Detect phishing sites that contain two distinctive files named ResourceRedConfig.js and urlConfig.json.
These files are indicative of a phishing kit developed by a Chinese threat actor named Chenlun.
title: Chenlun Phishing Kit 88426540
description: |
Detect phishing sites that contain two distinctive
files named ResourceRedConfig.js and urlConfig.json.
These files are indicative of a phishing kit developed
by a Chinese threat actor named Chenlun.
references:
- https://urlscan.io/result/88426540-8f66-4fe2-b8f2-526e7025ace7
- https://urlscan.io/result/05189f5c-f969-45da-a6fd-d3fec490f0f7
- https://urlscan.io/result/d4886a4c-114a-4a0a-9b07-614fddc6171f
- https://www.domaintools.com/resources/blog/merry-phishmas-beware-us-postal-service-phishing-during-the-holidays/
- https://g0njxa.medium.com/chenlun-a-worldwide-phishing-carding-campaigns-provider-a45c4fed6d1b
detection:
configScript:
requests|contains: 'ResourceRedConfig.js'
urlConfig:
requests|endswith: '/ResourceConfig/urlConfig.json'
condition: configScript and urlConfig
tags:
- kit
- threat_actor_country.china
- threat_actor.chenlun
- target_country.global