A sophisticated text message phishing campaign originating from China has emerged as one of the most extensive cybersecurity threats targeting users worldwide.
The operation, attributed to a threat collective known as the Smishing Triad, represents a massive escalation in SMS-based fraud, impersonating services across banking, healthcare, law enforcement, e-commerce, and government sectors.
What began as isolated incidents of toll violation notices has evolved into a coordinated global campaign affecting users in over 121 countries.
Palo Alto Networks analysts identified the campaign’s unprecedented scale through comprehensive threat intelligence gathering.
Their research uncovered 194,345 fully qualified domain names spanning 136,933 root domains registered since January 2024.
The attack infrastructure demonstrates remarkable sophistication, with threat actors registering and cycling through thousands of domains daily to evade detection mechanisms.
The majority of these domains flow through Dominet (HK) Limited, a Hong Kong-based registrar, while utilizing Chinese nameservers for DNS infrastructure.
However, the actual hosting infrastructure concentrates within U.S. cloud services, particularly within autonomous system AS13335 on the 104.21.0.0/16 subnet.
The campaign’s delivery mechanisms have undergone significant transformation. Early attacks employed email-to-SMS features through iMessage, but threat actors have recently transitioned to direct phone number-based delivery.
Messages predominantly originate from Philippine (+63) and U.S. (+1) country codes, creating an illusion of legitimacy.
The phishing messages themselves employ sophisticated social engineering tactics, incorporating targeted personal information and technical jargon to establish urgency and credibility.
Palo Alto Networks researchers noted that the operation functions as a comprehensive Phishing-as-a-Service ecosystem operating through Telegram channels.
Analysis of the Smishing Triad’s communication networks revealed a highly specialized supply chain with distinct roles.
Data brokers sell target phone numbers, domain sellers register disposable domains, and hosting providers maintain backend infrastructure.
Phishing kit developers create frontend interfaces and credential harvesting dashboards, while SMS spammers deliver messages at scale.
Supporting roles include liveness scanners verifying active phone numbers and blocklist scanners monitoring domain reputation to trigger rapid asset rotation.
Underground Infrastructure and Domain Lifecycle
The campaign’s infrastructure exhibits remarkable resilience through decentralization and rapid domain cycling.
Palo Alto Networks analysts observed that 29.19 percent of domains remain active for two days or less, with 71.3 percent lasting under one week.
Domain naming conventions typically follow hyphenated string patterns like gov-addpayment.info or com-posewxts.top, deliberately crafted to deceive casual inspection.
The Telegram chat records show various underground service providers competing within the PhaaS ecosystem, while the interconnected infrastructure reveals how 90 different root domains route through concentrated IP address clusters within Cloudflare’s network.
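As an added illustration, not code from the report or from Palo Alto Networks' tooling, the Python below scores constructed passive-DNS records against the two traits the article describes: a leftmost label that opens with a TLD-like token before a hyphen (the gov-addpayment.info / com-posewxts.top pattern) and hosting inside the reported 104.21.0.0/16 range. The prefix set, the sample records and the rule that both signals must fire before a record is flagged are assumptions of this example.

```python
import ipaddress
import re

# Hosting range the report names (AS13335, 104.21.0.0/16); extend from your own passive-DNS data.
REPORTED_RANGES = [ipaddress.ip_network("104.21.0.0/16")]

# Assumed set of tokens that mimic a TLD when they open a hyphenated label, e.g. "gov-addpayment.info".
TLD_LOOKALIKE_PREFIXES = {"gov", "com", "org", "net", "edu"}

# Valid hostname label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def tld_lookalike_prefix(fqdn):
    """Return the TLD-like token that opens a hyphenated leftmost label, else None."""
    first = fqdn.lower().split(".")[0]
    if "-" not in first or not LABEL_RE.match(first):
        return None
    head = first.split("-", 1)[0]
    return head if head in TLD_LOOKALIKE_PREFIXES else None


def in_reported_range(ip):
    """True when the resolved address falls inside one of the reported hosting ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in REPORTED_RANGES)


def score_record(fqdn, ip):
    """Combine the naming heuristic with the hosting check; both must fire to flag a record."""
    prefix = tld_lookalike_prefix(fqdn)
    hosted = in_reported_range(ip)
    reasons = ([f"tld-lookalike-prefix:{prefix}"] if prefix else []) + (["reported-hosting-range"] if hosted else [])
    return {"fqdn": fqdn, "ip": ip, "reasons": reasons, "suspicious": bool(prefix) and hosted}


# Constructed sample passive-DNS records (not from the report); the first two follow the described pattern.
SAMPLE_RECORDS = [
    ("gov-addpayment.info", "104.21.55.12"),
    ("com-posewxts.top", "104.21.200.3"),
    ("mail.example.org", "104.21.9.9"),
    ("gov-lookalike.example", "198.51.100.7"),
]


def flag_records(records=SAMPLE_RECORDS):
    """Return only the records where both the naming and hosting signals fire."""
    return [r for r in (score_record(f, i) for f, i in records) if r["suspicious"]]
```

Records that match only one signal (a benign host in the same range, or a lookalike name hosted elsewhere) are scored but not flagged, which keeps the false-positive rate down on shared cloud infrastructure.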
