China-Linked Smishing Campaign

Threat actors are impersonating critical and general services, online platforms, and cryptocurrency exchanges in a massive smishing campaign that has been ongoing since April 2024, according to a warning from Palo Alto Networks.  The cybersecurity firm first warned of the campaign in early March 2024, when it identified over 10,000 domains linked to the impersonation of toll and package delivery services.  Roughly a month later, it warned of over 91,500 root domains employed in these attacks.  Subsequent analysis revealed that the campaign is much more extensive, with over 194,000 malicious domains used in these attacks since 01 January 2024.[1]

In addition to package delivery services, the attacks also impersonate healthcare organizations, banks, cryptocurrency platforms, e-commerce and online payment platforms, law enforcement, and social media platforms.  “The campaign is highly decentralized, lacking a single point of control, and uses many domains and a diverse set of hosting infrastructure.  This is advantageous for the attackers as churning through thousands of domains weekly makes detection more difficult,” Palo Alto Networks notes.

Most of the attacks focus on US users, but the campaign’s reach is global, with victims identified in Argentina, Australia, Canada, France, Germany, Ireland, Israel, Lithuania, Malaysia, Mexico, Poland, Russia, the UAE, the UK, and other countries.  According to Palo Alto Networks, the campaign is the work of a Chinese-speaking threat actor known as the Smishing Triad, which has been active since at least 2023.  In addition to SMS phishing, the group was also seen sending emails to iPhone users’ iMessage app in attacks impersonating India Post.

Earlier in 2025, the threat actor was seen boasting on its Telegram channel about a new phishing kit called Lighthouse that could target major Western financial organizations and banks in Australia and the APAC region.  Smishing Triad’s attacks, Palo Alto Networks notes, are constantly evolving, and the large number of domains associated with the campaign proves that.

What remains constant is the personalized SMS messages that rely on social engineering to create a sense of urgency and lure victims to the malicious domains, where they are tricked into sharing their personal information, including their Social Security numbers and similar national identifiers.

The campaign is likely supported by a Phishing-as-a-Service (PhaaS) operation.  The threat actors involved are likely specialized in different stages of the supply chain and include a data broker, a domain seller, a hosting provider, a phishing kit developer, an SMS spammer, and support roles checking for valid phone numbers and blocked domains.

Most of the domains (82.6%) used in the campaign had a lifespan of two weeks or less, and fewer than 6% remained active three months after registration.  According to Palo Alto Networks, 29.19% of the domains were active for two days or less.  Roughly 90,000 of the fraudulent domains impersonated toll services, and more than 28,000 impersonated the US Postal Service (USPS).

Other domains impersonated a consumer electronics company, a financial services firm, government services such as the IRS and US state vehicle departments, mail and delivery services, police forces, carpooling applications, hospitality services, personal cloud services, online games, and marketplaces for in-game skins.  “We advise people to exercise vigilance and caution.  People should treat any unsolicited messages from unknown senders with suspicion.  We recommend that people verify any request that demands urgent action using the official service provider’s website or application,” Palo Alto Networks notes.
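As an added defensive illustration (not part of the original article or Palo Alto Networks' research), the following Python triage heuristic combines the campaign traits described above: a brand mention whose link lands off the official domain, a domain registered within the two-week window most of these domains live in, and urgency wording. The official-domain allowlist, keyword lists, sample messages and registration dates are constructed assumptions, not data from the report.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed allowlist of official domains per impersonated brand (illustrative, not from the report).
OFFICIAL_DOMAINS = {"usps": {"usps.com"}, "toll": {"ezpassnj.com", "thetollroads.com"}}
# Lure keywords; a brand mention whose link does not land on an official domain is a red flag.
BRAND_KEYWORDS = {"usps": ("usps", "postal"), "toll": ("toll", "e-zpass", "ezpass", "fastrak")}
URGENCY = ("within 24 hours", "immediately", "suspended", "final notice", "overdue")
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)


def registrable_domain(url):
    """Last two labels of the host; fine for .com/.xyz, but multi-part TLDs (co.uk) need a public-suffix list."""
    host = (urlparse(url).hostname or "").lower().strip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_age_days(domain, registrations, today):
    """Days since registration from a constructed lookup table (in production: RDAP/WHOIS or passive DNS)."""
    reg = registrations.get(domain)
    return (today - reg).days if reg else None


def triage_sms(text, registrations, today, max_age_days=14):
    """Flag an SMS when at least two campaign traits co-occur: off-brand link, young domain, urgency wording."""
    lowered = text.lower()
    brands = {b for b, kws in BRAND_KEYWORDS.items() if any(k in lowered for k in kws)}
    findings = []
    for url in URL_RE.findall(text):
        dom = registrable_domain(url)
        for b in sorted(brands):
            if dom not in OFFICIAL_DOMAINS[b]:
                findings.append(f"{b} lure links off-brand domain {dom}")
        age = domain_age_days(dom, registrations, today)
        if age is not None and age <= max_age_days:
            findings.append(f"{dom} registered {age} day(s) ago")
    if any(u in lowered for u in URGENCY):
        findings.append("urgency wording")
    return {"suspicious": len(findings) >= 2, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: a lure in the style described above and a benign tracking message.
    regs = {"usps-track-fee.xyz": date(2025, 5, 1)}
    today = date(2025, 5, 3)
    for sms in ("USPS: your package is on hold, pay the $0.30 fee within 24 hours at https://usps-track-fee.xyz/p",
                "USPS: delivery scheduled tomorrow. Track at https://tools.usps.com/go"):
        print(triage_sms(sms, regs, today))
```

The age check is what catches the churn the report describes; a single trait on its own (a short link, or urgent wording from a real carrier) is deliberately not enough to flag a message.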


This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122


[1] https://www.securityweek.com/massive-china-linked-smishing-campaign-leveraged-194000-domains/
