Numerous Western Companies May Still Need to Ban FUNNULL Admin Accounts to Comply with U.S. Treasury Sanctions

Key Findings

  • Silent Push Threat Analysts have been mapping the scope of the FUNNULL content delivery network (CDN) and its use of Infrastructure Laundering to hide its infrastructure among major Western cloud providers, such as Amazon and Microsoft, forcing defenders to stay constantly alert in order to identify and block its accounts. We labeled the threat actor network “Triad Nexus.”
  • FUNNULL CDN is a primary source for hosting fraudulent websites used against Americans, and the Treasury Department and FBI issued joint advisories on FUNNULL in May 2025, announcing the network and its administrator, Lizhi Liu, were added to the U.S. sanctions list due to their support of scam investment sites.
  • We confirmed FUNNULL admin Lizhi Liu (also known as “Steve/Steven” Liu) maintains accounts on many major Western services. We’re providing this public report on potential accounts used by Liu in our support of U.S. organizations that may need to ban these accounts to ensure compliance with U.S. Treasury Sanctions frameworks.
  • During the persona mapping process, we also discovered anti-American and anti-Japanese content written by Liu and have included a brief analysis from his blog.
  • Our team notes that Liu is still actively using his Facebook account to update a group he manages about Ganzhou, China, making posts and content changes through June 2025, weeks after the sanctions were issued.
  • Brian Krebs (Krebs on Security) published this research in collaboration with Silent Push in his piece “Big Tech’s Mixed Response to U.S. Treasury Sanctions,” confirming that enterprise companies are responding to the U.S. Treasury sanctions in unique ways, with not all companies immediately banning the accounts or taking significant actions.

Executive Summary

Silent Push has been tracking “Funnull Technology Inc.” (funnull[.]com) and the malicious websites hosted on this CDN since 2022. Our team has written extensive private and public reports, including the October 2024 report, “Unveiling Triad Nexus: How FUNNULL CDN Facilitates Widespread Cyber Threats,” and its January 2025 follow-up, “Infrastructure Laundering: Silent Push Exposes Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech.”

In May 2025, when the Treasury and FBI announced U.S. sanctions against FUNNULL and its administrator, Lizhi Liu, we were pleased to see renewed attention on this ongoing threat from China.

Since our data had already shown that the FUNNULL CDN was behind a huge portion of investment scam websites, we were unsurprised to see the Treasury Department announce, “Funnull is linked to the majority of virtual currency investment scam websites reported to the FBI.” The same announcement disclosed that FUNNULL CDN-hosted websites have caused over $200 million in losses to U.S. victims, with an average loss of $150,000 per individual from the finance schemes hosted on these websites. As a result, the FBI has ongoing efforts to connect with victims impacted by the FUNNULL-hosted campaigns.

Chainalysis and other crypto tracking companies have since confirmed that FUNNULL had direct transactions with wallets connected to Huione Pay, the illicit marketplace and money laundering ecosystem recently flagged by FinCEN as part of a proposed rulemaking effort to classify the network as a “financial institution of primary money laundering concern,” to sever its connections with the U.S. financial system.

After the May 2025 U.S. Treasury OFAC Sanctions were issued against FUNNULL and its admin Liu, additional details were made public in the Specially Designated Nationals List Sanctions Update about Liu’s other names and usernames he has across the internet.

Silent Push Threat Analysts have taken those usernames and further pivoted into Liu’s older personas, public blogs, and websites (listed throughout this report as identified), to reveal Western services and infrastructure that have yet to ban his accounts.

Google appears to be one of the few companies that have tracked Liu’s accounts and taken action against them. Liu’s YouTube channel (youtube[.]com/@nicelizhi) was recently taken down with no indication that Liu did it himself, based on his other live accounts and websites.

The following enterprise software companies, publishers, and social networks were found still hosting accounts owned by Lizhi Liu:

  • X/Twitter
  • GitHub / Microsoft
  • LinkedIn / Microsoft
  • Facebook / Meta
  • Google Code / Google Groups / Alphabet
  • Medium
  • PayPal
  • WordPress
  • HuggingFace
  • Gravatar / WordPress
  • Vercel
  • Deviant Art / Wix
  • Flickr / SmugMug
  • About Me / Vendasta
  • Tawk[.]to

Background on Funnull Admin Lizhi Liu

Lizhi Liu, also known as Steve Liu (additional personas explained below), is a 41-year-old male from China who has been an active web developer with a visible presence since at least 2010. Liu is the administrator of the FUNNULL CDN and appears to be both the lead developer and owner. Liu is also a father, has a small family, and has a long-term interest in fashion and photography.

An expert developer, Liu has seemingly been the brains behind this CDN, which profits from “Infrastructure Laundering” techniques that consistently abuse Western cloud providers to illicitly acquire accounts and quickly map IPs into the FUNNULL infrastructure, essentially allowing threat actors to host their websites for free, primarily on Western providers.

Silent Push Threat Analysts believe it to be doubtful that Liu is the actual mastermind behind many of the investment schemes and money laundering networks hosted on FUNNULL. We dubbed this network “Triad Nexus,” since we believe various unnamed criminals are profiting from the scheme.

Historically a strong advocate of open-source software, Liu has written extensively on the topic, published open-source code repositories, and been actively engaged in a range of developer forums and communities.

Liu has also written statements on his blogs that could be considered “anti-American” and “anti-Japanese,” although he rarely wrote about politics, and these were outlier comments.

Silent Push threat analysts believe Liu is now attempting to conceal the infrastructure that FUNNULL hosts in the wake of the U.S. sanctions.

The remainder of this report contains a persona profile of FUNNULL admin Liu, along with links to some of his still-active profiles and websites. Many are hosted on Western providers who likely need to ban the accounts to comply with U.S. Treasury sanctions against him.

FUNNULL Admin Lizhi Liu

Names

  • Lizhi Liu (Chinese Simplified: 刘理志)
  • Steve Liu
  • Steven Liu
  • Steven Lizhi
  • Jane Liu

Companies Associated with

  • FUNNULL Technology Inc.
  • Shanghai Zhiyancheng (上海志彦成) aka “Shanghai Zhiyan” aka “SHZY Inc.”

Location

  • No. 2 Shaguo Group, Yangmei Village, Huangjin Ridge, Zhanggong District, Ganzhou, Jiangxi, China
  • Lianhang Road, No. 1698, 5 Building, Pujiang Town, Minxing District, Shanghai, China; Lulian Road, 100 Alley, No. 5, Room 1202, Pujiang Town, Minxing District, Shanghai, China
  • Puxinggong Road, 9688, Alley No. 5, Haiwan Town, Fengxian District, Shanghai, China

DOB

  • November 13, 1984

Gender

  • Male

China National ID Number

  • 36070219841113373X

Phone Numbers

  • 13524084051 (old)
  • +86 18217614046 (old)

Usernames

  • NICE LIZHI
  • NICELIZHI
  • XXL4
  • kongfaceworld
  • cdndns
  • zylinkus
  • phpedu
  • cnphp
  • modelsnetcn
  • chinawolfs
  • shanghaiopensource
  • QQ: 3139319
  • bmchaoshi (used on his blog cnphp.wordpress[.]com but seemingly nowhere else)

Emails

  • nice.lizhi@gmail[.]com
  • lizhi.liu@ymail[.]com
  • lizhi.liu@foxmail[.]com
  • chinawolfs@hotmail[.]com
  • chinawolfs@yahoo[.]com
  • chinawolfs@aol[.]com
  • steven@zylinkus[.]com
  • steve@models[.]net[.]cn
  • magentocommerce[.]com@gmail[.]com
  • zylinkus[.]com@gmail[.]com
  • liulizhi@liulizhi[.]info

GitHub and Public Repos

  • github[.]com/xxl4
  • github[.]com/nicelizhi
  • github[.]com/shanghaiopensource
  • github[.]com/zylinkus
  • github[.]com/NexaMerchant – NexaMerchant is an e-commerce company owned by Liu
    • NexaMerchant further promoted on models[.]net[.]cn (models[.]net[.]cn/nexa-merchant)
  • packagist[.]org/packages/nicelizhi/
  • pkg.go[.]dev/github.com/nicelizhi/easy-admin
  • uihub.licode[.]ai/directory/laravel-admin

Websites

  • zylinkus[.]com
  • models[.]net[.]cn
  • cnphp.wordpress[.]com
  • cnblogs[.]com/cnphp
  • mote001[.]com
  • nexa-merchant[.]vercel[.]app
  • liulizhi[.]info (does not appear to be currently owned by Liu; the Wayback Machine copy of the old blog shows it was active starting in 2010)

Social Profiles

  • medium[.]com/@cdndns
  • x[.]com/kongfaceworld
  • x[.]com/phpedu
  • youtube[.]com/@nicelizhi
  • buymeacoffee[.]com/nicelizhi
  • paypal[.]com/paypalme/nicelizhi
  • linkedin[.]com/in/zylinkus
  • linkedin[.]com/in/liulizhi
  • facebook[.]com/shgnahaizhiyan
  • facebook[.]com/webdesignshanghai
  • facebook[.]com/lizhi.liu
  • facebook[.]com/enjoyganzhou/
  • huggingface[.]co/xxl4
  • weibo[.]com/shzylinkus
  • deviantart[.]com/nicelizhi

Photos Used by Lizhi Liu

Photo of Lizhi Liu
Image of a hoodie with no visible face, used by Liu as a profile picture
Black and white photo of Lizhi “Steve” Liu

The research included below contains significant amounts of screenshots and details, as we believe that many of these accounts will be banned and/or deleted in the coming days and weeks.


Open Source Pivots on Liu Shared with District 4 Labs for Further Pivots Using Breach Data

Silent Push Threat Analysts shared the accounts and details found via the pivots in this research with District 4 Labs, who provided additional data and insights about Liu’s accounts.

Although many pivots were shared back with us, the common name “Lizhi Liu” (and Steve/Steven Liu) made it impossible to confirm that Liu truly owned all of the potential accounts and infrastructure we have been tracking.

However, Liu’s email address, “chinawolfs@hotmail[.]com,” has been in use for nearly two decades and is associated with a significant history of breaches.

The email address was paired with two simple passwords, both containing his name, reused across numerous services.

The first password was elementary, and we found it was associated with numerous people with the name “Lizhi Liu” – some of which were clear false positives – so we rejected that pivot, even though it likely generated a few true positives for niche legacy services.

However, Liu also reused a more complex password that included his birth year, month, and date, along with his name. We are not directly sharing the password he used because we don’t want to encourage password spraying efforts on his accounts. However, the email addresses associated with this unique password were used across multiple providers.

The first three emails use his persona “chinawolfs,” and we have strong confidence that these are directly controlled accounts:

  1. chinawolfs@yahoo[.]com
  2. chinawolfs@hotmail[.]com
  3. chinawolfs@aol[.]com

The remaining accounts used some random email addresses. We believe it’s possible that some of these came from “combo breach lists,” which contained bad data: a threat actor selling email/password lists may have stuffed their list with fake details to make it larger and potentially more profitable in a sale. As a result, we’re not making these other emails public and have shared them only with select organizations that can conduct private investigations into the accounts.

“Focus on Open Source Liu Li Zhizhi” – His 2010 Personal Blog

In 2010, Liu launched one of his personal blogs at cnphp[.]wordpress[.]com, which is still live in 2025. The blog was created in Chinese, but the screenshots we captured have been translated into English via Google Translate.

The “About” page on the blog features a variety of contact information, including email addresses and social media links for Liu. The accounts connect to many other pieces of infrastructure from different sources, confirming that it’s the same Liu Li Zhizhi, also known as Steven Liu.

The username “bmchaoshi” is exclusive to this website, but it appears to be an early Liu persona.

Liu's "Focus on Open Source" blog "About" page in 2010
Source: cnphp[.]wordpress[.]com/about/

In July 2010, Liu posted his first blog explaining his goals to write and study more English.

Screenshot of Liu's first blog stating he created it to write and study more English
Source: cnphp.wordpress[.]com/2010/07/26/today-is-find-day/

On September 22, 2010, Liu posted a rare political blog (cnphp.wordpress[.]com/2010/09/22/) during China’s Mid-Autumn Festival.

The section below, as translated by Google Translate, is rough. Still, other translation services confirmed this is essentially a post about grievances toward Japan, and also, to a lesser degree, the United States.

  • The post includes the comment that “every Chinese citizen” has the idea to let “Japan disappear from the earth.”
  • Liu further states that even if China has corruption, “it does not belong to any country including Japan [or] the United States.”
  • Liu ends the piece with a bold statement about revenge: “The Chinese people have always been a nation that must repay grievances. Please let the world better understand the Chinese nation!”

Screenshot of Liu's rare political writings on his blog: anti-Japan and anti-USA
Liu’s rare political blog post

Second “Focus on Open Source Liu Li Zhizhi” Blog from 2010

Liu published another personal blog around 2010 with a similar title to the one hosted on WordPress, with this one hosted at liulizhi[.]info.

The content on this blog focuses on business optimization, life hacks, and a limited amount on technology issues. Most of the “blog posts” were hyperlinks to third-party content, but there is potentially some light original content here.

Liu created a blog on Open Source in 2010
Liu’s blog: “web.archive[.]org/web/20101129031524/http://liulizhi.info/”

The “About” page for this blog features the name “Liu Lizhi” and three email addresses that align with other sources our team has observed:

  • chinawolfs@hotmail[.]com
  • liulizhi@liulizhi[.]info
  • nice.lizhi@gmail[.]com

The “About” page on Liu’s blog

Liu’s Personal Website Models[.]net[.]cn Highlights Interests in Computers, Fashion, and Some Politics

Liu has an active blog at models[.]net[.]cn, which has seen over 900 posts since its launch in 2023 (models[.]net[.]cn/new-blog-start/).

Screenshot of Liu's blog starting on his site Models[.]net[.]cn
Liu’s blog “models[.]net[.]cn/new-blog-start/”

The WHOIS details from Silent Push associated with models[.]net[.]cn show that the email “lizhi.liu@foxmail[.]com” was used to register the domain, with the first record seen on March 12, 2022.

DNS “A records” were first observed associated with this domain in March 2022, but it appears the blog wasn’t launched immediately.

Silent Push Community Edition observed WHOIS info on Liu
“community[.]silentpush[.]com/enrichment/domain/models.net.cn?tab=whois&highlights=collapsed”

The “name” used to register this domain was “上海志彦文化传播有限公司” which translates to “Shanghai Zhiyan Culture Communication Co., Ltd.” – the same name used on the Facebook page for “shgnahaizhiyan” (facebook[.]com/shgnahaizhiyan) which is connected to Liu through the zylinkus[.]com and mote001[.]com domains.

Screenshot of a Facebook page associated with Liu
Source: “facebook[.]com/shgnahaizhiyan”

Liu seems to have edited some of the posts on Models[.]net[.]cn on May 25, 2025, so the original publication dates are not precise.

In the first and second posts on the site, which were backdated to the 1980s (models[.]net[.]cn/day/day-1984-11-13/), Liu explains the day he was born and the second day after his birth, providing some background on his family and name.

Liu posted about his day of birth on his Models[.]net[.]cn site
Liu’s “models[.]net[.]cn/day/day-1984-11-13/”

On September 7, 2012, there was a post (models[.]net[.]cn/page/97/), “Today is the day when my company was established, please record it.” It’s unclear if this is the predecessor to FUNNULL or a separate tech company.

This appears to be another back-dated post, with a recent edit made on May 25, 2025.

Screenshot of Liu's Models[.]net[.]cn page talking about "Sunny Shanghai" in 2012
Liu’s “models[.]net[.]cn/page/97/”

In December 2023, Liu wrote a blog on Christmas (models[.]net[.]cn/weekendday-2023-12-24/) and the challenges he faced, hoping the next year would bring more prosperity.

Screenshot of Liu's Christmas blog post in 2023
Liu’s Christmas blog: “models[.]net[.]cn/weekendday-2023-12-24”

Across the rest of the blog, there are a significant number of “photos of models” and various fashion magazine covers. This is interspersed with links to third-party news sites, including some that cover cybersecurity threats and others originating from China.

The “About” page (models[.]net[.]cn/about-me/) features a brief description under the heading “Hi 👋, I’m Steve”:

I’m a software engineer with a passion for building high-quality software products. I have experience in full-stack web development, mobile app development, and cloud computing. I enjoy working on challenging projects and solving complex problems. I’m always looking to learn new technologies and improve my skills.

The “Tools” page of the website (models[.]net[.]cn/tools/) features hundreds of links to developer websites and repositories, further showing the amount of time Liu has spent engaging with developer communities on the internet.

Zylinkus, aka Shanghai Zhiyancheng (上海志彦成) – Possibly Liu’s First Company, Founded 2012

The domain zylinkus[.]com referenced on many of Liu’s social profiles features content from a “Steve Liu” and makes mention of a company founded in 2012 called “Shanghai Zhiyan,” which is described as:

  • Shanghai Zhiyan was founded in 2012 and is a network service agency focusing on high-end website construction and brand communication. Years of training have given us rich experience in creative design, marketing promotion and technology research and development. We are good at listening to corporate needs, exploring the core value of brands, integrating high-quality design and the latest technology to create a valuable creative design experience for you. The core team has a senior team with more than 8 years of industry experience, covering professionals in various fields such as creativity, strategy, and technology. We firmly believe that every successful project is the result of good teamwork and provide customers with professional and effective network solutions.

Screenshot of Zylinkus[.]com domain
Example of the domain “zylinkus[.]com”

On the zylinkus[.]com website, the chat widget brand “Tawk[.]to” provides chat services for visitors.

Tawk[.]to is a free website chat widget tool legally operating out of Nevada, with most of its employees based in the Philippines, according to LinkedIn company data.

Screenshot of the Tawk[.]to website chat widget Liu used
Example of the “tawk[.]to” website chat widget

This same Zylinkus brand also has a LinkedIn page where they use the name “Shanghai zy web design co.lltd” with the phone number “86.18217614046” which is also seen on the Zylinkus contact page (zylinkus[.]com/contact-us/).

  • linkedin[.]com/company/shanghai-zy-web-design-co-lltd/about/

Liu's LinkedIn profile for Zylinkus
Source: “linkedin[.]com/company/shanghai-zy-web-design-co-lltd/about/”

Further searching of the phone number from the LinkedIn page yields two pages on the Zylinkus domain: one is their Contact Us page, which clarifies that Steve Liu is the founder of “SHZY Inc.” The page further clarifies that the business goals align with website development:

  • Shanghai Zhiyan was founded in 2012 and is a network service agency focusing on high-end website construction and brand communication. Years of training have given us rich experience in creative design, marketing promotion and technology research and development. We are good at listening to corporate needs, exploring the core value of brands, integrating high-quality design and the latest technology to create a valuable creative design experience for you.

Liu's Zylinkus "Contact Us" page
Example of the Contact Us page: “zylinkus[.]com/contact-us/”

The phone number also connects to a unique product and “DNS” sales page on the Zylinkus domain (zylinkus[.]com/dns/).

The “GUNDNS Smart DNS system” is briefly explained on this generic sales page, accompanied by stock images and some generic details. It seems this sales page was essentially left unfinished:

Screenshot of Zylinkus[.]com/dns
Source: “zylinkus[.]com/dns/”

The “GunDNS Smart DNS System” from Zylinkus, with code originally from “PowerDNS,” may be associated with the FUNNULL infrastructure; our investigation is ongoing.

Zylinkus also has a Facebook page (facebook[.]com/webdesignshanghai).

Mote001[.]com – Previous Effort to Recruit Models, Work in Fashion, Used “Jane Liu” Persona

In March 2018, Liu’s “@phpedu” Twitter account posted a series of tweets promoting mote001[.]com.

Screenshot of Liu's X/Twitter post as "@phpedu"
Liu’s “x[.]com/phpedu/status/969236051716984832”

The mote001[.]com website had the same content in 2018 as it did until late 2024, as seen on the Wayback Machine. The footer of the website states, “Powered by SHZY,” and links to zylinkus[.]com, which we confirmed is owned by Liu.

This website also carried an ICP number, the Chinese Internet Content Provider license, of “沪ICP备13038830号-4”.

We can search for this Chinese ICP number via the Silent Push ICP license field, using the Web Scanner ICP license search query:

  • datasource = ["webscan"] AND body_analysis.ICP_license = "*13038830*"

The ICP search further confirmed that the ICP number used in the footer of mote001[.]com is the same one used on Liu’s zylinkus[.]com.
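As an added illustration of the ICP pivot described above (example code written for this edit, not Silent Push tooling): the script below extracts ICP filing numbers from scanned page bodies with a regular expression and groups domains by the base filing number, which is the same effect the wildcard query “*13038830*” has over scanned bodies. The HTML snippets are constructed samples, not captures of the real sites, and the assumed filing-number format (one province character, “ICP备” or “ICP证”, a 6–8 digit number, “号”, and an optional “-N” site suffix) is an assumption of this example.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Assumed ICP filing-number format, modelled on the value quoted in the report
# (沪ICP备13038830号-4): a one-character province prefix, "ICP备" (filing) or
# "ICP证" (licence), the filing number, "号", and an optional "-N" suffix that
# distinguishes several sites registered under one filing.
ICP_RE = re.compile(r"([\u4e00-\u9fff])ICP[备证]\s*(\d{6,8})号(?:-(\d+))?")


def extract_icp(html: str) -> list[tuple[str, str, str | None]]:
    """Return every (province, filing_number, site_suffix) found in a page body."""
    return [(m.group(1), m.group(2), m.group(3)) for m in ICP_RE.finditer(html)]


def pivot_by_icp(pages: dict[str, str]) -> dict[str, list[str]]:
    """Group domains by filing number, ignoring the -N suffix, which is what a
    wildcard search such as *13038830* over scanned page bodies achieves."""
    groups: dict[str, set[str]] = defaultdict(set)
    for domain, body in pages.items():
        for _province, number, _suffix in extract_icp(body):
            groups[number].add(domain)
    return {number: sorted(domains) for number, domains in groups.items()}


def shared_filings(pages: dict[str, str]) -> dict[str, list[str]]:
    """Keep only filing numbers seen on more than one domain: the pivots worth
    following, since a shared filing usually indicates a shared operator."""
    return {n: d for n, d in pivot_by_icp(pages).items() if len(d) > 1}


# Constructed sample page bodies (not real captures of these sites). The two SHZY
# footers reuse the filing number the report found shared; the others are controls.
SAMPLE_PAGES = {
    "mote001[.]com": '<footer>Powered by <a href="https://zylinkus[.]com">SHZY</a> 沪ICP备13038830号-4</footer>',
    "zylinkus[.]com": '<div class="foot">© SHZY Inc. | 沪ICP备13038830号-1</div>',
    "other.example": "<p>京ICP备12345678号</p>",  # constructed, unrelated filing
    "nofiling.example": "<p>No filing number in this footer.</p>",
}

if __name__ == "__main__":
    for number, domains in shared_filings(SAMPLE_PAGES).items():
        print(f"ICP filing {number} shared by: {', '.join(domains)}")
```

Run as a script it reports the one filing number that ties the two constructed SHZY pages together; the unrelated filing and the page without a footer are dropped. Extending the sample dictionary with real scanner output is the only change needed to use it on live data.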

In 2021, Liu posted on Weibo about mote001[.]com (weibo[.]com/3042772513/CeljQk2Sa); the Chinese post translates to, “Recruit model acting, please email us @Mote001.”

Screenshot of Liu posting on Weibo
Source: “weibo[.]com/3042772513/CeljQk2Sa”

The website features some fashion details, which align with his personal blog. The only writers on the site (as seen on the Wayback Machine) are named “Admin” and “Jane Liu”; the “Jane” persona is likely a pseudonym used by Steve Liu for the project.

Wayback Machine example of the writers “Admin” and “Jane Liu” on the website

Liu’s Third “Focus on Open Source” Blog

Liu also owns another low-quality developer blog hosted at cnblogs[.]com/cnphp – a Chinese service for hosting blogs. The blog was live from September 2023 until December 2024.

The title of the blog, when translated to English, is “Focus on open source Liu Li Zhizhi,” with the content primarily consisting of simple tutorials.

Screenshot of Liu's third "Focus on Open Source" blog
Liu’s third Focus on Open Source blog, “cnblogs[.]com/cnphp”

Google’s YouTube Potentially Banned Liu

Liu had a YouTube account under the username “NiceLizhi” (youtube[.]com/@nicelizhi) until it was banned in mid-June 2025. The account was opened on October 27, 2011, and was essentially live for 14 years, featuring a series of developer demonstration videos for some of his projects.

The profile used the name “Steve,” with the description, “Full stack,DevOPS,Cloud Develop,Kubernetes, CDN, DNS.”

Liu linked to his GitHub profile at github[.]com/nicelizhi, which has since been renamed to github[.]com/xxl4, and to a Twitter profile at twitter[.]com/kongfaceworld.

Liu's YouTube channel page was taken down
Liu’s YouTube channel: “youtube[.]com/@nicelizhi”

The YouTube profile associated with this account features a model who is also showcased on a separate personal website, which includes numerous photos of models.

Image from Liu's YouTube channel of a model in a red Oscar de la Renta gown
youtube[.]com/@nicelizhi

2013 Google Code Archive for Zylinkus: Still Live

Liu’s Zylinkus, also known as Shzy, had a Google Code Archive created on February 26, 2013.

Code created in 2013 for Liu’s Zylinkus is still active

2011 Google Groups Post from “Lizhi” Connects to Numerous Liu Personas

In November 2011, user “liulizhi” with the name “lizhi” posted a guide, “Performance Tuning Guidelines for Windows Server 2003,” whose signature included contact details connecting to numerous Liu personas and accounts:

  • Name: lizhi http://about[.]me/liulizhi
  • Weibo: http://weibo[.]com/phpedu
  • MSN: chinawolfs@hotmail[.]com
  • Tel: 86.13524084051
  • QQ: lizhi.liu@foxmail[.]com
  • Services: http://www.liulizhi[.]info/services/

Screenshot of Liu's Google Groups post
2011 Google Groups post: “groups.google[.]com/g/liulizhi/c/gpWJuBt3jaw”

Liu’s About[.]Me Profile Connects to Active LinkedIn, Flickr Accounts

The About[.]me profile for Lizhi Liu (about[.]me/liulizhi), linked from his Google Groups signature, further links to his Flickr and LinkedIn accounts:

  • linkedin[.]com/in/liulizhi/
  • flickr[.]com/people/liulizhi/

Screenshot of Liu's "About[.]me" page
Liu’s “about[.]me/liulizhi”

Liu’s Personal Flickr Started in 2010, 1,000+ Images Publicly Available

Liu’s personal Flickr account (flickr[.]com/photos/liulizhi/) was created in 2010 and uses the name “Liu Lizhi” and a profile photo seen on some of his other social accounts.

The account currently has 34,000 views, 16 tags, and over 1,000 photos.

Screenshot of Liu Lizhi's Flickr account "About" page
Liu’s personal Flickr account: “flickr[.]com/photos/liulizhi/”

This personal account features hundreds of photos of models and various stock photography, along with a few pictures of Liu himself in multiple poses.

It appears all the images of Liu can be seen under the tag “刘理志”, which translates to “Liu Lizhi.”

Liu included images of himself on his models' Flickr page
Images of Liu accompany hundreds of models’ photos on “flickr[.]com/photos/liulizhi/tags/刘理志/”

Liu’s “Model ZY” Flickr Account: Currently Private

The “Model ZY” Flickr account, created in June 2013 with the email address “steven@zylinkus[.]com,” has over 120,000 views and 82 tags, but no images are currently public.

The account was made private at some point, but based on the view and tag counts, it is likely that private images are still stored in the account.

Liu's personal Flickr page
Liu’s “flickr[.]com/people/zymodel/”

Liu’s GitHub Profile Shows Significant Open Source Collaboration, GunDNS Code

Liu’s GitHub profile is currently github[.]com/xxl4.

  • Original profile @ github[.]com/nicelizhi

The “@xxl4” GitHub profile features the name “Steve” and the bio, “I’m currently a full stack developer and SRE engineer.”

The GitHub profile promotes three domains:

  • models[.]net[.]cn
  • Liu’s profile on huggingface[.]co/xxl4
  • Liu’s writing at medium[.]com/@cdndns

Screenshot of Liu's "xxl4" GitHub profile page
Liu’s GitHub profile

The profile photo for Liu’s “xxl4” profile on GitHub is odd: it’s not him. The original image shows a member of the “Tactical Air Control Party (TACP) Airmen with the New Jersey Air National Guard’s 227th Air Support Operations Squadron,” and the original photo is published online. The GitHub profile photo is identical:

Profile image from Liu's "xxl4" GitHub account
Profile photo from Liu’s “xxl4” GitHub account

One of Liu’s repositories, called “GunDNS-Admin,” appears to be a clone of “PowerDNS-Admin” and has over 130 contributors to the code.

  • github[.]com/xxl4/gundns-admin/graphs/contributors

Screenshot of Liu's GunDNS-Admin repo
Example of Liu’s “GunDNS-Admin” repo

The owner archived the repository, and it is now read-only:

The GitHub GunDNS page changed to "read only"
“github[.]com/xxl4/gundns-admin/graphs/contributors”

The “GunDNS-admin” project has many of the same contributors as “PowerDNS-admin” which is a popular open source repository (github[.]com/PowerDNS-Admin/PowerDNS-Admin). Liu’s relationship to this community and code is unclear, but it appears to be one of his more engaged repos.

NexaMerchant GitHub Organization

NexaMerchant (github[.]com/NexaMerchant) appears to be an unpopular open-source service created by Liu and hosted on GitHub, which connects to several of his other GitHub profiles.

The project is described as a “Free laravel ecommerce” framework.

GitHub NexaMerchant screenshot of Liu's page
“github[.]com/NexaMerchant”

On the NexaMerchant “Followers” page (github[.]com/orgs/NexaMerchant/followers), there are unique “Suspended” notes visible next to four of the profiles, even though they are still visible and active on GitHub.

Screenshot of NexaMerchant "Followers" page
The NexaMerchant Followers page: “github[.]com/orgs/NexaMerchant/followers”

The four profiles with the “Suspended” note associated with NexaMerchant are:

  • github[.]com/shanghaiopensource – includes links to zylinkus[.]com in the profile and appears to be the original GitHub account used by Liu’s first company, “Shanghai Zhiyancheng”
  • github[.]com/zylinkus – another official zylinkus[.]com profile
  • github[.]com/xxl4 – Liu’s personal GitHub account, tied to numerous other details
  • github[.]com/heomai – only connections to NexaMerchant and other Liu personas – started the xxl4 “Easy-admin” repo

Screenshot of GitHub NexaMerchant page
Source: “github[.]com/heomai?tab=stars”

NexaMerchant claims to be a payment gateway working with numerous financial corporations. Its list of claimed partners includes:

  • Stripe, PayPal, Alipay, WeChat Pay, UnionPay, Apple Pay, Google Pay, Samsung Pay, Amazon Pay, Visa, Mastercard, Amex, Discover, JCB, Diners Club, Maestro, Elo, Hipercard, Aura, COD, Checkout, Subscription, CMS, Blog, Shopify, Shopline, Airwallex.

Deviant Art Profile Includes Liu’s Real Birthdate

The “NiceLizhi” profile on Deviant Art (deviantart[.]com/nicelizhi), created within the last six months, indicates it originated in 2025 or late 2024. The profile includes the name “Steve Liu” and has the birthdate set as November 13, the exact birthdate released by the U.S. Treasury Department.

The location was set as Hong Kong, and the pronouns used when signing up were “They/Them.”

Liu's website "Deviantart[.]com"
Liu’s website: “deviantart[.]com/nicelizhi”

Liu’s Gravatar Profile Uses the Name “Steven Lizhi”

Liu’s Gravatar profile (gravatar[.]com/nicelizhi) with the username “Nicelizhi” uses the name “Steven Lizhi” and a unique profile photo from a 2017 fashion shoot for “Shuba Magazine.”

Screenshot of Steven Liu's Gravatar profile
Liu’s Gravatar profile: “gravatar[.]com/nicelizhi”

Let’s Encrypt Profile, Active Posting for 1 Month in 2018, Active Account Through 2024

“Steven Liu” created his Let’s Encrypt account in 2018, and it remained active for a month (community[.]letsencrypt[.]org/u/nicelizhi/summary). However, it was last observed on December 18, 2024, indicating that he has maintained his account for six years.

Screenshot of Liu's Let's Encrypt account page
Liu’s Let’s Encrypt account: “community[.]letsencrypt[.]org/u/nicelizhi/summary”

Hugging Face Comment & Metadata Indicate Liu Uses an Apple Laptop

Liu has a Hugging Face profile (huggingface[.]co/xxl4) with the username “xxl4” and the first name Steve. The profile photo is for NexaMerchant, and features a link to his xxl4 GitHub along with the domain “models[.]net[.]cn.”

Liu has a profile on Hugging Face
Liu’s Hugging Face profile: “huggingface[.]co/xxl4”

It appears that Liu loaded his “Hardware settings” into Hugging Face, which lists an Apple M1 Pro with 16GB of RAM and a 32GB 13th Generation Intel Core i7 system.

Liu’s laptop specs loaded in “hardware settings” on Hugging Face

In a Google Gemma-7b discussion on Hugging Face, Liu was having trouble getting the model to run. A user at Google provided comments reminding him that 20GB of RAM was needed, and Liu responded, “Thank you, and now i don’t have GPU, i use CPU, my computer is 32G RAM memory, i want to change a smaller models to debug.”

Liu’s post: “huggingface[.]co/google/gemma-7b/discussions/112”

2008 Ubuntu Forum Post Shows Early Public Use of the “chinawolfs@hotmail[.]com” Email

In March 2008, the Chinese Ubuntu forum featured a post from a user with the handle “chinawolfs@hotmail[.]com,” which was known to be used by Liu.

The Ubuntu user was from “Shanghai” and asked several beginner questions about getting started with developing projects in PHP on Ubuntu Linux.

Chinese Ubuntu forum page: “forum.ubuntu[.]com.cn/viewtopic.php?t=112707”

Liu asked questions on the forum page: “forum.ubuntu[.]com.cn/viewtopic.php?t=112707”

Liu Lizhi’s Slideshare Connects to “ChinaWolfs” Persona and Personal Website

Liu Lizhi uses what appears to be a “South Park” profile photo on his Slideshare account, which promotes the domain “liulizhi[.]info” and uses the username “chinawolfs.”

The account features four developer presentations from 15 and 16 years ago, created by other individuals, as well as “likes” for several developer presentations. Additionally, it includes a document, “The Psychology of Selling” by Brian Tracy, and a document about Ubuntu Linux.

Liu’s location is listed as “ShangHai China,” and his occupation as “manager” and “WEB Dev & Database DEV.”

  • slideshare[.]net/chinawolfs

Liu’s SlideShare: “slideshare[.]net/chinawolfs”

Liu’s PayPal Profile

Liu also has a PayPal profile at paypal[.]com/paypalme/nicelizhi. He uses the name “Liu Lizhi” on the profile “nicelizhi,” and the location is set to Shanghai.

Liu’s PayPal profile: “paypal[.]com/paypalme/nicelizhi”

Liu’s Facebook Profiles, Pages, and Groups

Steven Liu (刘理志) has a Facebook profile (facebook[.]com/lizhi.liu) with 291 friends and a location set to Shanghai, China. Liu’s “Intro” text is “小白” which translates to “noob.”

All other details on the account have been locked down and made private.

Source: “facebook[.]com/lizhi.liu”

Liu is still actively using his Facebook account even after the U.S. Treasury sanctions were issued, with edits to his Facebook Group (facebook[.]com/groups/ganzhou) occurring as recently as June 22, 2025, when he changed the group name from “赣州” (Ganzhou) to “赣州-客家摇篮” (Ganzhou – Cradle of Hakka).

Liu’s group: “facebook[.]com/groups/ganzhou”

There are two admins of this Ganzhou Facebook Group – Liu controls both accounts.

  • Liu’s admin details (facebook[.]com/groups/1420660624900919/user/100001332810575)
  • Ganzhou admin details (facebook[.]com/groups/1420660624900919/user/100064372734963)

Source: “facebook[.]com/groups/ganzhou/members/admins”

Liu also controls another Ganzhou tourism page called “赣州” (facebook[.]com/enjoyganzhou/) with over 1,000 followers, where he promotes his email “nice.lizhi@gmail[.]com” along with the government domain “ganzhou[.]gov[.]cn.” The most recent post from this page was in August 2024.

Liu controls the tourism page: “facebook[.]com/enjoyganzhou/”

In March 2017, Liu created a Facebook page (facebook[.]com/modelsnetcn) named “中国模特演艺人才网” which translates to “China Models and Performing Arts Talent Network.” This was renamed in March 2022 to the current name, “models[.]net[.]cn.”

Liu’s models page: “facebook[.]com/modelsnetcn”

This “models[.]net[.]cn” Facebook page uses the email address “steve@models[.]net[.]cn.”

Liu’s models[.]net[.]cn Facebook page

The “models[.]net[.]cn” Facebook page links to both the “models[.]net[.]cn” and “mote001[.]com” domains – both have been observed as connected to Liu elsewhere.

The “models[.]net[.]cn” page links to “mote001[.]com,” also connected to Liu

Liu created a Facebook Group (facebook[.]com/groups/models.net.cn/) in April 2014, which is still live, promoting his Chinese modeling and photography efforts on the domain mote001[.]com and models[.]net[.]cn.

Source: “facebook[.]com/groups/models.net.cn/”

In 2018, Liu organized two Facebook events that are still live on Facebook.

The first event (facebook[.]com/events/1987558024892514/1987558044892512/) from August 16, 2025 was described as:

  • In order for our descendants to have more information about Ganzhou’s traditional culture, and to do something about the gradual loss of Ganzhou culture. I hope that all of our members can keep the pictures, texts, videos and other materials collected from various areas. We will review these materials and update them to the Wikipedia column. Information receiving address: nice.lizhi@gmail[.]com

Source: “facebook[.]com/events/1987558024892514/1987558044892512/”

The second Facebook event (facebook[.]com/events/shanghai-china/get-together/2139435819601167/) was hosted on September 30, 2018 and titled “Get Together,” with a Chinese description translated to read, “Gather friends in Shanghai to get together during the National Day and see if there are more opportunities for collaboration.”

Source: “facebook[.]com/events/shanghai-china/get-together/2139435819601167/”

Liu also has another Facebook page for his “zylinkus[.]com” development company (facebook[.]com/webdesignshanghai/), which was created in August 2012.

Source: “facebook[.]com/webdesignshanghai/”

PHP[.]net Post in 2010 from Liu Closed by Testy Member, Calling His Problem “Bogus”

The profile “chinawolfs at hotmail dot com,” seemingly controlled by Liu, posted a comment in 2010 on the PHP[.]net forums (bugs.php[.]net/bug.php?id=52684&edit=2) about a problem he was having. Two people responded to the thread, largely resolving his issue, with the final one calling it “bogus” due to the perceived simplicity of the problem.

PHP forum: “bugs.php[.]net/bug.php?id=52684&edit=2”

Continuing to Track FUNNULL and Triad Nexus

Silent Push Threat Analysts released this research as a reminder to enterprise organizations that when the U.S. Treasury sanctions an individual, there are expectations to identify accounts owned by those individuals and potentially terminate service to them.

All defenders need to be aware of the “pig butchering” investment fraud schemes and money laundering websites that are hosted on the FUNNULL CDN and take actions to not only defend their users and networks from these websites, but also to ensure that services provided to this sanctioned entity and the admin running its network are reviewed and potentially terminated.

Our team continues to investigate the FUNNULL CDN and related Triad Nexus threat actors, who host their malicious scam websites via this CDN. Silent Push Enterprise customers enjoy customer-only reporting streams on this threat and many others. Where possible, we will share the details that can be made public here with our readers.

Silent Push Uncovers Chinese Fake Marketplace e-Commerce Phishing Campaign Using Thousands of Websites to Spoof Popular Retail Brands

Key Findings

  • Silent Push Threat Analysts followed a tip from Mexican journalist Ignacio Gómez Villaseñor about a threat actor targeting “Hot Sale 2025,” an annual sales event similar to “Black Friday” in the U.S.
  • Our team pivoted from that Mexico-centric campaign into thousands of websites that broadly targeted a more global audience with abundant waves of fake marketplace scams.
  • We identified a private technical fingerprint associated with this infrastructure, which contains Chinese words and characters to strongly indicate that the developers of this network are from China.
  • Our analysts observed this threat actor group building multiple phishing websites with pages spoofing well-known retailers, including Apple, Harbor Freight Tools, Michael Kors, REI, Wayfair, and Wrangler Jeans.
  • The threat actor has also been caught abusing online payment services, including MasterCard, PayPal, and Visa, as well as payment security techniques such as Google Pay, across the campaign’s network of scam websites.

Executive Summary

From a lead gained through a recent X/Twitter post by Mexican journalist Ignacio Gómez Villaseñor, Silent Push Threat Analysts have been investigating a new phishing e-commerce website scam campaign.

The original campaign observed was targeting Spanish-language visitors shopping for the “Hot Sale 2025.” The research by Gómez Villaseñor focused on specific domains found on one IP address targeting Spanish-language audiences; however, it was but one slice of a much larger campaign.

As we began our deeper research, our team soon uncovered a much broader fake marketplace scheme targeting English and Spanish language audiences in many other countries outside of Mexico. Having found a private technical fingerprint associated with the threat actor’s infrastructure that contained Chinese words and characters, we have high confidence that the developers of this network are from China.

Our team has uncovered thousands of domains spoofing various payment and retail brands in connection with this campaign, including (but not limited to) PayPal, Apple, Wayfair, Lane Bryant, Brooks Brothers, Taylor Made, Hermes, REI, Duluth Trading, Omaha Steaks, Michael Kors, and many more, peddling everything from luxury watches to garage doors.





Background

Silent Push Threat Analysts have investigated a seemingly endless series of online retail campaigns involving threat actors employing various techniques to scam potential buyers out of their money.

From our blogs on Aggressive Inventory Zombies: A Retail & Crypto Phishing Network and Malvertising Campaigns Abusing Google Search Ads to the most recent GhostVendors Fake Marketplace Campaign that shares our findings on the abuse of a Facebook advertising policy loophole, we share how our technology uncovers thousands of malicious domains spoofing major brands and provides proactive mitigation solutions for our clients.

This latest scam campaign targets English and Spanish language shoppers with fake marketplace ads, which we began investigating following a tip we discovered on journalist Ignacio Gómez Villaseñor’s May 26, 2025, X/Twitter post.

The campaign’s timing took advantage of the recent “Hot Sale 2025,” an annual shopping event sponsored by Asociación Mexicana de Ventas Online (AMVO) (amvo[.]org[.]mx/), which ran from May 26 to June 3, 2025.

Websites in this network don’t appear to actually process transactions or purchases, but instead steal credit card information entered on the (fake) payment page. The write-up from Gómez Villaseñor on Publimetro included this important detail from their testing (translated into English):

“In tests carried out by Publimetro México, by entering false bank card data into these portals, the system reacts as if you were actually processing a payment. A “reserved cart” timer and platform logos are displayed as Visa, MasterCard, PayPal, Oxxo, and SPEI. This simulation is done to gain user trust and steal your information without raising immediate suspicion.”

Our threat analysts observed that the threat actor had created multiple phishing websites with pages spoofing a wide array of retailers, many of which are well-known brands. The phishing pages feature products that appear to have been scraped from other sites and abuse online payment security techniques to orchestrate scam websites.

Additionally, as our team has continued to investigate this online scam, we have found multiple suspicious sites using Google Pay, which suggests that this threat actor group is also stealing payments (as Google Pay uses virtual credit card numbers) and then not actually delivering any of the supposedly “purchased” goods.


Google Pay Widget Integrated Into Sites to Take Real Payments

Some of the websites in this network, such as rizzingupcart[.]com, include genuine Google Pay purchase widgets.

These purchase widgets typically offer an extra layer of security protection to online shoppers, as Google Pay has a key security feature that uses virtual card numbers, which are randomly generated, instead of sharing buyers’ actual credit card details. Since credit card data is not accessible to merchants, threat actors behind fraudulent sites cannot typically steal it.

Although raw credit card information is never shared with the merchant under this method, a threat actor can often work around the protection that virtual card numbers provide. Even when payments arrive through this process, the threat actor can still carry out its online scam simply by failing to deliver the ordered products after payment.

Example of the site “rizzingupcart[.]com/product/2-pieces-set-chair-printed-armchair-slipcover/” with Google Pay integrated to take real payments


Brands Mixed Between Domains and Sites

Our team found many sloppy deployments on sites such as “harborfrieght[.]shop” (note the misspelling of “freight”), which in theory would be promoting Harbor Freight Tools, yet the website instead featured a clone of the Wrangler jeans site:

The “harborfrieght[.]shop” fake website featured a clone of the Wrangler Jeans site


Brands and Organizations Targeted

The fake marketplace campaign has targeted numerous well-known brands. We are listing a few of the more popular organizations that have been targeted, along with screenshots where we were able to capture the phony sites while they were still viewable online:

  • Harbor Freight Tools
  • Wrangler Jeans
  • Guitar Center
  • Lane Bryant
  • Nordstrom
  • Omaha Steaks
  • REI
  • Thousands more…

Example of “guitarcentersale[.]com” spoofing Guitar Center

The site “guitarcentersale[.]com” spoofing retailer Guitar Center appears to offer children’s accessories with no sign of any musical instruments for sale.


Example of phony site, “omahasteaksbox[.]com”

The site “omahasteaksbox[.]com” tried to pattern its design on the actual Omaha Steaks website in its spoofing attempt by partially copying portions of legitimate content. The phony site appears somewhat convincing at first glance, but on closer inspection, it is a shoddy attempt at emulating the popular brand.


Another fake marketplace site, “nordstromltems[.]com” (note the URL has a lower-case “l” instead of an “i” for the word “items”), attempted to spoof the brand of retailer Nordstrom. This fake site only displayed casual kids’ accessories, rather than the breadth of high-end clothing, accessories, shoes, and cosmetics typically associated with the Nordstrom brand, which caters to women, men, and children.

Our team also noted the phony site builder merely cloned the entire site for “guitarcentersale[.]com” and used it for the “nordstromltems[.]com” site, which further confirmed it was the work of the same threat actor.

Example of the phony site for “nordstromltems[.]com” – a direct copy of the fake site: “guitarcentersale[.]com”


Another site, spoofing the well-known Brooks Brothers brand, scraped parts of the legitimate website but then listed selections of clothing at impossibly low prices—especially for the BB brand.

Example of the phony site, “brooksbrothersofficial[.]com” abusing the Brooks Brothers’ brand


Our team found numerous additional sites abusing clothing brands, including one site “josbankofficial[.]com” that attempted to spoof the historic menswear merchant Jos. A. Bank.

Example of phony site, “josbankofficial[.]com” spoofing the Jos. A. Bank website


Example of fake website “tommyilfigershop[.]com”

Our team also found a website attempting to spoof the premium clothing brand Tommy Hilfiger. Unlike the typical designer clothing found on the legitimate Tommy Hilfiger site, the spoof site, “tommyilfigershop[.]com” (note the missing “h” for the Hilfiger name and multiple misspellings on the home page) displays a model promoting women’s casual wear advertised by the brand “Autumvwindsss.”
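The misspellings called out above (the transposed “ie” in harborfrieght, an “l” standing in for an “i” in nordstromltems, the dropped “h” in tommyilfiger, and brand names padded with “official,” “sale,” or “shop”) are cheap for a defender to score automatically. The Python below is an added example written for this page, not Silent Push tooling: it folds confusable characters, strips the filler words, and measures edit distance (with an adjacent transposition counted as one edit) between a domain’s registrable label and a short list of the brands named in this post. The filler list, the homoglyph map, and the shortcut of treating the second-to-last label as the registrable label are assumptions made for the example.

```python
"""Score domains for resemblance to tracked retail brands.

Added example, not Silent Push tooling. Brand names and sample domains come
from the names mentioned in the post; the filler list and the homoglyph map
are assumptions chosen for this example.
"""
import re

# Brand names as they would appear in a registrable label.
BRANDS = {
    "harborfreight": "Harbor Freight Tools",
    "nordstrom": "Nordstrom",
    "guitarcenter": "Guitar Center",
    "omahasteaks": "Omaha Steaks",
    "brooksbrothers": "Brooks Brothers",
    "josbank": "Jos. A. Bank",
    "tommyhilfiger": "Tommy Hilfiger",
}

# Words scammers bolt onto a brand name (assumption); stripped from the end of the label.
FILLER = ("official", "outlets", "outlet", "store", "shop", "sale", "items", "box", "euro")

# Confusable characters folded to one canonical letter: l and 1 read as i, 0 as o.
HOMOGLYPHS = str.maketrans("l10", "iio")


def fold(text: str) -> str:
    """Lower-case, fold confusables, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(HOMOGLYPHS))


# Brands and fillers are folded with the same function so comparisons are consistent.
FOLDED_BRANDS = {fold(k): v for k, v in BRANDS.items()}
FOLDED_FILLER = tuple(fold(f) for f in FILLER)


def registrable_label(domain: str) -> str:
    """'harborfrieght[.]shop' -> 'harborfrieght'. Accepts defanged input.

    Assumption: the second-to-last label is the registrable one (no public-suffix list).
    """
    labels = domain.replace("[.]", ".").lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def strip_filler(label: str) -> str:
    """Remove trailing filler words repeatedly, leaving at least one character."""
    changed = True
    while changed:
        changed = False
        for filler in FOLDED_FILLER:
            if label.endswith(filler) and len(label) > len(filler):
                label = label[: -len(filler)]
                changed = True
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_brand(domain: str, max_distance: int = 1):
    """Return (brand, distance) for the closest tracked brand within max_distance, else None.

    A brand's own registered domain also scores 0; in production those go on an allowlist.
    """
    label = strip_filler(fold(registrable_label(domain)))
    best = None
    for key, name in FOLDED_BRANDS.items():
        dist = osa_distance(label, key)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (name, dist)
    return best


if __name__ == "__main__":
    for d in ("harborfrieght[.]shop", "nordstromltems[.]com", "tommyilfigershop[.]com",
              "omahasteaksbox[.]com", "rizzingupcart[.]com"):
        print(f"{d:28s} -> {lookalike_brand(d)}")
```

The fold-then-strip order matters: the filler words are folded with the same map as the label, so “official” and “sale” still strip after their “l” has been folded to “i.” Raising max_distance catches more variants but also more unrelated names, so the threshold is a tuning choice, not a constant.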

During the course of our research, we determined that many of the fake marketplace sites had been blocked by their hosts once they were discovered (a given site’s fake content was frequently replaced with red warning messages instructing users not to continue browsing on some suspicious domains). However, despite many sites being taken down by both hosts and defenders, thousands remain active as of June 2025. In the face of these types of scaled-up, persistent threats, traditional methods appear unable to hold back the tide.

This is why Silent Push focuses on the value created by our Indicators Of Future Attack™ (IOFA™) feeds—so our customers can act on preemptive threat intelligence, rather than traditional, reactive methods.


Continuing to Track the Mexican Hot Sale / Chinese Fake Marketplace Phishing Campaign

Silent Push Threat Analysts will continue to track this Fake Marketplace Chinese Phishing Campaign and update our findings with future posts and reports as we uncover new developments.

If you or your organization has any information on this threat actor, we would love to hear from you.

Mitigation

Silent Push believes that all websites associated with this campaign represent some level of risk. This fake marketplace campaign primarily targets consumers with a phishing threat that exploits major brands, well-known organizations, and the fame of some political figures.

Our analysts have developed a series of Silent Push IOFA™ feeds in response to these types of phishing efforts to best protect our customers from global threats.

Silent Push IOFA™ Feeds are available as part of an Enterprise subscription. Enterprise users can ingest IOFA™ Feed data into their security stack to inform their detection protocols or use it to pivot across attacker infrastructure using the Silent Push Console and Feed Analytics screen.


Sample Indicators Of Future Attack™

Silent Push is sharing a small sample of our Indicators Of Future Attack™ (IOFA™) list, which we associate with the Mexican Hot Sale/Chinese fake marketplace phishing campaign, to support ongoing efforts within the community. Our enterprise users have access to an IOFA™ feed currently containing significantly more indicators from this campaign.

  • cotswoldoutdoor-euro[.]shop
  • harborfrieght[.]shop
  • portal[.]oemsaas[.]shop
  • rizzingupcart[.]com
  • brooksbrothersofficial[.]com
  • josbankofficial[.]com
  • nordstromltems[.]com
  • guitarcentersale[.]com
  • tommyilfigershop[.]com
  • tumioutlets[.]com
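Indicator lists like this are published defanged (“[.]”) so they are not clickable; before they can be matched against telemetry they have to be refanged and compared the way DNS names compare: case-insensitively, ignoring a trailing root dot, and treating a query for a subdomain of a listed host as a hit. The script below is an added example, not Silent Push code; it loads the sample list above and runs it over a few constructed DNS query log lines in an assumed “timestamp client qname qtype” layout.

```python
"""Match DNS query logs against a defanged indicator list.

Added example, not Silent Push code. The indicators are the sample domains
published in the post; the log lines and their layout are constructed for
this example and do not come from any real environment.
"""
import re

# Sample indicators exactly as published, in defanged "[.]" form.
SAMPLE_IOFA = [
    "cotswoldoutdoor-euro[.]shop",
    "harborfrieght[.]shop",
    "portal[.]oemsaas[.]shop",
    "rizzingupcart[.]com",
    "brooksbrothersofficial[.]com",
    "josbankofficial[.]com",
    "nordstromltems[.]com",
    "guitarcentersale[.]com",
    "tommyilfigershop[.]com",
    "tumioutlets[.]com",
]

# Constructed log lines (assumed layout): "<timestamp> <client-ip> <qname> <qtype>".
SAMPLE_LOG = """\
2025-06-10T14:02:11Z 10.20.0.14 www.rizzingupcart.com A
2025-06-10T14:02:12Z 10.20.0.14 cdn.example-legit.com A
2025-06-10T14:03:40Z 10.20.0.22 NordstromLtems.COM. A
2025-06-10T14:05:01Z 10.20.0.31 oemsaas.shop A
2025-06-10T14:05:02Z 10.20.0.31 shop.portal.oemsaas.shop AAAA
2025-06-10T14:06:15Z 10.20.0.40 guitarcenter.com A
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def refang(indicator: str) -> str:
    """Turn 'a[.]b' back into 'a.b' so it compares with live query names."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


def normalise_qname(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.lower().rstrip(".")


def build_blocklist(indicators) -> set:
    return {refang(i) for i in indicators}


def matched_indicator(qname: str, blocklist: set):
    """Return the indicator a query name hits: exact match or any parent label.

    'shop.portal.oemsaas.shop' hits 'portal.oemsaas.shop'; the bare
    'oemsaas.shop' does not, because the published indicator is the host,
    not the registrable domain.
    """
    labels = normalise_qname(qname).split(".")
    for i in range(len(labels) - 1):  # never test the TLD on its own
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_log(log_text: str, indicators) -> list:
    """Return one hit record per log line whose query name matches an indicator."""
    blocklist = build_blocklist(indicators)
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count and surface these
        hit = matched_indicator(m["qname"], blocklist)
        if hit:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": normalise_qname(m["qname"]), "indicator": hit})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG, SAMPLE_IOFA):
        print(f'{h["ts"]} {h["client"]} {h["qname"]} -> {h["indicator"]}')
```

The parent-label walk is what makes a listed host catch `www.` and other subdomains without also flagging every sibling under the same registrable domain; whether to widen a host indicator to its whole registrable domain is a policy decision the feed consumer should make explicitly.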

Improve Global Threat Detection Using STIX and TAXII within Silent Push

Silent Push now offers bi-directional support for STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Indicator Information) – two of the most widely adopted standards for Cyber Threat Intelligence (CTI) sharing and automation. 

This capability injects our industry-leading preemptive threat intelligence directly into your existing security workflows, allowing for faster, smarter decision-making without added complexity, and giving teams the ability to collaborate cross-platform to detect emerging threats at the earliest opportunity. 

What are STIX and TAXII?

The speed and clarity of intelligence delivery determines how well teams respond to emerging adversary activity. CTI is often fragmented, stuck in proprietary formats, or siloed across different systems, making it hard to get at actionable intelligence, or collaborate effectively to detect hidden threats. 

Enter stage right: STIX and TAXII.

STIX is a standardized format for structuring threat intelligence – from domain and IP indicators, to TTPs, APT relationships, and threat actor profiles. It provides a machine-readable way to express contextual intelligence in a format that analysts and tools can easily understand. 

TAXII is the protocol for sharing that same intelligence securely and efficiently. It lets platforms push and pull data between trusted sources and subscribers, enabling real-time intelligence exchange across organizations, teams, and tools. 

Together, STIX and TAXII simplify integration, reduce manual effort, and help security teams operate with greater precision and speed. 
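To make the description concrete, this is what a domain indicator looks like when expressed in STIX 2.1, and what a consumer has to do to get the plain domain back out of it. It is an added example written for this page using only the Python standard library, not Silent Push’s exporter or the stix2 library; the two feed entries and their campaign label are constructed, and the small envelope helper assumes the TAXII 2.1 envelope layout.

```python
"""Build a STIX 2.1 bundle of domain indicators and read it back.

Added example, not Silent Push's exporter. Standard library only, so the
object layout stays visible; the stix2 package would validate the same
structures in production.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed feed entries: a defanged domain and the campaign tag that
# travels with it (the kind of context the post says its STIX data carries).
SAMPLE_FEED = [
    {"domain": "harborfrieght[.]shop", "campaign": "Chinese fake marketplace"},
    {"domain": "portal[.]oemsaas[.]shop", "campaign": "Chinese fake marketplace"},
]

# Fixed clock so the example output is reproducible.
EXAMPLE_TIME = datetime(2025, 6, 10, 14, 0, 0, tzinfo=timezone.utc)

# STIX pattern for a single domain-name observable.
PATTERN_RE = re.compile(r"^\[domain-name:value = '([^']+)'\]$")


def refang(domain: str) -> str:
    return domain.replace("[.]", ".")


def stix_timestamp(dt: datetime) -> str:
    """STIX 2.1 timestamps: UTC, RFC 3339, millisecond precision, trailing 'Z'."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_indicator(domain: str, campaign: str, now: datetime) -> dict:
    """One STIX 2.1 Indicator SDO whose pattern matches the given domain."""
    value = refang(domain).lower()
    if "'" in value or "\\" in value:
        raise ValueError(f"value cannot be embedded in a pattern: {domain!r}")
    ts = stix_timestamp(now)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"Fake marketplace domain: {value}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[domain-name:value = '{value}']",
        "pattern_type": "stix",
        "valid_from": ts,
        "labels": [campaign],
    }


def make_bundle(feed, now: datetime = None) -> dict:
    """STIX 2.1 Bundle: type, id and objects (2.1 has no spec_version on the bundle)."""
    now = now or datetime.now(timezone.utc)
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [make_indicator(e["domain"], e["campaign"], now) for e in feed],
    }


def to_taxii_envelope(bundle: dict) -> dict:
    """TAXII 2.1 carries objects in an envelope ({"objects": [...]}), not a bundle."""
    return {"objects": list(bundle["objects"])}


def extract_domains(bundle: dict) -> list:
    """Consumer side: pull plain domain values out of STIX-pattern indicators."""
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # other pattern types (sigma, snort, ...) need their own parsers
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if m:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    bundle = make_bundle(SAMPLE_FEED, EXAMPLE_TIME)
    print(json.dumps(bundle, indent=2))
    print("domains:", extract_domains(bundle))
```

The consumer-side regex only understands the one-term domain pattern this example produces; real feeds may carry compound patterns (several observables joined with AND/OR), and a full STIX pattern parser is the right tool once those appear.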

Not Just Another Feed: Actionable STIX Data Built from IOFA™ 

Silent Push Enterprise users can now easily ingest threat data derived from infrastructure-level intelligence that focuses on the ways threat actors set up and manage their infrastructure, structured in STIX format and delivered via TAXII feeds.

This allows Silent Push data to plug directly into TIP, SIEM and SOAR platforms, or any other cybersecurity system that supports these standards. 

It’s not just about the format. What sets Silent Push apart is the quality and depth of the intelligence being shared.

Unlike CTI vendors that aggregate third-party feeds, or focus solely on IOCs, Silent Push captures and analyzes the unseen layers of attacker infrastructure – from passive DNS and web content changes to behavioral patterns, automation signatures, and hosting relationships – and delivers them as Indicators of Future Attack (IOFA).

All our data is collected and aggregated by us, globally and independently, with no reliance on external resolvers or limited partnerships. 

This means the STIX data you’re receiving isn’t just another feed of stale domains or hashes. It’s real infrastructure context, including domains and IPs tagged with relevant information, such as threat actor name, linked campaigns, nameserver reputation, malware type, and IOFA™ feed presence.

Plug and Protect: Use Cases for STIX/TAXII in Silent Push 

With Silent Push’s STIX/TAXII support, organizations can: 

  • Automate IOFA™ ingestion: Feed Silent Push indicators directly into your SIEM or firewall policy engine without manual formatting or translation. 
  • Enrich existing alerts: Correlate events in your environment with deeper infrastructure context pulled from Silent Push intelligence. 
  • Build custom detections: Use Silent Push data in threat-hunting playbooks or SOAR workflows to uncover related infrastructure and prevent lateral movement. 
  • Bi-directional intelligence sharing: Ingest external CTI data into your Silent Push subscription and contribute IOFA™ to CTI sharing communities using a common, interoperable language.

Whether you’re part of a Security Operations Center (SOC), threat hunting team, or CTI unit, this integration allows you to move faster, reduce noise, and act with greater confidence. 

Silent Push/OpenCTI TAXII configuration

Designed for Flexibility 

Silent Push’s STIX/TAXII implementation is engineered to support flexible consumption of CTI data.

  • Pull or push feeds to your preferred tools and platforms 
  • Choose from curated data sets – including malicious hosting clusters, high-risk domains, or specific TTPs 
  • Apply filters based on region, time, or infrastructure type in Feed Scanner
  • Access feeds programmatically for full automation, or manually for ad hoc investigations 

We’ve also made sure our TAXII server meets the latest interoperability standards, ensuring compatibility with the tools your team already uses. 

Book a Demo 

In a security environment that demands faster decisions and tighter integration, Silent Push’s support for STIX and TAXII helps organizations minimize siloed information sharing, and operationalize threat intelligence with minimal friction.

By combining the depth of Silent Push data with the power of open standards, we’re making it easier than ever for teams to stay ahead of adversary infrastructure, and act before the next attack chain begins. 

Get in touch today for a personalized demonstration.

Threat Report: Smishing Triad

Smishing Triad is a coordinated, large-scale phishing operation leveraging mobile messaging (SMS) to impersonate trusted financial and shipping brands. First observed in 2023, it has rapidly evolved into an industrialized ecosystem of phishing kits developed and distributed by Chinese actors — now active in over 121 countries, with a sharp increase in attacks across the APJ region.

The campaign is targeting some of the world’s biggest brands, including HSBC, PayPal, Mastercard, Bank of America, Chase, and more.

  • Learn about Smishing Triad’s key targets in the financial services sector
  • Discover the global campaign’s infrastructure and attack methods
  • Access actionable mitigation strategies and techniques, including a sample list of Indicators of Future Attack™

This isn’t just another phishing report. It’s a look into the next generation of threat infrastructure targeting financial services — one your security team needs to understand now.

The Silent Push Difference

Silent Push provides preemptive cyber intelligence that exposes threat actor infrastructure as it’s being set up and shares it as Indicators of Future Attack (IOFA), allowing organizations to proactively block attacks.

Accelerate APT Investigations With Silent Push Threat Reports 

The Challenge: Drowning in a Deluge of APT Investigations 

Like many large enterprises, our media services customer faced the daunting task of sifting through vast quantities of raw threat intelligence relating to high-profile Advanced Persistent Threat (APT) groups targeting their organization. 

Even with robust security infrastructure, the sheer complexity of data related to APT activity, and their expansive online presence, meant that identifying and responding to APT behavior was a time-consuming and reactive endeavour. 

Each investigation was a deep dive, requiring significant manual effort to correlate disparate pieces of information, and extract actionable intelligence that could be used in the organization’s security operation. 

This not only put a strain on their Security Operations Center (SOC) team, but also delayed their ability to preemptively mitigate threats, leaving windows of vulnerability open longer than desired. 

The existing workflows, while comprehensive, struggled to keep pace with the dynamic nature of APT activity, leading to prolonged investigation cycles and a persistent sense of playing catch-up. 

The Solution: TLP Amber Reports within Silent Push Enterprise 

Silent Push Enterprise edition features exclusive access to APT and threat-specific TLP (Traffic Light Protocol) Amber reports. 

Built on the insight and knowledge we gain through the platform’s ability to reveal and track infrastructure as it’s being deployed, TLP Amber Reports are drafted by Silent Push’s expert Threat Analysts who have collectively produced industry-leading research on high-profile threat campaigns. 

Our reports go much deeper than our public blogs, featuring direct links to pivots, queries, scans, and datasets, so that teams can follow along within the platform, along with a comprehensive list of Indicators of Future Attack (IOFA)™ that are exposed during the investigation.

TLP Amber Reports menu

Using our reports as a jump-off point for APT investigations, our customer’s security team no longer had to painstakingly piece together information from multiple sources. 

Critical context, including attacker methodologies, tools, and infrastructure, is presented directly within the platform, drastically reducing investigation time. Each TLP Amber report is also tagged with the relevant threat actor or campaign name, and is presented alongside a corresponding IOFA Feed.

Our customer streamlined a time-consuming and reactive process into a short, sharp, review of immediately available intelligence, significantly bolstering their security posture against some of the most highly advanced and prominent cybercriminals currently in operation. 

What took days (or even weeks), now took a few hours.

The Silent Push Difference: Ready-made SOC and IR Intelligence

Our TLP Amber reports fundamentally changed our customer’s approach to APT investigations. 

With TTPs laid bare and actionable pivots readily available, the time spent investigating APT activity plummeted. Analysts could now quickly understand an adversary’s modus operandi and identify infrastructure for blocking and reporting. 

By understanding the patterns involved in APT infrastructure deployment and management, the security team moved from a reactive to a truly preemptive stance, with a newfound ability to predict where an attack was likely to originate, rather than relying on post-breach indicators that were often redundant as soon as they were publicly known.

Intelligence that was previously hard to access – either spread across multiple pieces of research, hidden under the surface of an attack, or requiring extensive manual correlation – became readily available.

Learn more about our unique approach to preemptive threat intelligence  

Find out how Silent Push can help you save countless hours of painstaking threat research with customised TLP Amber reports that are specific to your area of expertise.