“Smishing Triad” – Chinese PhaaS Group Linked to Over 194,000 Malicious Domains in Global Smishing Campaign


423/68 Monday, October 27, 2025

Researchers from Palo Alto Networks Unit 42 have uncovered evidence of a large-scale, ongoing smishing (SMS phishing) operation tied to a China-based threat actor group known as the “Smishing Triad.” The group has been linked to more than 194,000 malicious domains. Since January 1, 2024, the group has been distributing fraudulent text messages impersonating toll violation notices and package misdelivery alerts to countless mobile devices. These lures are designed to pressure victims into taking immediate action and submitting sensitive personal information. According to a recent report by The Wall Street Journal, these campaigns have generated over $1 billion in illicit profits over the past three years.

Infrastructure analysis reveals that while the majority of domains (68.06%) were registered through Hong Kong-based registrars and leveraged Chinese nameservers, the core attack infrastructure was hosted on U.S.-based cloud services. A key tactic of the campaign is rapid domain churn, with 71.3% of domains lasting less than a week before being replaced to evade detection. The most frequently spoofed service is the U.S. Postal Service (USPS), with toll-related services being the most commonly impersonated category.
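The infrastructure traits above (very short domain lifetimes, Hong Kong registrars with Chinese nameservers, toll and postal lures) can be turned into a simple triage heuristic for domain telemetry. The following is an added example, not code from Unit 42 or from the article; the record fields, the scoring weights and the sample records are all assumptions constructed for illustration.

```python
from datetime import date

# Heuristics drawn from the reported campaign traits: most domains lived
# under a week, many used HK registrars and CN nameservers, and lures
# impersonated toll and postal services. Weights are an assumption.
LURE_TERMS = ("toll", "usps", "package", "delivery", "parcel")
SHORT_LIFETIME_DAYS = 7

def score_domain(rec):
    """Return (score, reasons) for one domain record.

    rec is a dict with: domain, first_seen, last_seen (date objects),
    registrar_country and ns_country (ISO country codes).
    """
    score, reasons = 0, []
    lifetime = (rec["last_seen"] - rec["first_seen"]).days
    if lifetime < SHORT_LIFETIME_DAYS:
        score += 2
        reasons.append(f"short-lived ({lifetime}d)")
    if any(term in rec["domain"].lower() for term in LURE_TERMS):
        score += 2
        reasons.append("toll/postal lure in name")
    if rec["registrar_country"] == "HK":
        score += 1
        reasons.append("HK registrar")
    if rec["ns_country"] == "CN":
        score += 1
        reasons.append("CN nameservers")
    return score, reasons

def triage(records, threshold=4):
    """Return (domain, score, reasons) for records at or above threshold, highest first."""
    hits = []
    for rec in records:
        score, reasons = score_domain(rec)
        if score >= threshold:
            hits.append((rec["domain"], score, reasons))
    hits.sort(key=lambda hit: -hit[1])
    return hits

# Constructed sample records; these are not real indicators.
SAMPLE = [
    {"domain": "example-toll-pay.invalid", "first_seen": date(2025, 10, 20),
     "last_seen": date(2025, 10, 23), "registrar_country": "HK", "ns_country": "CN"},
    {"domain": "shop.example", "first_seen": date(2023, 1, 1),
     "last_seen": date(2025, 10, 1), "registrar_country": "US", "ns_country": "US"},
    {"domain": "usps-parcel-track.invalid", "first_seen": date(2025, 10, 22),
     "last_seen": date(2025, 10, 24), "registrar_country": "US", "ns_country": "US"},
]

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE):
        print(domain, score, ", ".join(reasons))
```

Because the hosting itself sat on U.S. cloud providers, the heuristic deliberately does not score the hosting country; domain age and lure wording carry most of the signal.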

The Smishing Triad has evolved from a simple phishing kit provider into a full-scale Phishing-as-a-Service (PhaaS) operation involving multiple stakeholders, including phishing kit developers, data brokers (selling target phone numbers), domain resellers, hosting providers, and spammers. A report from Fortra noted that the group’s phishing kits have been increasingly used to target brokerage accounts, with activity rising fivefold. The attackers steal banking credentials and two-factor authentication codes before executing “ramp and dump” schemes (artificially inflating stock prices before selling off), creating major financial risks.

Unit 42 concluded that this is a global campaign with targets across multiple industries, not limited to the U.S. The group’s strategy of daily domain rotation and cross-sector impersonation makes detection and long-term disruption particularly challenging.

Source: https://thehackernews.com/2025/10/smishing-triad-linked-to-194000.html