IOK Rules: threat_actor_country.china

Detects a family of crypto drainers that utilises a similarly structured landing page.

This phishing kit has been observed to target various postal services & government-related websites such as tolls, as well as mobile phone companies like Vodafone. Based upon these observations through scanning URLScan filtered results, this kit appears to be operated by a Chinese-speaking phishing gang codenamed `PostalFurious` (coined by GROUP-IB).

Detect phishing sites that contain two distinctive files named ResourceRedConfig.js and urlConfig.json. These files are indicative of a phishing kit developed by a Chinese threat actor named Chenlun.