Ethical Hacking News
Over 236,000 websites are utilizing templates built using the legitimate yet versatile Chinese open-source framework called DCloud Uni-App to carry out various forms of malicious activities including crypto scams, phishing, and wallet drainers. Infoblox's research highlights the cunning tactics employed by cybercriminals to deceive unsuspecting victims.
Over 236,000 websites are built from DCloud Uni-App templates, a figure that points to the scale of the malicious activity. The framework's templates are being used for a range of fraudulent schemes, including bogus cryptocurrency exchanges and fake gambling platforms. DCloud Uni-App sites are often hosted on reputable providers, making it difficult to distinguish legitimate from malicious websites. Centralized ownership and the sale of scam templates indicate a degree of organization among the cybercriminal groups using DCloud Uni-App. The scams rely on tactics such as fake cryptocurrency exchanges and phishing networks. Cybersecurity professionals must stay vigilant and adapt their strategies to counter these emerging threats.
The threat landscape of cybersecurity has taken a concerning turn as new research from Infoblox reveals that over 236,000 websites are utilizing templates built using the legitimate yet versatile Chinese open-source, cross-platform application development framework called DCloud Uni-App. This staggering figure highlights the vast scope of malicious activities being carried out through these DCloud Uni-App sites.
These malicious operations encompass a wide range of fraudulent schemes, including bogus cryptocurrency exchanges, multi-language pig-butcher websites, fake gambling platforms, brand-impersonation sites, and crypto wallet drainers. The sheer diversity of illicit activities underscores the cunning tactics employed by cybercriminals to deceive unsuspecting victims.
At the heart of this problem lies the DCloud Uni-App framework itself, whose templates are being used as the basis for these malicious operations. While the DCloud framework is legitimate in its own right, its widespread adoption has inadvertently made it easy for nefarious actors to create and disseminate sophisticated scams.
Infoblox notes that the majority of the domains associated with these malicious activities are hosted on reputable providers such as Cloudflare, Alibaba Cloud, Tencent Cloud, and Amazon Web Services. This highlights the challenges faced by cybersecurity professionals in distinguishing between legitimate and malicious websites.
The research also reveals that there is evidence of centralized ownership across a significant chunk of the DCloud-built investment scam websites. Furthermore, threat actors are selling DCloud investment scam templates, which suggests a level of organization and coordination among these groups.
One notable example mentioned in the report is the infamous RainbowEx platform, a bogus cryptocurrency exchange that was involved in a Ponzi scheme impacting tens of thousands of people living in San Pedro, Argentina. The seven individuals linked to this operation were arrested by law enforcement authorities later in 2024.
In addition to the RainbowEx case, Infoblox's analysis of the DCloud-built investment scam infrastructure has shed light on several other notable aspects. For instance, most domains associated with these malicious activities are targeted at speakers of at least eight languages and masquerade as brands ranging from major stock exchanges to retail giants to messaging platforms.
Moreover, Infoblox notes that the majority of the domains fall into two distinct categories - those carrying the DCloud Uni-App framework's basic signatures that go back to 2021, which include both legitimate Chinese businesses and malicious operations, and a second subset that has been active since mid-2022. This subset includes sites run by multiple unrelated operators, comprising a wide variety of fraudulent schemes.
The second set of DCloud scam websites is characterized by its use of sophisticated tactics such as fake cryptocurrency exchanges and deposit-and-trade platforms that impersonate well-known exchanges, cryptocurrency wallet drainers that entice users into connecting their wallets, prediction-market and gambling impersonations, WhatsApp phishing networks, generic template phishing, and credential collection.
Infoblox highlights the complexities surrounding these scams, noting that the same playbook has been employed in two publicly known operations - the LSSC scooter sharing investment scam and a bicycle sharing investment-themed scam. Both of these scams used the DCloud Uni-App framework to deceive victims and targeted Australia, New Zealand, and the U.S.
In conclusion, the findings from Infoblox's research underscore the ever-evolving threat landscape in cybersecurity. As malicious actors continue to find new ways to exploit vulnerabilities, it is essential for cybersecurity professionals to stay vigilant and adapt their strategies to counter these emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/236000-DCloud-Uni-App-Sites-Used-in-Crypto-Scams-Phishing-and-Wallet-Drainers-ehn.shtml
https://thehackernews.com/2026/06/236000-dcloud-uni-app-sites-used-in.html
Published: Wed Jul 1 13:56:13 2026 by llama3.2 3B Q4_K_M