Silent Smishing

The monitoring and analysis of vulnerability exploitations are among the primary responsibilities of Sekoia.io’s Threat Detection & Research (TDR) team. Using our honeypots, we monitor traffic targeting various edge devices and internet-facing applications.

On 22 July 2025, suspicious network traces were observed via our honeypots.  The analysis revealed that a cellular router’s API was exploited to send malicious SMS messages containing phishing URLs, an attack that leverages SMS as a delivery vector for phishing, often categorized under smishing tactics.

The various messages examined strongly suggest that Belgium is being specifically targeted, as the phishing URLs, which impersonate legitimate services such as CSAM and Ebox, consistently feature the Belgium country code.[1]

Using the Shodan search engine, analysts identified over 18,000 routers of this type accessible on the public internet, at least 572 of which are potentially vulnerable. Moreover, the API enables retrieval of both incoming and outgoing SMS messages, which indicates that the vulnerability has been actively exploited to disseminate malicious SMS campaigns since at least February 2022.

Further examination of the sent messages confirms a deliberate focus on Belgian recipients. However, instances targeting France were also observed. Analyzing the phishing URLs enabled Sekoia to identify and track the attacker’s infrastructure, which appears to primarily target Belgian users. The report below presents an analysis of the attacker’s method for distributing malicious SMS messages. Additionally, it shares insights into the adversary’s infrastructure.

[1] https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/

Link to the full report:  IR-25-280-001_SilentSchmishing.pdf
