Banners, Bots and Butchers: An Automated Long Con Targeting Japan, Asia, and Beyond

A hybrid investment scam campaign is targeting users in Asia and globally by combining malvertising with pig butchering tactics. Threat actors use RDGA-generated domains and AI chatbots on popular messaging apps to automate social engineering, impersonate financial experts, and extract funds from victims.

Confidence: high
Analyzed: 2026-03-19

Authors: Infoblox Threat Intel

Actors: Shared Enablement Layer / Scam-as-a-Service Operators

Source: Infoblox

IOCs · 5

  • domain: aopmbxeqax[[.]]click - RDGA domain hosting a Japanese scam campaign abusing the likeness of Takaaki Mitsuhashi.
  • domain: fgynfgi[[.]]buzz - RDGA domain hosting a Japanese AI investing scam campaign.
  • domain: googlenames[.]top - Lookalike RDGA domain hosting a Japanese AI investing scam campaign.
  • domain: safesecurea[[.]]sbs - Domain hosting Japanese and Chinese scam campaigns abusing the likeness of Nvidia CEO Jen-hsun Huang.
  • domain: youtubefind[[.]]top - Lure domain hosting scam campaigns abusing the likeness of various individuals.

Key Takeaways

  • Campaigns combine malvertising for victim acquisition with pig butchering tactics via messaging apps.
  • Threat actors utilize Registered Domain Generation Algorithms (RDGAs) to register over 23,000 domains.
  • AI bots are heavily used to automate 24/7 engagement in messaging apps like LINE and WhatsApp.
  • Scams impersonate well-known financial experts to build trust and lure victims into fake investments.
  • Victims are pressured into making investments and ultimately asked for a fake 'release fee' before scammers vanish.

Affected Systems

  • Messaging Applications (LINE, WhatsApp, KakaoTalk)
  • Social Media Platforms (Meta, Instagram)

Attack Chain

Victims are initially targeted through malvertising on social media platforms featuring impersonated financial experts. Clicking the ad redirects them to an RDGA-generated lure website, which prompts them to join a messaging app group via a link or QR code. Once in the messaging app, AI bots impersonating experts and other 'students' engage the victim 24/7 to build trust. The victim is convinced to transfer funds for fake investments and is ultimately scammed out of their money, including a final fake 'release fee'.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules are provided in the article, but a GitHub repository is mentioned for additional indicators.

Detection Engineering Assessment

  • EDR Visibility: None - The attack relies entirely on social engineering, web browsing, and legitimate messaging apps (often on personal mobile devices), which EDR does not monitor.
  • Network Visibility: Medium - DNS queries to newly registered RDGA domains can be detected, but the actual chat traffic is encrypted within legitimate messaging apps.
  • Detection Difficulty: Hard - The infrastructure rotates rapidly using RDGAs, and the social engineering occurs on legitimate, encrypted third-party platforms.

Required Log Sources

  • DNS Logs
  • Web Proxy Logs

Hunting Hypotheses

  • Hypothesis: Look for high volumes of DNS queries to newly registered domains in specific TLDs (.sbs, .icu, .top, .click, .buzz) originating from user endpoints.
    Telemetry: DNS Logs. ATT&CK Stage: Delivery. FP Risk: Medium.
  • Hypothesis: Identify web traffic referring from major social media platforms (Meta, Instagram) directly to newly registered, low-reputation domains.
    Telemetry: Web Proxy Logs. ATT&CK Stage: Delivery. FP Risk: Medium.
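An added example, not from the Infoblox report or this summary, that applies the DNS hunting hypothesis above and the report's five IOC domains to constructed DNS log lines; the "timestamp client qname" log format, the NRD_FEED set standing in for a newly-registered-domain feed, and the threshold of 3 queries are assumptions.

```python
import re
from collections import defaultdict

# TLDs named in the report's DNS hunting hypothesis
SUSPICIOUS_TLDS = {"sbs", "icu", "top", "click", "buzz"}
# The report's five IOC domains, refanged for matching
IOC_DOMAINS = {"aopmbxeqax.click", "fgynfgi.buzz", "googlenames.top",
               "safesecurea.sbs", "youtubefind.top"}
# Constructed stand-in for a newly-registered-domain (NRD) feed; in production
# this comes from the resolver or threat-intel vendor, not a hard-coded set.
NRD_FEED = {"aopmbxeqax.click", "fgynfgi.buzz", "qzvbnmx.sbs", "plainsite.sbs"}
# Constructed log format: "<timestamp> <client_ip> <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")

def registered_domain(qname):
    """Last two labels of a qname; fine for single-label TLDs, not for co.uk-style suffixes."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def hunt(log_lines, nrd_feed=NRD_FEED, threshold=3):
    """Return (flagged_clients, ioc_hits): clients with at least `threshold`
    queries to NRDs in suspicious TLDs, and any exact IOC matches."""
    counts, domains, ioc_hits = defaultdict(int), defaultdict(set), set()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        client, domain = m["client"], registered_domain(m["qname"])
        if domain in IOC_DOMAINS:
            ioc_hits.add((client, domain))
        if domain.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS and domain in nrd_feed:
            counts[client] += 1
            domains[client].add(domain)
    flagged = {c: sorted(domains[c]) for c, n in counts.items() if n >= threshold}
    return flagged, sorted(ioc_hits)

# Constructed sample log: one noisy client plus one with a single IOC lookup
SAMPLE_LOG = """\
2026-03-19T09:00:01Z 10.0.0.5 aopmbxeqax.click
2026-03-19T09:00:03Z 10.0.0.5 www.fgynfgi.buzz.
2026-03-19T09:00:05Z 10.0.0.5 qzvbnmx.sbs
2026-03-19T09:00:07Z 10.0.0.5 example.com
2026-03-19T09:01:00Z 10.0.0.9 plainsite.sbs
2026-03-19T09:01:02Z 10.0.0.9 googlenames.top
not a log line
""".splitlines()

if __name__ == "__main__":
    flagged, hits = hunt(SAMPLE_LOG)
    print("flagged clients:", flagged, "| IOC hits:", hits)
```

Note that googlenames.top is reported only as an IOC hit, not counted toward the volume threshold, because it is absent from the (assumed) NRD feed; the two signals are deliberately kept separate.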

Control Gaps

  • Endpoint visibility on personal mobile devices
  • Inspection of encrypted messaging app traffic

Key Behavioral Indicators

  • DNS queries to RDGA-patterned domains
  • Unexpected redirects from social media to newly registered domains

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block the provided IOC domains at the DNS and web proxy levels.

Infrastructure Hardening

  • Implement DNS filtering to block or sinkhole newly registered domains (NRDs) and suspicious TLDs.

User Protection

  • Deploy web filtering to prevent access to known malvertising and scam lure sites.

Security Awareness

  • Educate users on the risks of social media investment ads, the use of AI bots in chats, and the mechanics of pig butchering scams.

MITRE ATT&CK Mapping

  • T1583.001 - Acquire Infrastructure: Domains
  • T1566.002 - Phishing: Spearphishing Link
  • T1204.001 - User Execution: Malicious Link

Additional IOCs

  • Domains:
    • 7973268[[.]]top - Domain hosted a Korean scam campaign
    • 8jz2x[[.]]icu - Domain hosted an English scam campaign
    • btedsrr[[.]]icu - Domain hosted a Korean scam campaign abusing the likeness of Seunghwan Yeom
    • fhysgth[[.]]sbs - Domain hosted a Japanese scam campaign abusing the likeness of Takaaki Mitsuhashi
    • ghmfg[[.]]sbs - Domain hosted an English scam campaign abusing the likeness of Andre Iguodala
    • gnlaoprs[[.]]click - Domain hosted a Japanese scam campaign abusing the likeness of Kenichi Ohmae
    • hrdfsetsdf[[.]]sbs - Domain hosted a Japanese AI investing scam campaign
    • koaliuehudrt[[.]]sbs - Domain hosted a Japanese scam campaign abusing the likeness of Yusaku Maezawa
    • kpusnenvcg[[.]]buzz - Domain hosted a Japanese AI investing scam campaign
    • lgsmjhsb[[.]]buzz - Domain hosted a Japanese AI investing scam campaign
    • oiajdng[[.]]click - Domain hosted a Japanese scam campaign abusing the likeness of Ken Honda
    • oslddjb[[.]]buzz - Domain hosted a Japanese AI investing scam campaign
    • r2th4[[.]]icu - Domain hosted a Japanese AI investing scam campaign
    • stock-analysis06[[.]]buzz - Domain hosted an English scam campaign
    • ttrvsgg[[.]]icu - Domain hosted a Korean scam campaign abusing the likeness of a Healing Traveler YouTuber
    • ttrvsii[[.]]icu - Domain hosted a Korean scam campaign abusing the likeness of a Healing Traveler YouTuber
    • ttrvsrr[[.]]icu - Domain hosted a Korean scam campaign abusing the likeness of a Healing Traveler YouTuber
    • vbmuakf[[.]]click - Domain hosted a Japanese scam campaign abusing the likeness of Ken Honda
    • xhlch[[.]]top - Domain hosted a Japanese AI investing scam campaign
    • xqeha[[.]]icu - Domain hosted a Korean scam campaign abusing the likeness of Seon Dae-in TV YouTuber
    • ydfshans[[.]]click - Domain hosted a Japanese scam campaign abusing the likeness of Takaaki Mitsuhashi
    • yhdakgjd[[.]]top - Domain hosted a Japanese scam campaign abusing the likeness of Ken Honda