The threat actors behind a massive ongoing smishing campaign have been responsible for more than 194,000 malicious domains targeting a wide range of services around the world since January 1, 2024, according to new findings from Palo Alto Networks Unit 42.
“Although these domains are registered through a Hong Kong-based registrar and use Chinese nameservers, the attack infrastructure is primarily hosted on popular US cloud services,” said security researchers Rithika Ramesh, Zhanhao Chen, Daping Liu, Chi-Wei Liu, Shehroz Farooqui and Mo Ghasemishrif.
The activity has been attributed to a China-linked group known as Smishing Triad, which is known to flood mobile devices with fraudulent toll violation and package misdelivery notices to trick users into taking immediate action and handing over sensitive information.
These campaigns have proven lucrative, earning threat actors more than $1 billion over the past three years, according to a recent report from The Wall Street Journal.
In a report published earlier this week, Fortra said phishing kits associated with the Smishing Triad are being increasingly used to target brokerage accounts to obtain banking credentials and authentication codes, with attacks targeting these accounts seeing a five-fold increase in the second quarter of 2025 compared to the same period last year.
“Once compromised, the attackers manipulate stock market prices using a ‘ramp and dump’ strategy,” said security researcher Alexis Ober. “These methods leave almost no paper trail, further exacerbating the financial risks posed by this threat.”
The adversary group is said to have evolved from a dedicated phishing kit provider into a “highly active community” that brings together different threat actors, each of whom plays a key role in the phishing-as-a-service (PhaaS) ecosystem.
This includes phishing kit developers, data brokers (who sell target phone numbers), domain vendors (who register disposable domains to host phishing sites), hosting providers (who provide servers), spammers (who distribute messages to victims en masse), liveness scanners (who validate phone numbers), and blocklist scanners (who check phishing domains against known blocklists so they can be rotated out).
[Figure: Ecosystem of the Smishing Triad]
Unit 42’s analysis showed that of the 136,933 root domains, approximately 93,200 (68.06%) are registered under the Hong Kong-based registrar Dominate (HK) Limited. A large number of the domains use the “com” prefix, although registrations of “gov” domains have increased in the last three months.
Of the domains identified, 39,964 (29.19%) were active for two days or less, 71.3% were active for less than a week, 82.6% were active for two weeks or less, and fewer than 6% remained active beyond the first three months after registration.
“This rapid churn clearly demonstrates that the campaign’s strategy relies on a constant cycle of newly registered domains to avoid detection,” the cybersecurity company said, adding that 194,345 fully qualified domain names (FQDNs) were used across 43,494 unique IP addresses, the majority of which are in the US and hosted on Cloudflare (AS13335).
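The domain-lifetime buckets above are easy to reproduce against a defender's own passive-DNS or newly-registered-domain feed. The following is an added example, not Unit 42's code or data: it buckets constructed first-seen/last-seen records with the report's thresholds (two days, one week, two weeks, three months) and flags short-lived domains whose names carry the lure keywords the campaign favours (USPS, tolls, parcels). The record set, keyword list and 14-day cutoff are assumptions for illustration.

```python
from datetime import date

# Constructed passive-DNS style records: (domain, first_seen, last_seen).
# These are illustrative values, not indicators from the Unit 42 report.
RECORDS = [
    ("usps-redelivery-fee.com",    date(2025, 7, 1),  date(2025, 7, 2)),
    ("ezpass-toll-notice.top",     date(2025, 7, 3),  date(2025, 7, 3)),
    ("parcel-hold-payment.com",    date(2025, 7, 1),  date(2025, 7, 5)),
    ("toll-violation-pay.com",     date(2025, 6, 20), date(2025, 7, 2)),
    ("bank-login-secure.com",      date(2025, 6, 1),  date(2025, 6, 25)),
    ("example-hardware-store.com", date(2024, 1, 5),  date(2025, 7, 1)),
]

# Assumed brand/lure keywords drawn from the services the article says are cloned.
LURE_KEYWORDS = ("usps", "toll", "ezpass", "parcel", "dmv")


def lifetime_days(first_seen: date, last_seen: date) -> int:
    """Observed lifetime in days, counting the first day (same-day = 1)."""
    return (last_seen - first_seen).days + 1


def churn_profile(records) -> dict:
    """Cumulative share of domains per lifetime bucket, using the report's cutoffs."""
    total = len(records)
    lifetimes = [lifetime_days(first, last) for _, first, last in records]
    return {
        "<=2 days":   sum(d <= 2 for d in lifetimes) / total,
        "<1 week":    sum(d < 7 for d in lifetimes) / total,
        "<=2 weeks":  sum(d <= 14 for d in lifetimes) / total,
        ">3 months":  sum(d > 90 for d in lifetimes) / total,
    }


def flag_short_lived_lures(records, max_days: int = 14) -> list:
    """Domains that combine a lure keyword with the rapid churn the campaign relies on."""
    flagged = []
    for domain, first, last in records:
        name = domain.lower()
        if lifetime_days(first, last) <= max_days and any(k in name for k in LURE_KEYWORDS):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for bucket, share in churn_profile(RECORDS).items():
        print(f"{bucket:>10}: {share:.1%}")
    print("flagged:", flag_short_lived_lures(RECORDS))
```

On a live feed the same two functions turn a registrar or nameserver filter (for example the Hong Kong registrar and Chinese nameservers the report names) into a daily churn report and a block candidate list.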
Other key findings from the infrastructure analysis are listed below:
- The US Postal Service (USPS) is the most heavily cloned service, with 28,045 FQDNs.
- With approximately 90,000 dedicated phishing FQDNs, campaigns using toll service lures are the most commonly impersonated category.
- The attack infrastructure for the domains generating the highest amount of traffic is located in the US, followed by China and Singapore.
- The campaigns have impersonated banks, cryptocurrency exchanges, mail and delivery services, police forces, state-owned enterprises, electronic toll systems, carpooling applications, hospitality services, social media and e-commerce platforms in Russia, Poland and Lithuania.
In phishing campaigns impersonating government services, users are often redirected to landing pages that claim unpaid tolls and other service charges, and in some cases ClickFix-style lures trick them into running malicious code under the pretext of completing a CAPTCHA check.
“Smishing operations impersonating US toll services are no different,” Unit 42 said. “Instead it is a large-scale campaign with global reach, impersonating multiple services in different regions. The threat is highly decentralized. Attackers are registering and churning through thousands of domains per day.”