Unknown threat actors have been abusing Milesight industrial cellular routers to send SMS messages as part of a smishing campaign targeting users in European countries since February 2022.
French cybersecurity company Sekoia said the attackers are exploiting the cellular routers' API to send malicious SMS messages containing phishing URLs, with campaigns that mainly target Sweden, Italy, and Belgium using typosquatted URLs that imitate services such as CSAM and eBox, as well as postal providers.
Of the 18,000 routers of this type accessible on the public internet, less than 572 are assessed to be potentially vulnerable because they expose the inbox/outbox API. About half of the identified vulnerable routers are located in Europe.
“In addition, the API enables the retrieval of both incoming and outgoing SMS messages, which indicates that the vulnerability has been actively exploited to broadcast malicious SMS campaigns since at least February 2022,” the company said. “There is no evidence of any attempt to install a backdoor or take advantage of other weaknesses on the device. This suggests a targeted approach, specifically aligned with the attacker's smishing operation.”
It is believed that the attackers are exploiting a now-patched information disclosure flaw affecting Milesight routers (CVE-2023-43261, CVSS score: 7.5), which was disclosed by security researcher Bipin Jitiya two years ago. Later, VulnCheck revealed that the vulnerability could have been weaponized in the wild immediately after public disclosure.
Further investigation has revealed that some industrial routers expose SMS-related features, including sending messages or viewing SMS history, without requiring any form of authentication.
The attacks include an initial verification phase, in which the threat actors check whether a router can send SMS messages by targeting a phone number under their control. Sekoia further stated that the API may also be publicly accessible due to misconfigurations, given that some routers have been found to run recent firmware versions that are not susceptible to CVE-2023-43261.
The phishing URLs distributed using this method include JavaScript that checks whether the page is being accessed from a mobile device before serving the malicious content, which in turn urges users to update their banking information for an alleged reimbursement.
What’s more, one of the domains used in campaigns between January and April 2025, JNSI[.]XYZ, features JavaScript code to disable right-click actions and browser debugging tools in an attempt to obstruct analysis efforts. Some pages have also been found to log visitor connections to a Telegram bot called Gruzbot, operated by an actor named “Gro_Oza”, who appears to speak both Arabic and French.
“The smishing campaign is organized through the exploitation of vulnerable cellular routers – a relatively straightforward, yet effective, delivery vector,” said Sekoia. “These devices are specifically appealing to threat actors because they enable decentralized SMS distribution in many countries, complicating both detection and takedown efforts.”
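For operators of such routers, the SMS history itself is the place to look for this abuse. The following is an added example, not code from Sekoia or the router vendor: it groups outbound messages by the host they link to and flags hosts sent to many distinct recipients. The record layout, sample messages, `.example` hosts, phone numbers, and threshold are all constructed assumptions, as is the premise that the router normally sends only operator alerts.

```python
import re
from collections import defaultdict

# Constructed sample of a router SMS outbox export: (timestamp, recipient, body).
# The record layout is an assumption; adapt the loader to your device's export.
OUTBOX = [
    ("2025-02-03T08:00:00", "+32470000001", "ALARM: cabinet 4 door open"),
    ("2025-02-03T09:14:00", "+32470000011", "eBox: nieuw document https://ebox-be.example/login"),
    ("2025-02-03T09:14:05", "+32470000012", "eBox: nieuw document https://ebox-be.example/login"),
    ("2025-02-03T09:14:09", "+46700000013", "Nytt meddelande: http://EBOX-BE.example/se"),
    ("2025-02-03T09:15:00", "+39320000014", "Rimborso disponibile https://ebox-be.example/it"),
    ("2025-02-04T10:00:00", "+32470000001", "Status report https://portal.example/r/4"),
]

URL_HOST = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)
# Calling codes of the three countries the article names as main targets.
COUNTRY = {"+46": "SE", "+39": "IT", "+32": "BE"}


def country_of(number):
    """Map a recipient number to one of the named countries, else 'other'."""
    return next((cc for prefix, cc in COUNTRY.items() if number.startswith(prefix)), "other")


def triage_outbox(records, min_recipients=3):
    """Return hosts linked in SMS sent to at least min_recipients distinct numbers."""
    hosts = defaultdict(lambda: {"recipients": set(), "countries": set(), "first_seen": None})
    for ts, recipient, body in records:
        for host in URL_HOST.findall(body):
            entry = hosts[host.lower()]  # hosts are case-insensitive
            entry["recipients"].add(recipient)
            entry["countries"].add(country_of(recipient))
            # ISO 8601 timestamps of equal precision sort correctly as strings.
            if entry["first_seen"] is None or ts < entry["first_seen"]:
                entry["first_seen"] = ts
    return {h: e for h, e in hosts.items() if len(e["recipients"]) >= min_recipients}


if __name__ == "__main__":
    for host, e in triage_outbox(OUTBOX).items():
        print(host, len(e["recipients"]), sorted(e["countries"]), e["first_seen"])
```

A flagged host with a `first_seen` timestamp gives a starting point for checking how long the SMS API has been reachable without authentication.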