)
    Manages victim accounts, controls fake market prices
         |
         v
[6. Redundant Backup]
    goldfxee[.]com mirrors entire goldfxbb[.]com structure
    Same subdomains: h5, webapi, adminapi, bitadmin
    Instant failover if primary gets taken down

The operation targets both Android and iOS users. Android victims get a full WebView trojan APK that wraps the trading platform. iOS victims receive a signed .mobileconfig profile that installs a Web Clip -- essentially a home screen shortcut that looks and behaves like a native app but loads the web platform. Both paths funnel victims into the same fake trading interface.

The landing page at gfxuni[.]top includes a check for the WeChat browser user agent string (micromessenger), which tells us that at least some victim traffic is expected to arrive via WeChat links -- a common distribution vector for pig butchering operations targeting Chinese-speaking victims and the broader Southeast Asian diaspora.

Infrastructure: Five Domains, One Operator, Zero Doubt

All five domains share a registration pattern that makes unified ownership trivially provable.

| Domain | IPs (Cloudflare) | Registrar | Created | NS Pair | Purpose |
|---|---|---|---|---|---|
| gfxuni[.]top | 104.21.31.84, 172.67.175.127 | Gname.com | 2026-01-31 | demi/george | Distribution gateway |
| goldfxbb[.]com | 172.67.185.5, 104.21.84.21 | Gname.com | 2026-01-31 | demi/george | Primary platform |
| goldfxee[.]com | 172.67.128.210, 104.21.2.60 | Gname.com | 2026-01-31 | demi/george | Backup platform |
| gfdluni[.]top | 104.21.33.242, 172.67.193.251 | Gname.com | 2026-01-31 | demi/george | APK/config download |
| igmails[.]vip | N/A | Unknown | Unknown | nitin/sandra | Complaint email domain |

Same registrar. Same registration date. Same Cloudflare nameserver pair (demi.ns.cloudflare.com / george.ns.cloudflare.com). A shared NS pair means a shared Cloudflare account, which means a single operator controlling all four primary domains. The fifth domain (igmails[.]vip) is used for the "complaint email" address displayed on the platform -- a touch of legitimacy theater.
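The pivot described above is mechanical enough to script. The following is an added example (not code from the report or from the operator) that clusters domains on the registrar, creation date and sorted nameserver pair; the values come from the infrastructure table above, the DomainRecord shape is a constructed summary rather than any real tool's output, and the expansion of "nitin/sandra" to full *.ns.cloudflare.com names is an assumption.

```python
"""Cluster domains on shared registration metadata.

Added example (not code from the report or from the operator). The
registrar, creation date and nameserver values are the ones in the
report's infrastructure table; the DomainRecord shape is a constructed
summary of WHOIS/DNS output, not the format of any real tool.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRecord:
    domain: str        # kept defanged, as in the report
    registrar: str     # "Unknown" when WHOIS is redacted
    created: str       # ISO date, or "Unknown"
    nameservers: tuple # authoritative NS names for the zone


# Values from the report's table. The igmails[.]vip pair is given there only
# as "nitin/sandra"; expanding it to *.ns.cloudflare.com is an assumption.
RECORDS = [
    DomainRecord("gfxuni[.]top", "Gname.com", "2026-01-31",
                 ("demi.ns.cloudflare.com", "george.ns.cloudflare.com")),
    DomainRecord("goldfxbb[.]com", "Gname.com", "2026-01-31",
                 ("demi.ns.cloudflare.com", "george.ns.cloudflare.com")),
    # Listed in the other order on purpose: the key sorts the pair.
    DomainRecord("goldfxee[.]com", "Gname.com", "2026-01-31",
                 ("george.ns.cloudflare.com", "demi.ns.cloudflare.com")),
    DomainRecord("gfdluni[.]top", "Gname.com", "2026-01-31",
                 ("demi.ns.cloudflare.com", "george.ns.cloudflare.com")),
    DomainRecord("igmails[.]vip", "Unknown", "Unknown",
                 ("nitin.ns.cloudflare.com", "sandra.ns.cloudflare.com")),
]

ALL_FEATURES = ("registrar", "created", "nameservers")


def pivot_key(rec, features=ALL_FEATURES):
    """Build the grouping key from the selected features.

    Nameservers are sorted so the order WHOIS happens to list them in
    does not split one Cloudflare account into two groups.
    """
    key = []
    for f in features:
        value = getattr(rec, f)
        key.append(tuple(sorted(value)) if f == "nameservers" else value)
    return tuple(key)


def cluster(records, features=ALL_FEATURES):
    """Group domains that agree on every selected feature.

    With all three features this reproduces the report's pivot. With
    features=("nameservers",) it still works when WHOIS is redacted, but
    Cloudflare hands the same NS pair to many accounts, so a shared pair
    alone is a strong lead rather than proof of one operator; agreement
    on registrar and date is what makes the cluster convincing.
    """
    groups = defaultdict(list)
    for rec in records:
        groups[pivot_key(rec, features)].append(rec.domain)
    return dict(groups)


def largest_cluster(records, features=ALL_FEATURES):
    """Domains in the biggest group, i.e. the most likely single operator."""
    return max(cluster(records, features).values(), key=len)


if __name__ == "__main__":
    for key, domains in cluster(RECORDS).items():
        print(key, "->", domains)
```

Run as-is it prints two groups: the four Gname.com/2026-01-31/demi-george domains together, and igmails[.]vip on its own. Dropping to `features=("nameservers",)` is the fallback for redacted WHOIS.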

Behind Cloudflare, the backend runs Java/Spring Boot for the API layer (confirmed by Java stack traces in 500 error responses -- always test your error handling, folks) and RuoYi v3.8.5 for the admin interface. RuoYi is a Chinese open-source admin framework built on Spring Boot, and every error message it produces is in Chinese. It is the equivalent of finding a WordPress installation with Chinese language packs -- not definitive attribution by itself, but a strong signal when combined with everything else.

Cloudflare (CDN/WAF)
  |
  +-- demi.ns.cloudflare.com / george.ns.cloudflare.com
  |   (shared NS pair = single Cloudflare account)
  |
  +-- gfxuni[.]top (distribution gateway)
  +-- goldfxbb[.]com (primary trading platform)
  +-- goldfxee[.]com (backup trading platform)
  +-- gfdluni[.]top (APK/mobileconfig download)
  |
  +-- Origin Server(s) -- unknown, behind Cloudflare
      +-- Java/Spring Boot (webapi -- 500 errors with Java traces)
      +-- RuoYi v3.8.5 (adminapi -- Chinese admin framework)
      +-- Vue.js SPA (h5 frontend, bitadmin panel)
      |
      +-- Alibaba Cloud OSS (Singapore) -- asset storage
          Bucket: lbma.oss-ap-southeast-1.aliyuncs.com

The APK: A Trojan That Tracks Your GPS

| Property | Value |
|---|---|
| SHA-256 | 31b0624d16882eec282adc3817b18e4c8b3c80a9dbaa82e057a902cf7a27732b |
| MD5 | 1ff84128a336abc72a3c2944608dd952 |
| Package | com.nuiy.uuxe |
| App Name | GOLDFX |
| Version | 6.0 |
| Min SDK | 23 (Android 6.0) |
| Target SDK | 32 (Android 12L) |
| Build Tools | Kotlin 1.8.20, Gradle 7.2 |
| VT Detection | 12/76 (15.8%) |

The APK is more than a simple WebView wrapper. The application architecture includes:

  • H5Activity: Full-screen WebView that loads https://gfxuni[.]top on launch
  • JSBridge Framework (com.smallbuer.jsbridge): Two-way bridge enabling the web frontend to invoke native Android capabilities -- this is how the web app can request GPS coordinates and device info
  • LocationUtil with MyLocationListener: Custom GPS tracking implementation that collects victim coordinates
  • OkHttpHelper.initTrustManager: Custom TrustManager that disables SSL certificate validation -- the app will trust any certificate, making it trivial for the operator to intercept and modify traffic
  • NetworkStateReceiver: Monitors network changes, likely to detect when the victim switches networks
  • HistoryDatabase (com.bobo.db.HistoryDatabase): Room database that stores browsing history using the developer's leaked test namespace

The SSL bypass is particularly concerning. With certificate validation disabled, all victim traffic -- including login credentials and financial information -- flows through connections that an intermediary could intercept without triggering any security warnings in the app.
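The traits listed above (trust-all TrustManager, JS bridge, GPS listener, leaked test namespace) are the kind of thing a first-pass scan over decompiled source can surface before anyone reads the classes by hand. The following is an added example, not code from the report; `SAMPLE_SOURCE` is a constructed Java snippet written to resemble what the report describes, not code recovered from the sample, and the regexes are a triage filter, not a verdict.

```python
"""Heuristic triage of decompiled Android source for the traits the
report describes in the GoldFX APK.

Added example, not from the report. SAMPLE_SOURCE is a constructed Java
snippet written to resemble what the report describes (trust-all
TrustManager, JS bridge, GPS listener, leaked test namespace); it is not
code recovered from the sample. The regexes pick classes that deserve a
manual read; they do not prove anything on their own.
"""
import re

# Each check: compiled regex and why a hit matters.
CHECKS = {
    "trust_all_trustmanager": (
        # checkServerTrusted with an empty body accepts any server cert.
        re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}"),
        "TLS certificate validation disabled",
    ),
    "permissive_hostname_verifier": (
        re.compile(r"boolean\s+verify\s*\([^)]*\)[^{]*\{\s*return\s+true\s*;\s*\}"),
        "hostname verification disabled",
    ),
    "js_bridge": (
        re.compile(r"addJavascriptInterface|@JavascriptInterface|WebViewJavascriptBridge"),
        "web content can call native code",
    ),
    "location_collection": (
        re.compile(r"LocationListener|onLocationChanged|requestLocationUpdates"),
        "collects device GPS position",
    ),
    "test_namespace_leak": (
        re.compile(r"\bcom\.[a-z0-9_]+\.test\b"),
        "developer test package left in a production build",
    ),
}


def triage(source):
    """Return {check_name: first line of the matched text, or None}."""
    results = {}
    for name, (pattern, _why) in CHECKS.items():
        m = pattern.search(source)
        results[name] = m.group(0).split("\n")[0] if m else None
    return results


def explain(results):
    """Human-readable reasons for each positive hit, in CHECKS order."""
    return [CHECKS[name][1] for name, hit in results.items() if hit]


# Constructed stand-in for decompiled output (not the real sample's code).
SAMPLE_SOURCE = """
package com.bobo.test;
public class OkHttpHelper {
    static TrustManager[] initTrustManager() {
        return new TrustManager[] { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a)
                throws CertificateException { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
    }
}
class LocationUtil implements LocationListener {
    public void onLocationChanged(Location l) { bridge.callHandler("loc", l); }
}
class H5Activity { void init() { web.addJavascriptInterface(new Bridge(), "android"); } }
"""

# A snippet that does TLS the normal way, to show the checks stay quiet.
BENIGN_SOURCE = """
package com.example.app;
class Net { OkHttpClient c = new OkHttpClient.Builder().build(); }
"""

if __name__ == "__main__":
    for reason in explain(triage(SAMPLE_SOURCE)):
        print("[!]", reason)
```

Point it at the output of a decompiler (one file per class, or the concatenation) and read the flagged classes first; an empty `checkServerTrusted` is the single highest-value hit, because it is what turns every other network behaviour into interceptable traffic.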

Developer Fingerprints: "Bobo" Left the Lights On

| Artifact | Value | Significance |
|---|---|---|
| Developer namespace | com.bobo.test | Leaked test package name -- "bobo" is Chinese slang/nickname |
| Cert timestamp | 1769868794059 (ms) | Embedded in O and OU fields = 2026-01-31T14:13:14Z |
| Cert CN | qymi | Possibly initials or alias |
| Build tools | Kotlin 1.8.20, Gradle 7.2 | Android Studio 2023+ |
| Chinese comments | "dynamic refresh JS", "generate 4-digit random", "website under construction" | Native Chinese speaker |
| Adobe Photoshop | "Adobe Photoshop 2025 Macintosh" | Icon created on macOS |
| Ximalaya reference | XimalayaKotlin | Chinese audio platform SDK |

The com.bobo.test namespace is the most valuable attribution fingerprint. This is a developer test namespace that was never cleaned from the production build -- the Room database class com.bobo.db.HistoryDatabase still references it. "Bobo" is a common Chinese colloquial name or nickname, and its presence in a test namespace suggests a Chinese developer who builds and tests under their personal identifier.

The APK signing certificate contains a Unix timestamp (1769868794059 milliseconds) embedded in both the Organization and Organizational Unit fields, resolving to January 31, 2026, 14:13:14 UTC. Cross-referencing with the domain registration timeline, this means the APK was signed approximately three hours after the domains were registered -- the entire operation from domain purchase to APK deployment happened in a single afternoon.

The certificate itself has a 50-year validity window (2026 to 2076). Legitimate app certificates are typically valid for 25-30 years. Fifty-year validity is a common indicator of automated or malware-related certificate generation.
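The two certificate signals above (an epoch value hidden in the DN and an unusually long validity window) can be extracted automatically from whatever `apksigner verify --print-certs app.apk` or `keytool -printcert -jarfile app.apk` prints. The following is an added example, not code from the report: the CN/O/OU values are the ones the report lists (OU assumed equal to O, as the text says), the NOT_BEFORE/NOT_AFTER values are stand-ins built from the report's "2026 to 2076" window because exact validity dates are not on the page, and the 35-year threshold is a chosen heuristic.

```python
"""Turn the GoldFX signing certificate's odd DN fields into timeline facts.

Added example, not from the report. CN/O/OU values are the ones the report
lists; NOT_BEFORE/NOT_AFTER are stand-ins built from the report's
"2026 to 2076" window (exact validity dates are not on the page).
"""
import re
from datetime import date, datetime, timedelta, timezone

_EPOCH_RE = re.compile(r"(?<!\d)(\d{13}|\d{10})(?!\d)")   # ms or s since epoch
_PLAUSIBLE = (datetime(2008, 9, 1, tzinfo=timezone.utc),  # first Android release
              datetime(2040, 1, 1, tzinfo=timezone.utc))
LONG_VALIDITY_YEARS = 35   # heuristic threshold; tooling defaults are ~25-30 years


def embedded_timestamps(dn_fields):
    """Map field name -> UTC datetime for every DN field that embeds an epoch value."""
    found = {}
    for name, value in dn_fields.items():
        for m in _EPOCH_RE.finditer(value or ""):
            digits = m.group(1)
            raw = int(digits)
            # Split ms into whole seconds + remainder so no float rounding creeps in.
            secs, ms = (raw // 1000, raw % 1000) if len(digits) == 13 else (raw, 0)
            try:
                dt = datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(milliseconds=ms)
            except (OverflowError, OSError, ValueError):
                continue
            if _PLAUSIBLE[0] <= dt <= _PLAUSIBLE[1]:
                found[name] = dt
    return found


def validity_years(not_before, not_after):
    return (not_after - not_before).days / 365.25


def assess_cert(dn_fields, not_before, not_after, domain_created=None):
    """Combine the signals the report draws from the certificate."""
    stamps = embedded_timestamps(dn_fields)
    build_time = min(stamps.values()) if stamps else None
    years = validity_years(not_before, not_after)
    return {
        "build_time": build_time,
        "fields_with_timestamp": sorted(stamps),
        "validity_years": round(years, 1),
        "long_validity": years > LONG_VALIDITY_YEARS,
        # A build signed on the domains' registration day points at one
        # coordinated setup rather than a reused, older app.
        "same_day_as_registration": (
            build_time is not None and domain_created is not None
            and build_time.date() == domain_created
        ),
    }


# Values from the report's IOC block (OU assumed equal to O, as the text says).
GOLDFX_DN = {"CN": "qymi", "O": "qa1769868794059", "OU": "qa1769868794059"}
NOT_BEFORE = datetime(2026, 1, 31, 14, 13, 14, tzinfo=timezone.utc)   # stand-in
NOT_AFTER = datetime(2076, 1, 31, 14, 13, 14, tzinfo=timezone.utc)    # stand-in

if __name__ == "__main__":
    report = assess_cert(GOLDFX_DN, NOT_BEFORE, NOT_AFTER, domain_created=date(2026, 1, 31))
    for k, v in report.items():
        print(f"{k}: {v}")
```

The plausibility window matters: any 10- or 13-digit run in a DN (serial-like strings, phone numbers) decodes to *some* date, and the window is what separates a deliberate build stamp from a coincidence.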

Nine Indicators of Chinese Origin

  1. RuoYi v3.8.5 framework: Chinese open-source admin framework, all error messages in Chinese
  2. Chinese UI text: Landing page includes "website under construction" and "complaint email" in Chinese
  3. Developer namespace: "com.bobo.test" -- "bobo" is a common Chinese nickname
  4. Ximalaya SDK: Reference to the Chinese audio platform in the APK
  5. JavaScript comments: "dynamic refresh JS", "generate 4-digit random number" -- in Chinese
  6. Alibaba Cloud: OSS bucket in Singapore -- the standard deployment region for Chinese operations targeting Southeast Asia
  7. Gname.com registrar: Singapore-based registrar popular with Chinese operators
  8. OSS bucket name: "lbma" (London Bullion Market Association) -- gold/forex theme consistent with Chinese investment scam patterns
  9. WeChat detection: Landing page checks for the micromessenger user agent -- targeting WeChat users

No single artifact would be sufficient. Nine independent indicators across code, infrastructure, and content create HIGH confidence in Chinese origin.

OPSEC Failures

The operator made at least seven distinct operational security mistakes:

  1. Developer test namespace com.bobo.test left in the production binary
  2. APK certificate contains plaintext Unix timestamp of the build time
  3. Site config endpoint (/api/common/getSiteConfig) returns the full infrastructure map without authentication
  4. CAPTCHA disabled on the admin login panel
  5. RuoYi version string exposed on the root endpoint
  6. Chinese language artifacts throughout (comments, error messages, UI text)
  7. Adobe Photoshop macOS metadata in the mobileconfig icon

The unauthenticated config endpoint is particularly egregious. Hitting webapi[.]goldfxbb[.]com/api/common/getSiteConfig returns a JSON response that maps out the entire platform infrastructure -- domain relationships, feature flags, and configuration details -- without requiring any authentication. It is the operational equivalent of taping your network diagram to the front door.

MITRE ATT&CK Mapping

| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Initial Access | Phishing | T1660 | Social engineering via messaging apps |
| Execution | Native API | T1575 | JSBridge native code execution |
| Persistence | Web Clip | T1398 | iOS mobileconfig installation |
| Defense Evasion | Masquerading | T1655.001 | Disguised as legitimate trading app |
| Defense Evasion | Code Signing Policy Modification | T1632 | Custom TrustManager bypasses SSL validation |
| Credential Access | Clipboard Data | T1414 | Clipboard monitoring via WebView |
| Discovery | System Information Discovery | T1426 | Device info collection (CPU, memory, IMEI) |
| Discovery | System Network Configuration | T1422 | Network state monitoring, MCC query |
| Collection | Location Tracking | T1430 | GPS coordinate collection via LocationUtil |
| Command and Control | Web Protocols | T1437.001 | HTTPS communication via OkHttp |
| Impact | Financial Theft | T1657 | Fake trading platform steals deposits |

Indicators of Compromise

File Indicators

# GoldFX APK
SHA256: 31b0624d16882eec282adc3817b18e4c8b3c80a9dbaa82e057a902cf7a27732b
MD5:    1ff84128a336abc72a3c2944608dd952
SHA1:   39d8cd558c8ed1e2fb17efdf627663f728f3a77f

# APK Signing Certificate
SHA256 Thumbprint: 430516c18afa0c9b8c90c90609aa5dd2833e878cbff4fe5791234917011afa0b
Serial: 0x74658c3
CN: qymi
O: qa1769868794059

Network Indicators

# Distribution Domains (defanged)
gfxuni[.]top                     (distribution gateway)
goldfxbb[.]com                   (primary platform)
goldfxee[.]com                   (backup platform)
gfdluni[.]top                    (APK/mobileconfig download)
igmails[.]vip                    (complaint email domain)

# Subdomains (defanged)
h5[.]goldfxbb[.]com              (victim trading frontend)
webapi[.]goldfxbb[.]com          (backend API)
adminapi[.]goldfxbb[.]com        (RuoYi admin API)
bitadmin[.]goldfxbb[.]com        (admin panel)
h5[.]goldfxee[.]com              (backup trading frontend)
webapi[.]goldfxee[.]com          (backup API)
adminapi[.]goldfxee[.]com        (backup admin API)
bitadmin[.]goldfxee[.]com        (backup admin panel)

# Cloud Storage (defanged)
lbma.oss-ap-southeast-1.aliyuncs[.]com    (Alibaba Cloud OSS)

# Live Download URLs (defanged)
hxxps://gfdluni[.]top/app.apk
hxxps://gfdluni[.]top/app.mobileconfig
hxxps://webapi[.]goldfxbb[.]com/api/common/getSiteConfig

# Operator Contact
support@igmails[.]vip

Behavioral Indicators

# Android Package
com.nuiy.uuxe                    (package name)
com.bobo.test                    (developer namespace)
com.nuiy.uuxe.H5Activity         (main activity)
com.bobo.db.HistoryDatabase       (Room database)
WebViewJavascriptBridge           (JSBridge framework)

# App Behavior
SSL certificate validation bypass
GPS location collection
Clipboard monitoring
Network state monitoring
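The network indicators above are defanged, so they need refanging before they can be loaded into a resolver or proxy blocklist, and because the operator runs a mirrored subdomain set, matching on the registrable zone catches subdomains this report did not enumerate. The following is an added example, not part of the report: the indicator list is copied from the IOC block above, while the log lines are constructed for the demo and come from no real environment.

```python
"""Refang the report's defanged indicators and sweep sample logs for them.

Added example, not part of the report. The indicator list is copied from
the report's IOC block; the log lines are constructed for the demo.
"""
import re

DEFANGED_IOCS = """
gfxuni[.]top
goldfxbb[.]com
goldfxee[.]com
gfdluni[.]top
igmails[.]vip
h5[.]goldfxbb[.]com
webapi[.]goldfxbb[.]com
adminapi[.]goldfxbb[.]com
bitadmin[.]goldfxbb[.]com
lbma.oss-ap-southeast-1.aliyuncs[.]com
hxxps://gfdluni[.]top/app.apk
hxxps://gfdluni[.]top/app.mobileconfig
support@igmails[.]vip
"""


def refang(indicator):
    """Undo the common defanging conventions: [.] / (.) and hxxp(s)."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)


def hostname_of(indicator):
    """Reduce a URL, e-mail address or bare domain to its hostname."""
    s = re.sub(r"^https?://", "", refang(indicator), flags=re.I)
    s = s.split("/", 1)[0]
    if "@" in s:
        s = s.rsplit("@", 1)[1]
    return s.lower().rstrip(".")


def build_blocklist(defanged_text):
    return {hostname_of(line) for line in defanged_text.splitlines() if line.strip()}


def is_blocked(host, blocklist):
    """Return the blocklist entry covering host (exact or parent zone), else None.

    Walking the label chain rather than doing a substring test means
    api.goldfxee.com hits via goldfxee.com, while notgoldfxbb.com does not.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


# Hostnames in typical resolver (query=) and proxy (URL) log formats.
_HOST_RE = re.compile(r"(?:query=|host=|https?://)([A-Za-z0-9.-]+)", re.I)


def sweep(log_lines, blocklist):
    """Return (line_number, host, matched_entry) for every hit."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for host in _HOST_RE.findall(line):
            entry = is_blocked(host, blocklist)
            if entry:
                hits.append((n, host.lower(), entry))
    return hits


# Constructed log lines for the demo (not real traffic).
SAMPLE_LOGS = [
    "2026-03-11T09:12:03Z resolver client=10.0.0.5 query=h5.goldfxbb.com type=A",
    "2026-03-11T09:12:07Z proxy client=10.0.0.5 GET https://cdn.example.net/lib.js 200",
    "2026-03-11T09:13:41Z resolver client=10.0.0.9 query=api.goldfxee.com type=A",
    "2026-03-11T09:14:02Z proxy client=10.0.0.9 GET https://gfdluni.top/app.apk 200",
    "2026-03-11T09:15:00Z resolver client=10.0.0.5 query=notgoldfxbb.com type=A",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS, build_blocklist(DEFANGED_IOCS)):
        print(hit)
```

A hit on the `app.apk` download URL from a client that then resolves `h5.` or `webapi.` hosts is the sequence to page on: it is a device that fetched the trojan and is now using the platform, not one that merely saw a link.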

Recommended Actions

Immediate (24-48 hours)

  • Block all identified domains and IPs at the network perimeter
  • Check enterprise MDM for devices with package com.nuiy.uuxe installed
  • Report domains to Cloudflare abuse (phishing/fraud classification)
  • Alert any users who may have visited Booking.com-adjacent investment platforms

Short-term (1-2 weeks)

  • Submit IOCs to ThreatFox and URLhaus
  • Report to Gname.com registrar for domain suspension
  • Alert relevant CERTs (IN-CERT, SG-CERT) given targeting indicators
  • Search for related samples on MalwareBazaar using the TLSH fuzzy hash
  • Monitor crt.sh for new certificate issuances on these domains

Medium-term (1-3 months)

  • Track "com.bobo" namespace across app repositories and MalwareBazaar for related samples
  • Monitor Alibaba Cloud OSS bucket for changes
  • Watch for domain rotation -- these operators will re-register under new names
  • Coordinate with law enforcement on financial fraud investigation
  • Report to Alibaba Cloud for hosting abuse (OSS bucket lbma in ap-southeast-1)

Published by Breakglass Intelligence. Investigation conducted 2026-03-11. 1 APK hash. 5 domains. 9 Chinese-origin indicators. 1 developer who forgot to rename their test namespace. Classification: TLP:CLEAR
