Tall Tales: How Chinese Actors Use Impersonation and Stolen Narratives to Perpetuate Digital Transnational Repression
In collaboration with the International Consortium of Investigative Journalists (ICIJ), two distinct actor clusters aligned with the People's Republic of China were identified targeting journalists and civil society members. GLITTER CARP conducted widespread credential harvesting campaigns against Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists, as well as journalists covering these communities, employing digital impersonation and fake security alerts while frequently reusing infrastructure. SEQUIN CARP specifically targeted journalists involved in ICIJ's China Targets investigation using sophisticated OAuth consent phishing attacks with well-developed personas based on co-opted narratives, though operational mistakes revealed poor persona management. Both campaigns demonstrate China's Military-Civil Fusion system leveraging private contractors to conduct digital transnational repression at scale, with targeting intensifying following the China Targets publication that exposed Chinese governme...
AI Analysis
Technical Summary
Two Chinese-aligned actor clusters, GLITTER CARP and SEQUIN CARP, conduct targeted digital repression against journalists and activists linked to Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora communities. GLITTER CARP focuses on credential harvesting using impersonation and fake security alerts, often reusing infrastructure. SEQUIN CARP targets journalists involved in the ICIJ China Targets investigation with OAuth consent phishing attacks using personas crafted from stolen narratives. These campaigns illustrate the use of private contractors under China's Military-Civil Fusion system to perform large-scale digital repression. Operational errors in persona management were observed in SEQUIN CARP's activities. The campaigns intensified following public exposure by investigative journalism. This is a social engineering and credential theft threat rather than a software vulnerability, with no patches or exploits applicable.
Potential Impact
The campaigns result in credential theft and potential unauthorized access to accounts of targeted journalists and activists, enabling digital transnational repression. This undermines privacy, freedom of expression, and safety of targeted individuals. The impact is significant for affected communities but does not involve exploitation of software vulnerabilities or widespread malware propagation. No known exploits in the wild have been reported.
Mitigation Recommendations
No patches or official fixes are applicable as this threat involves social engineering and credential harvesting rather than software vulnerabilities. Defenders should focus on user awareness training about phishing and impersonation tactics, implement strong multi-factor authentication, and monitor for suspicious OAuth consent requests. Since this is a targeted campaign, organizations supporting at-risk communities should increase vigilance and incident response readiness. Patch status is not applicable.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://citizenlab.ca/research/how-chinese-actors-use-impersonation-and-stolen-narratives-to-perpetuate-digital-transnational-repression/
- Adversary: null
- Pulse Id: 69f05d291d899793ddba04f9
- Threat Score: null
Threat ID: 69f0c280cbff5d86101cb5f2
Added to database: 4/28/2026, 2:21:52 PM
Last enriched: 4/28/2026, 2:37:52 PM
Last updated: 4/29/2026, 4:47:38 AM