From San Pedro to Salinas: How a Chinese Framework “DCloud Uni-App” Powers a Global Scam Economy
Infoblox Threat Intel has identified over 236,000 scam domains built on the Chinese open-source DCloud Uni-App framework, constituting a massive decentralized scam economy spanning fake crypto exchanges, wallet drainers, gambling sites, and investment frauds. The framework's default build fingerprints enable large-scale identification of malicious sites, though sophisticated operators strip these signatures and migrate to bulletproof hosting (primarily AS152194 CTG Server). Active scams like Yuechi Sharing Technology Ltd. demonstrate evolution toward weaponizing genuine government registrations (FinCEN MSB, Hong Kong Companies Registry) as legitimacy props. Enterprise exposure is substantial, with 985 customers generating 5M+ DNS queries to scam infrastructure, primarily through employee personal device usage.
- domainallegroau[.]ccBrand-impersonation scam domain targeting Allegro marketplace (Australia variant)
- domainallegroau[.]comBrand-impersonation scam domain targeting Allegro marketplace (Australia variant)
- domainallegro-stroe[.]ccBrand-impersonation scam domain targeting Allegro marketplace
- domainallegrostroe[.]ccBrand-impersonation scam domain targeting Allegro marketplace
- domainallegro-stroe[.]comBrand-impersonation scam domain targeting Allegro marketplace
- domainallegrostroe[.]comBrand-impersonation scam domain targeting Allegro marketplace
- domainallegro-stroe[.]cyouBrand-impersonation scam domain targeting Allegro marketplace
- domainallegrostroe[.]cyouBrand-impersonation scam domain targeting Allegro marketplace
- domainallegro-stroe[.]shopBrand-impersonation scam domain targeting Allegro marketplace
- domainallegrostroe[.]shopBrand-impersonation scam domain targeting Allegro marketplace
- domainaqy[.]dot02ig[.]cfdYuechi customer service chat backend; shared technical setup with XAEL-AI scam sites indicating centralized operator
- domainbepviews[.]comDCloud-built crypto wallet drainer impersonating BNB Chain verification flow; initiates wallet drain upon 'Verify Asset' button click
- domainclintile[.]comFake crypto exchange / passive income investment platform built on DCloud
- domaincorreoargentino-comarr[.]topOther DCloud-built scam domain
- domaindatashareclub[.]comFake crypto exchange / passive income investment platform built on DCloud
- domaindeepseekpg[.]betPrediction-market and gambling impersonation scam built on DCloud
- domainenergy5[.]cyouOther DCloud-built scam domain
- domainfaq-whatsapp-center[.]comDCloud-built WhatsApp phishing template presenting fake WhatsApp Help Center verification flow
- domainforwarsprite[.]comOther DCloud-built scam domain
- domainfutureblockchain[.]netFake crypto exchange / passive income investment platform built on DCloud
- domaing3user[.]comOther DCloud-built scam domain
- domainhkxiu[.]comDCloud-built site impersonating Hong Kong Stock Exchange as 'Hong Kong Gold Exchange' (HKGX)
- domaininetcontrol[.]netOther DCloud-built scam domain
- domainjp7[.]comPrediction-market and gambling impersonation scam built on DCloud
- domainkirbycoco[.]ccFake crypto exchange / passive income investment platform built on DCloud
- domaink-usdt[.]comOther DCloud-built scam domain
- domainlightacer[.]comLightning Exchange (LNC/Lightning Coin) trading platform associated with LSSC scam
- domainlsscapp[.]comLSSC Android app landing page; decompiled manifest confirmed DCloud Uni-App framework usage (package uni.UNI37480E2, io.DCloud.application.DCloudApplication)
- domainlssc-canada[.]caLSSC scam domain targeting Canadian investors; hosted LNC Lightning Coin registration tutorial
- domainlssc[.]ltdLSSC investment scam domain confirmed by BBB and state AG offices
- domainlsscol[.]comLSSC investment scam login page; most accessed DCloud-fingerprinted scam site with 50+ enterprise customers reaching it; now offline
- domainm0vrsq6[.]topOther DCloud-built scam domain
- domainmango-cleopatrapg[.]comDCloud-built Portuguese-language 'scambling' (scam gambling) site targeting Portuguese and Spanish speakers
- domainmyctgs[.]comCTG Server Limited (AS152194) bulletproof hosting provider domain; dominant BPH provider for evasive-tier DCloud scam sites, listed on Spamhaus DROP list
- domainmypal[.]proOther DCloud-built scam domain
- domainnasdaqpro[.]topFake crypto exchange impersonating Nasdaq, built on DCloud framework
- domainpolymk[.]comDCloud-built clone of Polymarket prediction-market platform
- domainrainbowex[.]ccRainbowEx fake crypto exchange that defrauded ~20% of San Pedro, Argentina population; primary DCloud-built scam site that triggered public awareness of the framework's abuse
- domainusdtflow[.]netOther DCloud-built scam domain
- domainverify-what[.]comWhatsApp and messaging-platform phishing domain built on DCloud
- domainwhats-zea[.]vipWhatsApp-themed phishing domain impersonating WhatsApp Security Help Center
- domainwhats-zef[.]vipWhatsApp-themed phishing domain impersonating WhatsApp Security Help Center
- domainwhats-zei[.]vipWhatsApp-themed phishing domain impersonating WhatsApp Security Help Center
- domainwhats-zen[.]vipWhatsApp-themed phishing domain impersonating WhatsApp Security Help Center
- domainwhats-zrs[.]vipWhatsApp-themed phishing domain impersonating WhatsApp Security Help Center
- domainwhats-zus[.]vipWhatsApp-themed phishing domain impersonating WhatsApp Security Help Center
- domainwhats-zwp[.]vipWhatsApp-themed phishing domain impersonating WhatsApp Security Help Center
- domainxaai3xj[.]comXAEL-AI investment scam site built on DCloud; shares identical chat backend and registration flow with Yuechi, contains 29-language localization pack as operator signature
- domainxaaitbb[.]comSecond XAEL-AI investment scam domain; nearly identical code to xaai3xj[.]com, shares operator fingerprints including 29-language localization pack
- domainys904[.]topYuechi satellite domain hosting a defensive 'anti-fraud notice' page designed to project legitimacy for the YST investment scam
- domainystl03106[.]topActive Yuechi Sharing Technology Ltd. (YST) recruitment platform targeting Australia, New Zealand, and U.S. with bicycle-sharing investment scam; built on DCloud framework
Detection / Hunteropenrouter
What Happened
A widely used Chinese software tool called DCloud Uni-App has been adopted by scammers to quickly build thousands of fake websites that look like real cryptocurrency exchanges, gambling platforms, and investment opportunities. Researchers found over 236,000 of these scam websites, which have defrauded people around the world — from a small town in Argentina where 20% of residents lost money, to American investors in a fake scooter-sharing company, to people in Australia and New Zealand being recruited into a fake bicycle-sharing scheme. The scammers are getting more sophisticated: one current operation even registered with the U.S. Treasury Department to appear legitimate. Anyone who is offered a chance to invest through an app or website that promises unusually high returns, requires an invitation code, or pressures daily engagement should be extremely cautious and verify the opportunity through independent channels before sending any money.
Key Takeaways
- Over 236,000 distinct second-level domains built on the DCloud Uni-App framework have been identified as scam infrastructure since mid-2022, spanning fake crypto exchanges, wallet drainers, gambling sites, WhatsApp phishing, and investment scams.
- The DCloud Uni-App framework leaves recognizable build fingerprints (package naming, application classes, shared resources) that defenders can use to identify scam sites, though sophisticated operators strip these fingerprints and shift to bulletproof hosting at roughly double the rate of vanilla operators.
- AS152194 CTG Server Limited (myctgs[.]com) is the dominant bulletproof hosting provider for the evasive tier of DCloud scam sites, with 19 of the top 20 BPH-hosted SLDs running on it.
- The currently-active Yuechi Sharing Technology Ltd. (YST) scam uses genuine FinCEN MSB and Hong Kong company registrations as legitimacy props, representing an evolution in scam operators weaponizing government registration processes.
- Enterprise exposure is significant: approximately 985 distinct enterprise customers across 25 industry verticals generated over 5 million DNS queries to DCloud-built investment scam infrastructure, driven by employees on personal devices accessing consumer-targeted scams.
Affected Systems
- Mobile devices (Android/iOS) used by individual users and employees
- Enterprise networks with permissive BYOD policies
- Consumer-facing industries with high mobile device usage (Food & Beverage, Banking, Government, Education, Financial Services)
Attack Chain
Scam operators acquire DCloud Uni-App investment scam templates (sold privately between operators) and deploy them across mainstream hosting providers (Cloudflare, Alibaba, Tencent, AWS) or bulletproof hosting (primarily AS152194 CTG Server). Victims are recruited via social media, WhatsApp, Telegram, or in-person networks using invitation-code-gated registration flows. Once registered, victims deposit funds via stablecoin transfers, Zelle, or Cash App, and are shown fictional trading activity or passive income accumulation. When withdrawal attempts fail, victims are funneled to off-platform customer service chats that redirect them to their 'recommender teacher' (upline recruiter). More sophisticated operators strip DCloud framework fingerprints and use BPH providers to resist takedown, while also obtaining genuine government registrations (FinCEN MSB, HK Companies Registry) to project legitimacy.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Infoblox GitHub repository (indicators list only)
The article provides a representative list of scam domain IOCs and references an open GitHub repository containing the indicator list. No YARA, Sigma, Snort, Suricata, KQL, SPL, or EQL detection rules are included. DNS-layer blocking is recommended as the primary defensive control.
Detection Engineering Assessment
EDR Visibility: Low — These are consumer-facing web scams accessed via mobile browsers and apps, not traditional endpoint malware. EDR would only see browser or app process activity, not the scam itself. The DCloud Android app manifest could be detected if the app is installed, but the primary vector is web browsing. Network Visibility: High — DNS query analysis is the primary detection vector. Infoblox identified 5M+ enterprise DNS queries to scam domains across 985 customers. DNS-layer monitoring and blocking is well-suited to this threat given the domain-based nature of the scam infrastructure. Detection Difficulty: Moderate — DNS-level blocking of known scam domains is straightforward, but the volume (236K+ SLDs) and rapid churn require automated fingerprinting. Evasive operators who strip DCloud signatures and use BPH require additional scam-specific fingerprints. The 94% legitimate hosting rate means IP/ASN-based blocking is not viable for the majority of sites.
Required Log Sources
- DNS query logs (passive DNS, recursive resolver logs)
- Proxy/web gateway logs for URL categorization
- EDR process telemetry for DCloud Android app detection (io.DCloud.application.DCloudApplication, uni.UNI* package names)
- Network flow logs for ASN correlation against Spamhaus DROP list
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for DNS queries to domains matching DCloud framework fingerprint patterns combined with scam-specific registration flow indicators (invitation code, crypto deposit) to identify previously unknown scam domains in your environment. | DNS resolver logs, passive DNS, web proxy logs | Infrastructure acquisition / victim engagement | Medium — DCloud is a legitimate framework used by many Chinese businesses; framework fingerprint alone is insufficient without scam-specific overlays |
| If you have visibility into DNS queries to AS152194 (CTG Server Limited) IP space, consider investigating whether any enterprise devices are resolving domains hosted there, as this ASN is strongly associated with Chinese-affiliated scam infrastructure. | DNS response IP enrichment, network flow logs, ASN correlation against Spamhaus DROP list | Infrastructure hosting | Low — CTG Server is on the Spamhaus DROP list and has minimal legitimate traffic |
| Consider hunting for Android devices with applications containing DCloud Uni-App package naming conventions (uni.UNI*, io.DCloud.application.DCloudApplication) that are not from known legitimate Chinese app stores, as these may be sideloaded scam apps. | EDR mobile device management logs, Android package inventory, app manifest analysis | Payload delivery / app installation | Medium — DCloud is used by many legitimate Chinese apps; correlation with scam-specific indicators is needed |
| Consider monitoring for enterprise DNS queries to domains with registration flows requiring invitation codes combined with crypto/stablecoin deposit functionality, as this pattern is characteristic of the DCloud investment scam template. | Web proxy logs with content inspection, DNS logs correlated with HTTP response analysis | Victim engagement / financial fraud | Low-Medium — invitation-code-gated crypto platforms are uncommon in legitimate enterprise traffic |
| If you have web proxy or DNS logs, consider hunting for low-volume, one-off queries from individual employee devices to domains matching the scam domain patterns, as the threat manifests as many small-volume contacts rather than concentrated traffic. | DNS logs, proxy logs with user/device attribution | Victim engagement | Low — the per-user volume is small but the domain patterns are distinctive |
Control Gaps
- Traditional enterprise phishing training focused on business email compromise will not address consumer-fraud recruitment via WhatsApp, Telegram, social media, churches, and community networks
- IP-based blocking is ineffective as 94% of scam domains resolve to legitimate hyperscaler ASNs (Cloudflare, Alibaba, Tencent, AWS)
- Government registration verification (FinCEN MSB, HK Companies Registry) provides false legitimacy signals that bypass due diligence checks
- BYOD policies that permit personal device usage on corporate networks create telemetry visibility but no blocking capability for consumer-targeted scams
- Brand-impersonation detection focused on enterprise brands may miss impersonation of consumer brands (Allegro, WhatsApp, Polymarket, BNB Chain) targeting employees as consumers
Key Behavioral Indicators
- Android app manifests containing package names matching pattern uni.UNI* and application class io.DCloud.application.DCloudApplication
- Android app manifests containing activity classes io.DCloud.WebviewActivity, io.DCloud.WebAppActivity, io.DCloud.ProcessMediator
- Web pages with six-field registration forms (phone, password, confirm password, picture CAPTCHA, SMS verification, invitation code) consistent with DCloud investment scam template
- Off-platform customer service chat redirection with script 'contact your recommender teacher' indicating pyramid recruitment structure
- 29-language localization packs including unusual diaspora languages (Haitian Creole, Kinyarwanda, Albanian, Uzbek) as operator signature for XAEL-AI/Yuechi cluster
- DNS queries to domains on AS152194 (CTG Server) indicating potential evasive-tier scam infrastructure
- Low-volume, one-off DNS queries from individual employee devices to newly-registered domains with DCloud framework fingerprints
False Positive Assessment
- Medium — The DCloud Uni-App framework is legitimate and widely used by thousands of Chinese businesses. Framework fingerprints alone will produce false positives. Scam-specific fingerprints (invitation-code registration, crypto deposit flows, brand impersonation) must be combined with framework detection to reduce false positives. ASN-based blocking of CTG Server (AS152194) has low false positive risk given its Spamhaus DROP listing.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider blocking the priority IOC domains listed in this report at your DNS resolver or web proxy, particularly the currently-active Yuechi (ystl03106[.]top, ys904[.]top) and XAEL-AI (xaai3xj[.]com, xaaitbb[.]com) domains.
- Consider querying your DNS logs or SIEM for historical hits against the listed IOC domains to identify employees who may have already been targeted, and if applicable, route findings to your fraud awareness or employee assistance teams.
- If your organization has mobile device management, consider scanning managed Android devices for apps with DCloud Uni-App package naming conventions (uni.UNI*, io.DCloud.*) that were sideloaded from non-official sources.
- Evaluate whether your DNS filtering solution can ingest the Infoblox GitHub IOC list for ongoing automated blocking of DCloud scam domains.
Infrastructure Hardening
- Consider implementing DNS-layer blocking for domains resolving to AS152194 (CTG Server Limited) IP space, as this ASN is on the Spamhaus DROP list and is strongly associated with Chinese-affiliated scam infrastructure.
- If supported by your web proxy, consider enabling category-based blocking for newly-registered domains combined with crypto/trading/gambling content categories, as scam domains are short-lived and rapidly churned.
- Evaluate whether your SIEM can correlate low-volume DNS queries from individual devices against threat intelligence feeds to surface consumer-scam exposure patterns that traditional enterprise-focused alerts would miss.
User Protection
- Consider expanding security awareness training beyond enterprise phishing to cover consumer-fraud patterns including pyramid investment schemes, fake crypto exchanges, and 'passive income' recruitment via social media and messaging apps.
- If applicable to your workforce demographics, consider providing multilingual awareness materials covering Mandarin, Spanish, Portuguese, and English scam variants, as these are the dominant languages in the DCloud scam ecosystem.
- Consider educating employees that government registrations (FinCEN MSB, Hong Kong Companies Registry) are filing requirements, not endorsements, and that their presence in an investment pitch may itself be a red flag.
Security Awareness
- Consider incorporating awareness content about invitation-code-gated investment platforms, as this registration pattern is a hallmark of DCloud-built investment scams designed to enforce pyramid recruitment.
- Where supported by your awareness program, consider training employees to recognize the 'deposit-and-trade' scam pattern: small initial deposit, fictional daily returns displayed in-app, and withdrawal blocks followed by requests for additional 'verification fees'.
- Consider adding consumer-fraud awareness modules covering recruitment through community channels (churches, WhatsApp groups, civic organizations) that conventional enterprise phishing training does not address.
MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.004 - Spearphishing via Service
- T1656 - Impersonation
- T1584 - Compromise Infrastructure
- T1583 - Acquire Infrastructure
- T1204 - User Execution
Additional IOCs
- Domains:
nasdaqpro[[.]]top- Fake crypto exchange impersonating Nasdaq, built on DCloud frameworkfutureblockchain[[.]]net- Fake crypto exchange / passive income investment platform built on DCloudkirbycoco[[.]]cc- Fake crypto exchange / passive income investment platform built on DCloudclintile[[.]]com- Fake crypto exchange / passive income investment platform built on DClouddatashareclub[[.]]com- Fake crypto exchange / passive income investment platform built on DCloudlssc-canada[[.]]ca- LSSC scam domain targeting Canadian investors; hosted LNC Lightning Coin registration tutoriallightacer[[.]]com- Lightning Exchange (LNC/Lightning Coin) trading platform associated with LSSC scamlssc[[.]]ltd- LSSC investment scam domain confirmed by BBB and state AG officespolymk[[.]]com- DCloud-built clone of Polymarket prediction-market platformmango-cleopatrapg[[.]]com- DCloud-built Portuguese-language 'scambling' (scam gambling) site targeting Portuguese and Spanish speakersdeepseekpg[[.]]bet- Prediction-market and gambling impersonation scam built on DCloudjp7[[.]]com- Prediction-market and gambling impersonation scam built on DCloudwhats-zwp[[.]]vip- WhatsApp-themed phishing domain impersonating WhatsApp Security Help Centerwhats-zrs[[.]]vip- WhatsApp-themed phishing domain impersonating WhatsApp Security Help Centerwhats-zef[[.]]vip- WhatsApp-themed phishing domain impersonating WhatsApp Security Help Centerwhats-zea[[.]]vip- WhatsApp-themed phishing domain impersonating WhatsApp Security Help Centerwhats-zus[[.]]vip- WhatsApp-themed phishing domain impersonating WhatsApp Security Help Centerwhats-zei[[.]]vip- WhatsApp-themed phishing domain impersonating WhatsApp Security Help Centerwhats-zen[[.]]vip- WhatsApp-themed phishing domain impersonating WhatsApp Security Help Centerfaq-whatsapp-center[[.]]com- DCloud-built WhatsApp phishing template presenting fake WhatsApp Help Center verification flowverify-what[[.]]com- WhatsApp and messaging-platform phishing domain built on DCloudhkxiu[[.]]com- DCloud-built site impersonating Hong Kong Stock Exchange as 'Hong Kong Gold Exchange' (HKGX)allegro-stroe[[.]]com- Brand-impersonation scam domain targeting Allegro marketplaceallegro-stroe[[.]]shop- Brand-impersonation scam domain targeting Allegro marketplaceallegro-stroe[[.]]cc- Brand-impersonation scam domain targeting Allegro marketplaceallegro-stroe[[.]]cyou- Brand-impersonation scam domain targeting Allegro marketplaceallegrostroe[[.]]com- Brand-impersonation scam domain targeting Allegro marketplaceallegrostroe[[.]]cc- Brand-impersonation scam domain targeting Allegro marketplaceallegrostroe[[.]]shop- Brand-impersonation scam domain targeting Allegro marketplaceallegrostroe[[.]]cyou- Brand-impersonation scam domain targeting Allegro marketplaceallegroau[[.]]com- Brand-impersonation scam domain targeting Allegro marketplace (Australia variant)allegroau[[.]]cc- Brand-impersonation scam domain targeting Allegro marketplace (Australia variant)correoargentino-comarr[[.]]top- Other DCloud-built scam domaink-usdt[[.]]com- Other DCloud-built scam domainusdtflow[[.]]net- Other DCloud-built scam domainenergy5[[.]]cyou- Other DCloud-built scam domainforwarsprite[[.]]com- Other DCloud-built scam domaing3user[[.]]com- Other DCloud-built scam domainmypal[[.]]pro- Other DCloud-built scam domaininetcontrol[[.]]net- Other DCloud-built scam domainm0vrsq6[[.]]top- Other DCloud-built scam domain
- Other:
+1 7808070747- Phone number displayed on LSSC Canada LNC Lightning Coin registration tutorial, used for victim onboardingAS152194- CTG Server Limited autonomous system number; dominant bulletproof hosting provider for evasive-tier DCloud scam sites, on Spamhaus DROP listFinCEN MSB Registration No. 31000300306222- Genuine FinCEN Money Services Business registration obtained by Yuechi Sharing Technology Ltd. operators as a legitimacy prop; listed address 125 Deansgate, Manchester, M3 2BY, UKHK CR No. 77975280- Hong Kong Certificate of Incorporation for Yuechi Shared Technology Co. Ltd. (躍馳共享科技有限公司), issued 8 April 2025, used as legitimacy prop