Current Cyber Threats

Smishing Triad Impersonation Campaigns Expand Globally

Summary:
Darktrace’s threat-hunting team uncovered a cluster of malicious domains impersonating major Egyptian services, including Fawry, Egypt Post, and Careem, all linked to the Smishing Triad, a Chinese-speaking cybercriminal group known for global, high-volume SMS-based phishing. The identified infrastructure, largely hosted in AS132203, supports a wide range of fraudulent sites spoofing government services, logistics companies, financial institutions, and telecom providers. Analysis of HTTP headers and Shodan fingerprinting enabled the team to expand the domain list far beyond Egypt, revealing identical kits deployed across multiple regions. Infrastructure reuse shows a pattern of shared hosting for phishing pages impersonating UnionPay, TikTok, postal systems, and additional service providers.

Further investigation into the Smishing Triad’s operational ecosystem showed that it relies heavily on Telegram for distributing, customizing, and selling their phishing-as-a-service (PhaaS) offerings. Their “Panda” kit and related tooling support rapid deployment, global brand impersonation, and automated harvesting of PII at scale. Concurrently, Darktrace observed advancements in the broader PhaaS landscape, particularly with the rise of Darcula 3.0, a next-generation, AI-driven platform that can auto-generate phishing kits, bypass detection mechanisms, and centralize credential harvesting. These developments signal a continued increase in smishing volume and sophistication.

Security Officer Comments:
The observed activity reflects the Smishing Triad’s continued focus on impersonating trusted financial, postal, and telecommunications brands to optimize credential theft and payment fraud at scale. The heavy clustering of malicious domains within AS132203 highlights the group’s reliance on permissive or lightly monitored hosting environments, enabling them to rapidly deploy and rotate phishing infrastructure with minimal operational friction. Their use of Telegram for distributing PhaaS kits, templates, and support mirrors a broader criminal shift toward encrypted platforms that centralize marketing, customer onboarding, and infrastructure management.
Suggested Corrections:

Enhance SMS Filtering & Network Controls: Deploy carrier-grade SMS filtering, URL sandboxing, and ML-based detection tuned for high-risk financial and postal impersonation patterns.

Block Known Infrastructure & Monitor AS132203: Proactively block malicious domains/IPs associated with this AS and continuously monitor for new phishing deployments reusing similar fingerprints.
Harden User Authentication: Prioritize phishing-resistant MFA (FIDO2/WebAuthn), minimize SMS-based verification, and enforce strong session-token binding to reduce credential replay risks.
Increase User Awareness & Brand-Specific Training: Focus awareness campaigns on smishing trends involving postal delays, delivery fees, and account-verification messages—particularly for Fawry, Egypt Post, and ride-hailing impersonation.
Monitor Telegram for PhaaS Activity: Track known Smishing Triad and Darcula-linked Telegram groups for kit updates, new templates, distribution changes, and shifts in targeting strategy.
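
The header-fingerprint pivot described in the summary, and the "monitor for new deployments reusing similar fingerprints" step above, can be turned into a small triage routine: derive a fingerprint from hosts already attributed to the kit, then score newly observed hosts in the same AS by exact hash and by feature overlap. This is an added example, not Darktrace's tooling; the host names and header captures are constructed, and the 0.4 similarity threshold is an assumed starting point to tune against real data.

```python
import hashlib

# Constructed sample header captures for hypothetical hosts (not real observations).
# Header order plus the Server / X-Powered-By values are what make one hosting
# stack recognisable across otherwise unrelated phishing domains.
SEED_HOSTS = {  # hosts already attributed to the kit; the fingerprint is derived from these
    "seed-kit-host-1.example": [("Server", "nginx/1.18.0"), ("X-Powered-By", "PHP/7.4.33"),
                                ("Content-Type", "text/html; charset=UTF-8"), ("Cache-Control", "no-store")],
    "seed-kit-host-2.example": [("Server", "nginx/1.18.0"), ("X-Powered-By", "PHP/7.4.33"),
                                ("Content-Type", "text/html; charset=UTF-8"), ("Cache-Control", "no-store")],
}
CANDIDATES = {  # newly seen hosts in the same AS that need a verdict
    "candidate-a.example": [("Server", "nginx/1.18.0"), ("X-Powered-By", "PHP/7.4.33"),
                            ("Content-Type", "text/html; charset=UTF-8"), ("Cache-Control", "no-store")],
    "candidate-b.example": [("Server", "nginx/1.18.0"), ("X-Powered-By", "PHP/7.4.33"),
                            ("Content-Type", "text/html; charset=UTF-8"), ("Set-Cookie", "sid=1")],
    "candidate-c.example": [("Server", "cloudflare"), ("Content-Type", "text/html"),
                            ("Cache-Control", "max-age=3600")],
}

def fingerprint(headers):
    """Return (exact_hash, feature_set): a hash of the ordered headers verbatim, and a
    set of name=value pairs plus the header order for fuzzy matching of near-identical kits."""
    canonical = "\n".join(f"{k.lower()}: {v}" for k, v in headers)
    exact = hashlib.sha256(canonical.encode()).hexdigest()
    features = {f"{k.lower()}={v}" for k, v in headers}
    features.add("order:" + ",".join(k.lower() for k, _ in headers))
    return exact, features

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0

def score_candidates(seed, candidates, threshold=0.4):
    """Classify each candidate as exact-match, likely-reuse or no-match against the seed set."""
    seed_exact = {fingerprint(h)[0] for h in seed.values()}
    seed_feats = [fingerprint(h)[1] for h in seed.values()]
    verdicts = {}
    for host, headers in candidates.items():
        exact, feats = fingerprint(headers)
        best = max(jaccard(feats, s) for s in seed_feats)
        if exact in seed_exact:
            verdict = "exact-match"   # identical stack: same header order and values
        elif best >= threshold:
            verdict = "likely-reuse"  # most features shared; analyst review before blocking
        else:
            verdict = "no-match"
        verdicts[host] = (verdict, round(best, 2))
    return verdicts
```

On the constructed data, `score_candidates(SEED_HOSTS, CANDIDATES)` returns exact-match for candidate-a, likely-reuse (similarity 0.43) for candidate-b, and no-match for candidate-c; the likely-reuse tier is where an analyst confirms before adding a host to blocklists.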
Link(s):
https://www.infosecurity-magazine.com/news/smishing-triad-campaigns-expand/