431/68 Wednesday, October 29, 2025

Palo Alto Networks has issued a warning about a large-scale SMS phishing (smishing) campaign linked to Chinese-speaking threat actors. The operation, which began in April 2024 and continues to this day, has leveraged more than 194,000 fraudulent domains impersonating various organizations and services. These include toll payment systems, parcel delivery services, healthcare agencies, banks, cryptocurrency platforms, e-commerce sites, law enforcement authorities, and social media platforms – all designed to lure victims into clicking malicious links and submitting personal data such as Social Security numbers or financial information.
The campaign is described as highly decentralized, with no central point of control, and involves the rotation of large numbers of new domains each week, making detection difficult. Palo Alto Networks reports that attackers rely on diverse infrastructure, including multiple hosting providers and decentralized domain management systems. Victims are spread globally, including in the U.S., Canada, Australia, Germany, France, the U.K., Mexico, Russia, Malaysia, and other countries. The group behind the campaign, known as the Smishing Triad, has been active since 2023 and previously targeted iPhone users via iMessage by impersonating “India Post.” The group is also known for promoting a phishing kit called “Lighthouse” designed to attack banks in the Asia-Pacific region.
Researchers believe this campaign operates under a Phishing-as-a-Service (PhaaS) model, involving collaboration among multiple specialists: domain sellers, hosting providers, phishing kit developers, SMS spammers, and support teams that validate active phone numbers and domains. More than 82.6% of the domains used were less than two weeks old, with nearly 30% disappearing within two days. Over 90,000 domains impersonated toll collection services, while more than 28,000 domains mimicked the United States Postal Service (USPS), underscoring the scale and sophistication of this ongoing fraudulent network.
Source: https://www.securityweek.com/massive-china-linked-smishing-campaign-leveraged-194000-domains/
