
Silver Fox Registered Their Banking Trojan Panels Under a Real Name: The 罗泉 / ylfwq002@gmail.com OPSEC Burn

Published April 9, 2026


TL;DR

While pivoting on the Silver Fox / APT-Q-27 infrastructure documented in yesterday's ValleyRAT Telegram lang-pack post, we followed one of the related C2 nodes (47.86.49.173 on Alibaba Cloud Hong Kong) into its passive-DNS history and then into its registrar records. Twelve .cn domains on that cluster are registered, without privacy protection, to a single human:

Registrant name:   罗泉 (Luo Quan)
Registrant email:  ylfwq002@gmail.com
Registrar:         Web Commerce Communications Limited (Gname.com)

The twelve domains read like a product catalog for the operator's side of a banking-trojan operation. They're provisioned in numbered batches:

jackadmin1.cn  jackadmin2.cn  jackadmin3.cn  jackadmin4.cn  jackadmin5.cn
jackbank1.cn   jackbank2.cn   jackbank3.cn   jackbank4.cn   jackbank5.cn
trnebaiek.cn   eijmdixci.cn

Two suggestive names — jackadmin reads like a C2 admin panel hostname, jackbank reads like a banking trojan overlay / fraud panel hostname — repeated five times each as a pre-provisioned batch for when the previous set gets burned. Plus two random-string C2 domains (trnebaiek.cn, eijmdixci.cn) on the same registrant for good measure.

Direct human attribution to a Silver Fox operator is rare in the public record. The actor's standard OPSEC posture is Gname.com bulk registration under privacy proxies, random-string domain names, numbered batches, and rapid rotation. For twelve operationally-named domains to all land on the same registrant email without privacy — and for that email to be a personal gmail.com address rather than a burner — is an operator OPSEC failure of the kind that normally gets scrubbed before the first phishing sample ever leaves the author's workstation.

What this report adds to the public record:

  • Full WHOIS attribution chain tying jackadmin1-5.cn + jackbank1-5.cn + trnebaiek.cn + eijmdixci.cn to 罗泉 (Luo Quan) / ylfwq002@gmail.com
  • Confirmation that the 360news1-11.icu cluster on Alibaba Cloud HK (7+ IPs across 47.86.0.0/16 / 47.242.0.0/16 / 47.57.0.0/16 / 47.239.0.0/16) shares infrastructure with the jackadmin / jackbank panels — binding the panel operator to the broader Silver Fox distribution network
  • A published timeline showing the operator has been running on this namespace continuously since March 2025, and that yesterday's ValleyRAT ZPAQ sample (2cb56149…) is bound to this same infrastructure cluster

If you've already published reporting on ylfwq002@gmail.com, 罗泉, jackadmin.cn / jackbank.cn, or the 360news*.icu cluster, please reply or DM — we'll update and credit.


The Registrant

Name:                 罗泉 (Luo Quan)
Email:                ylfwq002@gmail.com
Registrar:            Web Commerce Communications Limited (Gname.com)
Registration window:  2025-03-09 → 2025-03-28
Expiry:               2027-03-09 / 2027-03-28 (two-year prepay)

Twelve domains, all registered inside a three-week burst in March 2025, all prepaid for two years. That provisioning shape — batch registration, two-year prepay — is what infrastructure-prep-ahead-of-campaign looks like when the operator doesn't expect to be moved off quickly.

The Twelve Domains

The operator-branded eight

Domain         Suggested role
jackadmin1.cn  C2 admin panel (first in rotation)
jackadmin2.cn  C2 admin panel (hot spare)
jackadmin3.cn  C2 admin panel (hot spare)
jackadmin4.cn  C2 admin panel (hot spare)
jackadmin5.cn  C2 admin panel (confirmed active on 47.57.10.173 subdomain range)
jackbank1.cn   Banking trojan overlay / fraud panel
jackbank2.cn   Banking trojan overlay / fraud panel
jackbank3.cn   Banking trojan overlay / fraud panel
jackbank4.cn   Banking trojan overlay / fraud panel
jackbank5.cn   Banking trojan overlay / fraud panel (confirmed active on 47.57.10.173 subdomain range)

jackadmin5.cn and jackbank5.cn are the two that have visible subdomain trees — 47.57.10.173 (Alibaba Cloud HK) hosts jackadmin5.cn subdomains 1 through 10 and jackbank5.cn subdomains a1–a4 + 1–2 alongside 22 additional domains including old e-commerce properties (yzoshop, hdls888, xiaoyazi666). The 47.57.10.173 box has a multi-year e-commerce hosting history that predates the malware era — same operator, long-term tenant, infrastructure cycling between cover roles and active operations.

The two random-string companions

trnebaiek.cn and eijmdixci.cn are the classic Silver Fox random-string C2 domain shape — same registrar, same registrant, same week in March 2025. The reason they matter is that they anchor the rest of the cluster to the documented Silver Fox tradecraft. When you see a known-good random-string Silver Fox C2 domain sitting at the same registrant email as a jackadmin panel, the panel's Silver Fox membership is no longer an inference.

The Hosting Cluster

All twelve of Luo Quan's domains — plus the 360news*.icu Qihoo 360 impersonation cluster, plus the qqmusic2-5.com QQ Music typosquats — live on a seven-IP Alibaba Cloud Hong Kong footprint:

IP              Role               Hosted content
47.86.49.173    C2 node            360news7.icu, 360news8.icu, qqmusic4.com, eijmdixci.cn, job3.trnebaiek.cn
47.242.113.81   C2 node            360news1.icu, 360news3.icu, 360news5.icu
47.57.10.173    C2 + admin panels  360news4.icu, jackadmin5.cn.*, jackbank5.cn.*, + 22 historical e-commerce domains
47.86.53.59     C2 node            360news6.icu
47.239.165.230  C2 node            360news11.icu
8.217.201.7     C2 node            qqmusic2.com
95.173.197.195  Distribution hub   288 SEO-poisoning domains (see below)

Every IP in that list, with the exception of 95.173.197.195, is Alibaba Cloud Hong Kong (AS45102). The actor picked one cloud provider, one region, one registrar, and one personal Gmail account for the entire setup.

What's on 47.86.49.173 right now

At the time of our scan (2026-04-08), the target IP was alive but heavily firewalled. All common ports are filtered; 80/443/3389 are explicitly closed (RST). The ValleyRAT high ports (22011/22012/1080/8852/5040) are all filtered. But DNS records for 360news7.icu and 360news8.icu still actively resolve to this IP — the operator has either decommissioned the listener while keeping the DNS in place, moved to IP-allowlisted access, or shifted their C2 ports without updating DNS.

What's on 95.173.197.195

The 288-domain megacluster deserves its own paragraph. It's a single-IP SEO poisoning distribution hub running multiple thematic clusters:

Cluster              Pattern                  Approx count  Purpose
ydbao                ydbao1-56.cyou           56            Unknown brand impersonation
xiazaizhadia         xiazaizhadia1-60.cyou    60            "下载站的" (download site) generic lure
guwaanzh             guwaanzh1-40.cyou        40            "官网zh" (official website zh) fake official sites
anzhxixz             anzhxixz1-25.{cyou,icu}  40            "安装下载" (install download) lures
Software typosquats  [brand]-www.cyou         80+           Per-brand impersonation

The software typosquat subcluster is the one worth staring at. The actor is impersonating a who's-who of desktop software across categories — and is brazen enough to typosquat the antivirus vendors whose products will be the first thing a victim disables after infection:

Category        Impersonated brands (partial)
AI tooling      DeepSeek
Collaboration   Microsoft Teams
Remote access   AnyDesk, ToDesk
Browsers        Firefox, Edge, 360 Browser
Messaging       Telegram (via telegrtam.com.cn), Signal, Line, Zalo, KakaoTalk, Potato
Gaming          Steam
Music           QQ Music, Kugou, 163 Music
Streaming       iQiyi, Huya
Input methods   Sogou
Photo / social  Meitu, Xiaohongshu
Translation     Youdao, DeepL
Security        Huorong (火绒) antivirus, Ludashi
Other           Baofeng, Bandicam, BitBrowser

Impersonating Huorong antivirus is the most cynical entry on the list — it specifically targets users who are actively trying to install a security product and funnels them into malware instead. Kakaotalk, Zalo, and Line impersonation indicate the actor is also targeting Korean, Vietnamese, and Japanese markets beyond the primary mainland-Chinese victim base.

The "360news" Qihoo Impersonation

The 360news*.icu domains were bulk-registered on 2025-07-29 through Gname.com (Singapore), with 360news11.icu added two weeks later on 2025-08-13. Nameserver pattern: A[N].SHARE-DNS.COM / B[N].SHARE-DNS.NET — the bulk-registration signature.

The name "360news" is a deliberate typosquat of Qihoo 360 (奇虎360), the largest Chinese cybersecurity vendor. Hosting fake "Qihoo 360 Security" download pages under a .icu TLD is low-effort social engineering that only needs to fool the subset of users who don't check domain suffixes carefully — and at 288 distribution domains plus eleven "360news" impersonation domains plus the jackadmin / jackbank panel infrastructure, this is not a hobby operation.

The Malware Samples Bound to This Cluster

Two samples reference this infrastructure in their configuration or drop-site lists:

SHA256:    2cb5614936ef42e52c44ebb7b758bf57fde6c7b2d68cc21a7ec94d2f0adb3435
Family:    SilverFox / Winos4.0 Qt loader (yesterday's sample)
Relation:  Compiled 2026-04-08; lists Alibaba Cloud HK IPs including nodes in this cluster

SHA256:    40750c5d1422a9d4c4161cbe0a2d8f32fc5537265665961002f96f8290c29116
Family:    ValleyRAT S2
Relation:  Campaign-level infrastructure overlap

Yesterday's blog covered the Winos4.0 Qt loader end-to-end. What we didn't surface yesterday was the registrant identity behind the C2 cluster — because we hadn't yet run the registrant pivot across the jackadmin / jackbank domains. Today's post closes that loop.

Why This Is a Rare Attribution

Silver Fox / APT-Q-27 is a well-documented Chinese-nexus actor with extensive public reporting from Fortinet, Forescout, Qi'anxin, Nextron Systems, ReliaQuest, and others. What's not in the public reporting is a named human operator. The group's standard infrastructure posture has always been:

  1. Gname.com bulk registration under WHOIS privacy services
  2. Random-string domain names (the trnebaiek / eijmdixci pattern)
  3. Numbered batches of pre-provisioned infrastructure
  4. Rapid rotation between bulletproof cloud providers (Alibaba Cloud HK, Tencent Cloud HK, CTG Server Ltd, Antbox Networks)
  5. Mandarin-only operational indicators kept out of WHOIS

The jackadmin / jackbank naming convention is already a break from the random-string standard. The fact that twelve of them all sit on the same personal gmail.com address without privacy protection is a second, worse break. Either the operator slipped, or the address isn't really a personal Gmail — it could be a compartmented operator handle, a team-shared mailbox, or an identity that was deliberately burned to misdirect attribution.

Our confidence on the direct connection between this email and a real individual named 罗泉 is HIGH on the WHOIS linkage and MEDIUM on whether 罗泉 is a real-world identity vs a burner. The linkage is what we can prove; the ground truth of who sits behind the email is a question for law enforcement with subpoena power, not for OSINT.

Confidence Table

Claim:       ylfwq002@gmail.com registered the twelve listed domains
Confidence:  HIGH
Basis:       Direct WHOIS lookup via Web Commerce Communications / Gname

Claim:       The jackadmin/jackbank cluster is Silver Fox infrastructure
Confidence:  HIGH
Basis:       Shared hosting with 360news cluster + malware samples referencing the same IPs

Claim:       罗泉 is the real name of an individual Silver Fox operator
Confidence:  MEDIUM
Basis:       Could be a real identity, a burner, or a team-shared handle — no ground-truth validation

Claim:       The jackbank domains host banking-trojan fraud overlays
Confidence:  MEDIUM
Basis:       Strong inferential read from the name + the actor's documented TTPs; not directly observed

Claim:       This is one of multiple Silver Fox operator subcells
Confidence:  HIGH
Basis:       The 47.57.10.173 multi-year e-commerce → malware history suggests long-term tenancy distinct from the rest of the Silver Fox infrastructure rotation

Detection & Hunting

Immediate blocks

  • Domain blocks (the twelve registrant-linked):
    jackadmin1.cn  jackadmin2.cn  jackadmin3.cn  jackadmin4.cn  jackadmin5.cn
    jackbank1.cn   jackbank2.cn   jackbank3.cn   jackbank4.cn   jackbank5.cn
    trnebaiek.cn   eijmdixci.cn
    
  • Domain blocks (the 360news cluster):
    360news1.icu  360news3.icu  360news4.icu  360news5.icu
    360news6.icu  360news7.icu  360news8.icu  360news11.icu
    
  • Wildcard blocks: *-www.cyou (SEO poisoning pattern), qqmusic[0-9].com variants beyond the legitimate qqmusic.com
  • IP blocks (Alibaba Cloud HK cluster): 47.86.49.173, 47.242.113.81, 47.57.10.173, 47.86.53.59, 47.239.165.230, 8.217.201.7, 95.173.197.195, 119.28.137.199

Hunting queries

  • DNS queries for any subdomain of jackadmin*.cn or jackbank*.cn
  • DNS queries for domains matching *-www.cyou
  • HTTP/S connections to any Alibaba Cloud HK IP in 47.86.0.0/16, 47.242.0.0/16, 47.57.0.0/16, 47.239.0.0/16 on the known ValleyRAT high ports (1080, 5040, 8852, 22011, 22012)
  • Process names or registry entries matching BkavPro version info masquerade, WatchDog / amsdk.sys BYOVD driver load events
  • Registry value HKCU\Software\Console\IpDateInfo (ValleyRAT config storage pattern)
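The hunting queries above translate into a small matcher that any SOC can run over exported telemetry. The following is an added example written for this post, not tooling from GHOST or from the original report. It takes the report's indicators (the twelve registrant-linked domains, the 360news cluster, the IP block list, the four Alibaba Cloud HK /16s with the ValleyRAT high ports, the *-www.cyou and qqmusic[0-9].com patterns, and the IpDateInfo registry value) and applies them to key=value event lines in a constructed format (dns / conn / reg records). The sample events are constructed for the demonstration, not real telemetry. Note the edge case the /16 rule handles: a connection into 47.86.0.0/16 on port 443 is ordinary Alibaba Cloud traffic and is not flagged unless the destination is a listed IP; the range only becomes an indicator in combination with a ValleyRAT port.

```python
"""Hunt the Silver Fox / jackadmin indicators from the report in key=value
event lines (dns, conn, reg). Added example; indicator values are from the
report, log format and sample events are constructed."""
import ipaddress
import re

# Indicators as listed in the report
REGISTRANT_DOMAINS = {
    "jackadmin1.cn", "jackadmin2.cn", "jackadmin3.cn", "jackadmin4.cn", "jackadmin5.cn",
    "jackbank1.cn", "jackbank2.cn", "jackbank3.cn", "jackbank4.cn", "jackbank5.cn",
    "trnebaiek.cn", "eijmdixci.cn",
}
NEWS_DOMAINS = {"360news%d.icu" % n for n in (1, 3, 4, 5, 6, 7, 8, 11)}
BLOCK_IPS = {
    "47.86.49.173", "47.242.113.81", "47.57.10.173", "47.86.53.59",
    "47.239.165.230", "8.217.201.7", "95.173.197.195", "119.28.137.199",
}
ALIBABA_HK_NETS = [ipaddress.ip_network(n) for n in
                   ("47.86.0.0/16", "47.242.0.0/16", "47.57.0.0/16", "47.239.0.0/16")]
VALLEYRAT_PORTS = {1080, 5040, 8852, 22011, 22012}
PANEL_RE = re.compile(r"(?:^|\.)jack(?:admin|bank)\d*\.cn$")  # any subdomain of jackadmin*.cn / jackbank*.cn
SEO_RE = re.compile(r"(?:^|\.)[a-z0-9]+-www\.cyou$")           # [brand]-www.cyou SEO-poisoning pattern
QQMUSIC_RE = re.compile(r"^qqmusic\d+\.com$")                  # numbered typosquats of qqmusic.com
REG_VALUE = r"HKCU\Software\Console\IpDateInfo"                # ValleyRAT config storage


def parse(line):
    """Split 'kind k1=v1 k2=v2 ...' (constructed format) into (kind, fields)."""
    kind, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return kind, fields


def match_domain(name):
    """Return the rule a queried name trips, or None."""
    name = name.lower().rstrip(".")
    registrable = ".".join(name.split(".")[-2:])
    if registrable in REGISTRANT_DOMAINS:
        return "registrant-linked domain"
    if registrable in NEWS_DOMAINS:
        return "360news impersonation domain"
    if PANEL_RE.search(name):
        return "jackadmin/jackbank pattern"
    if SEO_RE.search(name):
        return "*-www.cyou SEO poisoning pattern"
    if QQMUSIC_RE.match(registrable):
        return "qqmusic typosquat"
    return None


def match_conn(dst, dport):
    """Return the rule an outbound connection trips, or None."""
    if dst in BLOCK_IPS:
        return "known C2/hub IP"
    addr = ipaddress.ip_address(dst)
    # A /16 hit alone is just Alibaba Cloud HK; only the ValleyRAT high ports make it suspicious
    if any(addr in net for net in ALIBABA_HK_NETS) and dport in VALLEYRAT_PORTS:
        return "Alibaba HK range on ValleyRAT port"
    return None


def hunt(lines):
    """Run every event through the matching rule set; return the alerts raised."""
    alerts = []
    for line in lines:
        kind, f = parse(line)
        hit = None
        if kind == "dns":
            hit = match_domain(f["qname"])
        elif kind == "conn":
            hit = match_conn(f["dst"], int(f["dport"]))
        elif kind == "reg" and f["path"].lower() == REG_VALUE.lower():
            hit = "ValleyRAT config registry value"
        if hit:
            alerts.append({"rule": hit, "line": line.strip()})
    return alerts


# Constructed sample events (not real telemetry)
SAMPLE = [
    "dns ts=2026-04-08T10:00:01Z client=10.0.0.5 qname=3.jackadmin5.cn",
    "dns ts=2026-04-08T10:00:02Z client=10.0.0.5 qname=job3.trnebaiek.cn",
    "dns ts=2026-04-08T10:00:03Z client=10.0.0.7 qname=deepseek-www.cyou",
    "dns ts=2026-04-08T10:00:04Z client=10.0.0.7 qname=qqmusic.com",
    "conn ts=2026-04-08T10:00:05Z src=10.0.0.5 dst=47.86.49.173 dport=443",
    "conn ts=2026-04-08T10:00:06Z src=10.0.0.5 dst=47.86.12.34 dport=22011",
    "conn ts=2026-04-08T10:00:07Z src=10.0.0.9 dst=47.86.12.34 dport=443",
    "reg ts=2026-04-08T10:00:08Z host=ws01 path=HKCU\\Software\\Console\\IpDateInfo",
]

if __name__ == "__main__":
    for a in hunt(SAMPLE):
        print(a["rule"], "<-", a["line"])
```

Of the eight sample events, six raise alerts: the legitimate qqmusic.com lookup and the port-443 connection into an unlisted 47.86.x.x address pass through, which is the behaviour you want before pointing this at a proxy log from an organisation that uses Alibaba Cloud for anything legitimate.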

Registrant pivots

  • Monitor crt.sh for any new TLS certificate issued to a domain containing jackadmin, jackbank, or Luo Quan's email / name
  • Watch for new domains registered via Gname.com sharing the ylfwq002@gmail.com address
  • Alert on new Chinese-market software typosquat registrations under .cyou following the [brand]-www.cyou pattern
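The registrant pivot that produced this report, and the monitoring described in the three bullets above, both reduce to the same operation: group WHOIS records by registrant e-mail, describe the provisioning shape of each group (privacy-proxy use, numbered-batch families, registration window), and then check each newly observed registration against the tracked e-mail and the tracked batch families. The following added example implements that; it is not GHOST's tooling or the report's own code. The registrant, registrar and the window bounds (2025-03-09 / 2025-03-28) come from the report; the individual creation dates in between, the control record behind a privacy proxy, and the WHOIS record layout are constructed for the demonstration. The family detection generalises beyond jackadmin/jackbank to any stem-plus-number naming such as 360news11.icu or ydbao56.cyou.

```python
"""Cluster WHOIS records by registrant e-mail, profile the provisioning shape
of each cluster, and flag new registrations that extend a tracked cluster.
Added example; record layout and intermediate dates are constructed."""
import re
from collections import defaultdict
from datetime import date


def _rec(domain, created, email="ylfwq002@gmail.com", name="罗泉 (Luo Quan)", privacy=False):
    """Build one simplified WHOIS record (constructed layout)."""
    return {"domain": domain, "email": email, "name": name,
            "registrar": "Web Commerce Communications Limited (Gname.com)",
            "created": date.fromisoformat(created), "privacy": privacy}


# The report's twelve domains; only the window bounds are from the report,
# the dates in between are constructed.
RECORDS = [
    _rec("jackadmin1.cn", "2025-03-09"), _rec("jackadmin2.cn", "2025-03-09"),
    _rec("jackadmin3.cn", "2025-03-10"), _rec("jackadmin4.cn", "2025-03-10"),
    _rec("jackadmin5.cn", "2025-03-11"),
    _rec("jackbank1.cn", "2025-03-12"), _rec("jackbank2.cn", "2025-03-12"),
    _rec("jackbank3.cn", "2025-03-13"), _rec("jackbank4.cn", "2025-03-13"),
    _rec("jackbank5.cn", "2025-03-14"),
    _rec("trnebaiek.cn", "2025-03-27"), _rec("eijmdixci.cn", "2025-03-28"),
    # Constructed control record behind a privacy proxy: must form its own cluster
    _rec("example-shop.cn", "2025-03-15", email="redacted@privacyproxy.example",
         name="REDACTED FOR PRIVACY", privacy=True),
]

# stem ends in a letter or hyphen, optional trailing batch number
FAMILY_RE = re.compile(r"^(?P<stem>[a-z0-9-]*?[a-z-])(?P<n>\d+)?$")


def family(domain):
    """'jackadmin3.cn' -> ('jackadmin', 3); 'trnebaiek.cn' -> ('trnebaiek', None)."""
    sld = domain.lower().split(".")[0]
    m = FAMILY_RE.match(sld)
    if not m:
        return sld, None
    return m.group("stem"), (int(m.group("n")) if m.group("n") else None)


def cluster_by_registrant(records):
    """Group records by registrant e-mail (the pivot key)."""
    clusters = defaultdict(list)
    for r in records:
        clusters[r["email"].lower()].append(r)
    return clusters


def profile(records):
    """Summarise the provisioning shape of one registrant's domains."""
    families, singletons = defaultdict(list), []
    for r in records:
        stem, n = family(r["domain"])
        if n is None:
            singletons.append(r["domain"])
        else:
            families[stem].append(n)
    created = sorted(r["created"] for r in records)
    return {
        "domains": len(records),
        "names": sorted({r["name"] for r in records}),
        "unprotected": sum(1 for r in records if not r["privacy"]),
        "window": (created[0].isoformat(), created[-1].isoformat()),
        "span_days": (created[-1] - created[0]).days,
        "families": {k: sorted(v) for k, v in families.items()},
        "singletons": sorted(singletons),
    }


def watch(new_record, tracked_emails, tracked_families):
    """Reasons a newly observed registration should be reviewed (registrant-pivot monitoring)."""
    reasons = []
    if new_record["email"].lower() in tracked_emails:
        reasons.append("tracked registrant email")
    stem, n = family(new_record["domain"])
    if n is not None and stem in tracked_families:
        reasons.append("extends tracked numbered batch %s" % stem)
    return reasons


if __name__ == "__main__":
    clusters = cluster_by_registrant(RECORDS)
    for email, recs in clusters.items():
        print(email, profile(recs))
    # A hypothetical sixth jackadmin domain registered by someone else behind privacy
    print(watch(_rec("jackadmin6.cn", "2026-04-01", email="someone@example.net", privacy=True),
                {"ylfwq002@gmail.com"}, {"jackadmin", "jackbank"}))
```

The profile for the ylfwq002@gmail.com cluster reproduces the shape the report describes: twelve domains, none behind a privacy proxy, two five-member numbered families plus two random-string singletons, inside a 19-day window. The watch function is deliberately keyed on the batch family as well as the e-mail, because a hypothetical jackadmin6.cn registered under a fresh privacy-protected identity would otherwise slip past an e-mail-only alert.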

Disclosure

  • CNCERT/CC — primary target is Chinese organizations
  • HKCERT — infrastructure hosted in Hong Kong
  • Alibaba Cloud abuse (intl-abuse@list.alibaba-inc.com) — 47.86.49.173 and the rest of the Alibaba cluster
  • Gname.com abuse (complaint@gname.com) — registrar used for bulk malicious registration under the identified email
  • Tencent Cloud abuse — 119.28.137.199 (live ValleyRAT C2)

Prior art

  • Yesterday's GHOST post on the Silver Fox ValleyRAT Telegram Chinese language pack sample and the CTG Server Hong Kong cluster: silverfox-valleyrat-telegram-chinese-langpack-zpaq-bytedance-ctg
  • Silver Fox / APT-Q-27 public reporting from Fortinet, Forescout, Qi'anxin, Nextron Systems, ReliaQuest, The Hacker News (multiple 2025 pieces), and CISA's broader China-nexus cybercrime advisories
  • Prior ValleyRAT Gh0stKCP infrastructure reporting covering the 47.x.x.x Alibaba HK allocations and the 95.173.197.195 SEO poisoning megacluster

If you've previously published reporting on Luo Quan's registrant identity or on the jackadmin/jackbank domain cluster specifically, please reply or DM — we'll update and credit.


GHOST — Breakglass Intelligence "One indicator. Total infrastructure."
