Security researchers have identified a massive campaign involving the abuse of the legitimate DCloud Uni-App framework to power over 200,000 investment scam sites. Unlike traditional bespoke phishing operations, threat actors are now utilizing a legitimate cross-platform development toolkit to generate high-fidelity, professional-looking scam applications. This "Scam-as-a-Service" model allows attackers to rapidly deploy infrastructure that blends in with normal web traffic, bypassing static filters that rely on known malicious code signatures. For defenders, this represents a significant shift in adversary methodology, moving from simple skimming scripts to complex, templated application frameworks that mimic legitimate trading and investment platforms.
Technical Analysis
Affected Component: DCloud Uni-App Framework (Legitimate tool abused maliciously).
Platform: Cross-platform (Web, iOS, Android). The framework is primarily used to build apps using Vue.js that can be exported to various platforms, making it particularly attractive for "Pig Butchering" (Sha Zhu Pan) and other investment fraud schemes that require a mobile app feel.
Attack Vector: The threat does not stem from a zero-day vulnerability in the Uni-App framework itself. Rather, it is an abuse of functionality. Criminal groups obtain or sell "investment scam templates" built on Uni-App. These templates come pre-configured with fake trading dashboards, wallet interfaces, and customer support chats. Because the underlying framework is legitimate, the generated code often appears clean to automated scanners.
Mechanism of Action:
- Template Deployment: Actors deploy the pre-built Uni-App template to a web server or convert it into an APK/IPA for mobile distribution.
- Social Engineering: Victims are lured via social media or messaging apps (Telegram, WhatsApp) to download these apps or visit the web portals.
- Data Harvesting: The app interface mimics a legitimate brokerage, capturing user credentials and financial deposits before the fraudsters cut off access.
Exploitation Status: Confirmed active exploitation. Over 200,000 domains associated with these templates have been observed, indicating a prolific, industrialized campaign.
Detection & Response
Detecting these campaigns requires identifying the structural fingerprints of the Uni-App framework in unexpected contexts or correlating specific file paths associated with the default template builds with low-reputation domains.
---
title: Potential Uni-App Scam Template Access
id: 98d6c3a1-4f12-4b8e-9c1d-1e2f3a4b5c6d
status: experimental
description: Detects network requests to Uni-App default build artifacts (app-service.js) which are heavily used in current investment scam templates. Legitimate apps using Uni-App should be allowlisted.
references:
- https://www.securityweek.com/chinese-framework-powers-200000-scam-sites/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.initial_access
- attack.t1566
group: masquerading
logsource:
category: proxy
product: any
detection:
selection:
c-uri|contains:
- '/static/js/app-service.js'
- '/static/js/uni.'
- '/__uniapp'
filter_legitimate:
cs-host|contains:
- 'trusted-domain.com'
- 'internal-app.local'
condition: selection and not filter_legitimate
falsepositives:
- Legitimate internal applications built with Uni-App
level: high
---
title: Suspicious Uni-App Webview User-Agent
id: 12a3b4c5-d6e7-8f90-1234-567890abcdef
status: experimental
description: Detects requests from User-Agents commonly associated with Uni-App hybrid applications originating from external IPs.
references:
- https://www.securityweek.com/chinese-framework-powers-200000-scam-sites/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.command_and_control
- attack.t1071
group: masquerading
logsource:
category: webserver
product: any
detection:
selection:
cs-user-agent|contains:
- 'uni-app'
- 'Html5Plus'
condition: selection
falsepositives:
- Verified internal mobile applications
level: medium
**KQL (Microsoft Sentinel / Defender)**
This query hunts for network connections to domains hosting the default file structures of these scam templates.
// Hunt for Uni-App scam infrastructure indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ('/static/js/app-service.js', '/static/js/chunk-vendors.js', '/__uniapp')
| where InitiatingProcessFileName in ('chrome.exe', 'msedge.exe', 'firefox.exe')
or InitiatingProcessFileName !in ('svchost.exe', 'services.exe') // Filter background noise
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| extend Domain = tostring(split(RemoteUrl, '/')[0])
| summarize count() by Domain, RemoteIP, bin(Timestamp, 1h)
| where count_ < 50 // Filter out high-volume legitimate CDNs if necessary, or tune based on environment
| order by count_ desc
**Velociraptor VQL**
Hunt for web-app artifacts or PWA (Progressive Web App) manifests in user directories that contain Uni-App signatures, which may indicate a user has interacted with or installed a scam template.
-- Hunt for Uni-App related manifest or JS files in user profiles
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs='/*users/*/AppData/Local/*/User Data/*/Default/Local Storage/leveldb/*.log')
WHERE
Content =~ 'uni-app'
OR Content =~ 'dcloud'
OR Content =~ 'Html5Plus'
**Remediation Script (PowerShell)**
This script assists in auditing endpoints for suspicious PWA shortcuts or HTML files associated with these scam templates in common download directories.
# Audit for suspicious investment scam artifacts using Uni-App
# Run as Administrator
Write-Host "[+] Initiating hunt for Uni-App scam artifacts..." -ForegroundColor Cyan
$UserDirs = Get-ChildItem "C:\Users" -Directory -Exclude "Public", "Default*")
$SuspiciousPatterns = @("uni-app", "dcloud", "Html5Plus", "app-service.js")
$Findings = @()
foreach ($User in $UserDirs) {
$DownloadPath = Join-Path -Path $User.FullName -ChildPath "Downloads"
$DesktopPath = Join-Path -Path $User.FullName -ChildPath "Desktop"
if (Test-Path $DownloadPath) {
Write-Host "[ ] Scanning $($User.Name) Downloads..." -ForegroundColor Gray
$Files = Get-ChildItem -Path $DownloadPath -Recurse -Include *.html, *.js, *., *.url -ErrorAction SilentlyContinue
foreach ($File in $Files) {
$Content = Get-Content $File.FullName -Raw -ErrorAction SilentlyContinue
if ($Content) {
foreach ($Pattern in $SuspiciousPatterns) {
if ($Content -match $Pattern) {
$Findings += [PSCustomObject]@{
User = $User.Name
Path = $File.FullName
PatternMatched = $Pattern
}
break
}
}
}
}
}
}
if ($Findings.Count -gt 0) {
Write-Host "[!] Potential scam artifacts found:" -ForegroundColor Red
$Findings | Format-Table -AutoSize
# Optional: Quarantine logic would go here based on organizational policy
} else {
Write-Host "[+] No suspicious Uni-App artifacts found." -ForegroundColor Green
}
Remediation
- Network Blocking: Utilize the SIGMA rules and IOCs derived from your proxy logs to block domains serving the specific directory structures (
/static/js/app-service.js) characteristic of these templates on non-whitelisted external sites. - SSL/TLS Inspection: Ensure your Secure Web Gateway (SWG) is performing deep SSL inspection. Many of these scams operate over HTTPS, hiding the malicious framework payload from packet headers.
- User Awareness: Immediately update security awareness training to include specific indicators of these "app-based" investment scams. Warn users against installing "trading apps" provided directly via links (sideloading) rather than official app stores.
- Allowlisting: If your organization uses the DCloud Uni-App framework for legitimate development, strictly allowlist the domains and IP addresses hosting your legitimate instances to prevent false positives and ensure rapid detection of spoofed versions.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.