The monitoring and analysis of vulnerability exploitations are among the primary responsibilities of Sekoia.io’s Threat Detection & Research (TDR) team.
Using honeypots, the team monitors traffic targeting edge devices and internet-facing applications.
On 22 July 2025, suspicious network traces appeared in our honeypots, revealing that a cellular router’s API was being exploited to deliver smishing campaigns via malicious SMS messages containing phishing URLs.
Analysis indicates a focused targeting of Belgium, with attacks impersonating services such as CSAM and eBox and utilizing the +32 country code.
Logs from Milesight Industrial Cellular Router honeypots revealed POST requests to the /cgi endpoint with JSON payloads explicitly used to send SMS messages.
Traces began in late June 2025—shortly after these honeypots were deployed—and originated exclusively from IP address 212.162.155[.]38 within AS Podaon SIA.
Extracted messages were written in Dutch or French, targeted Belgian numbers (+32), and used typosquatted domains of official Belgian services.
No evidence of backdoors or other device exploitation was observed, indicating an operation solely aimed at SMS-based phishing.
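The observations above (POST requests to /cgi carrying SMS-related JSON, a single source IP, phone numbers and phishing URLs embedded in the bodies) translate directly into a detection rule. The following is an added example, not Sekoia.io's or Milesight's code. It assumes a constructed JSON-lines honeypot record format (fields ts, src_ip, method, path, cookie, body); the query_outbox and query_inbox names come from the article, while "send_sms" is a placeholder for the send operation, whose real parameter name the article does not give.

```python
"""Flag honeypot-logged POST /cgi requests that touch a router's SMS features."""
import json
import re
from collections import defaultdict

# Parameter names that indicate SMS API use. query_outbox/query_inbox are named
# in the article; "send_sms" is a PLACEHOLDER for the real send parameter.
SMS_KEYS = {"query_outbox", "query_inbox", "send_sms"}
PHONE_RE = re.compile(r"\+\d{8,15}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _rec(ts, ip, method, path, cookie, body):
    """Build one constructed honeypot record as a JSON line (assumed format)."""
    return json.dumps({"ts": ts, "src_ip": ip, "method": method, "path": path,
                       "cookie": cookie, "body": json.dumps(body) if body is not None else ""})


# Constructed sample log: one source polls the outbox, sends a lure, then reads the inbox.
SAMPLE_LOG = "\n".join([
    _rec("2025-06-28T10:01:02Z", "203.0.113.7", "POST", "/cgi", "", {"query_outbox": {}}),
    _rec("2025-06-28T10:01:05Z", "203.0.113.7", "POST", "/cgi", "auth=placeholder",
         {"send_sms": {"to": "+32470000000",
                       "text": "eBox: new message https://ebox.csam-trust.xyz/login"}}),
    _rec("2025-06-28T10:02:00Z", "198.51.100.4", "GET", "/", "", None),
    _rec("2025-06-28T10:03:00Z", "203.0.113.7", "POST", "/cgi", "", {"query_inbox": {}}),
])


def is_sms_api_call(rec):
    """True when the record is a POST to /cgi whose JSON body names an SMS parameter."""
    if rec.get("method") != "POST" or rec.get("path") != "/cgi":
        return False
    try:
        body = json.loads(rec.get("body") or "")
    except ValueError:
        return False
    return isinstance(body, dict) and bool(SMS_KEYS & set(body))


def defang(url):
    """Make an indicator safe to paste into a report."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def analyze(log_text):
    """Aggregate SMS API activity per source IP and pull out pivotable indicators."""
    per_ip = defaultdict(lambda: {"calls": 0, "unauthenticated": 0,
                                  "phones": set(), "urls": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not is_sms_api_call(rec):
            continue
        stats = per_ip[rec["src_ip"]]
        stats["calls"] += 1
        if not rec.get("cookie"):
            stats["unauthenticated"] += 1  # SMS feature reached with no session at all
        stats["phones"].update(PHONE_RE.findall(rec["body"]))
        stats["urls"].update(URL_RE.findall(rec["body"]))
    return dict(per_ip)


def alerts(per_ip):
    """One human-readable alert line per offending source."""
    return [f"{ip}: {s['calls']} SMS API call(s), {s['unauthenticated']} without a cookie, "
            f"numbers={sorted(s['phones'])}, urls={[defang(u) for u in sorted(s['urls'])]}"
            for ip, s in per_ip.items()]


if __name__ == "__main__":
    for line in alerts(analyze(SAMPLE_LOG)):
        print(line)
```

The rule deliberately fires on outbox and inbox reads as well as on sends: on a device that should never be driven from the internet, any of these from an external address is worth an alert, and the extracted numbers and lure URLs are the pivots for clustering sources the way the article describes.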
Vulnerability Overview
The logs showed use of a valid authentication cookie, though the password could not be decrypted using AES keys from CVE-2023-43261 exploitation methods.
A Medium post by Bipin Jitiya detailed that several Milesight routers exposed encrypted admin credentials and sensitive logs via HTTP.
However, our tests uncovered that many routers allow unauthenticated access to SMS features, enabling attackers to retrieve inbox/outbox data or send messages without authentication.
Unauthenticated POST requests to /cgi using parameters like query_outbox or query_inbox produce JSON objects with timestamps, message content, recipient numbers, and status indicators (success or failed).
A high volume of “failed” statuses suggests attackers first test routers against phone numbers they control before launching mass campaigns—an operational fingerprint that may aid in clustering and detection.
Scope of Vulnerable Assets
A Shodan search identified over 19,000 Milesight Industrial Cellular Routers exposed on the public internet—nearly half located in Australia, with France and Turkey also heavily represented.
Of 6,643 checked devices, 572 permitted unauthenticated API access, many running outdated firmware (32.2.x.x, 32.3.x.x).
Europe accounts for nearly half of vulnerable routers, facilitating reliable SMS delivery to European phone numbers and explaining the disproportionate targeting of that region.

Smishing campaigns exploiting this vulnerability date back to February 2022. Collected SMS samples clustered by campaign reveal simultaneous mass messaging to 42,044 Swedish and 31,353 Italian numbers, while Belgian and French targets faced repeated, distinct campaigns.
Belgian messages impersonated CSAM and eBox, offering fake notifications requiring immediate attention via malicious links.

French campaigns mimicked services such as Ameli, La Poste, GLS, and Crédit Agricole, using varied pretexts from health card renewals to banking security alerts.
Phishing Infrastructure
The attacker’s infrastructure relies on domains registered through NameSilo and hosting by Podaon SIA. In Belgium-focused campaigns, domains like csam.ebox-login[.]xyz and ebox.csam-trust[.]xyz resolved to Podaon IPs and remain active.
![ebox.csam-trust[.]xyz url scan analysis.](https://gbhackers.com/wp-content/uploads/2025/09/image5-1024x461-1.png)
Phishing pages check for mobile environments via a JavaScript “detect_device.js” to evade desktop sandboxes.
Broader campaigns used the jnsi[.]xyz domain cluster under Russian AS211860, impersonating services from Netflix to Telia, with obfuscated scripts (GroozaV2) hindering analysis.
This campaign underscores how simple, accessible infrastructure—vulnerable cellular routers—can be weaponized for highly effective smishing operations at scale.
By decentralizing SMS distribution across multiple countries, attackers evade detection and sustain profitable phishing campaigns.
Continued vigilance is critical: users must scrutinize unsolicited messages, especially those with shortened URLs, urgent language, or grammatical errors. Awareness and skepticism remain the first line of defense against evolving smishing threats.