{"id":3643,"date":"2025-11-25T19:28:22","date_gmt":"2025-11-25T19:28:22","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/11\/25\/smishing-triad-impersonation-campaigns-expand-globally\/"},"modified":"2025-11-25T19:28:22","modified_gmt":"2025-11-25T19:28:22","slug":"smishing-triad-impersonation-campaigns-expand-globally","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/11\/25\/smishing-triad-impersonation-campaigns-expand-globally\/","title":{"rendered":"Smishing Triad Impersonation Campaigns Expand Globally"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-457ac981-8d54-401f-bf56-7ce196de2d83\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A growing cluster of fraudulent domains impersonating major Egyptian service providers, including Fawry, Egypt Post and Careem, has been identified during a recent threat-hunting operation.<\/p>\n<p>The discovery by Dark Atlas points to an expanding campaign run by the Smishing Triad, a Chinese-speaking cybercrime\u00a0group known for large-scale SMS phishing operations.<\/p>\n<p>These domains appear designed to support fraud and data-harvesting schemes aimed at both individuals and organizations.<\/p>\n<h2>New Malicious Domains<\/h2>\n<p>New malicious domains were uncovered after analysts examined HTTP headers from the group\u2019s infrastructure and used those indicators to run targeted searches on Shodan.<\/p>\n<p>The process exposed additional domains mimicking global brands and financial platforms, particularly within AS132203, an infrastructure block linked to Tencent\u2019s facilities.<\/p>\n<p>Analysts found that the same network space is being used to host pages spoofing UnionPay, TikTok and other services, illustrating how broadly the Triad relies on shared hosting resources.<\/p>\n<p>The investigation also 
highlighted the group\u2019s reliance on Telegram to promote and sell its phishing-as-a-service offerings.<\/p>\n<p>Older Telegram channels led analysts to a video from a member identified as \u201cwangduoyu8,\u201d\u00a0demonstrating the group\u2019s customizable smishing kit. These kits can be rapidly deployed to virtual servers, automatically unpacking and configuring phishing templates that target victims across multiple regions.<\/p>\n<p>The kits include international templates that mimic well-known brands. Examples identified in the investigation include:<\/p>\n<ul>\n<li>\n<p>Fake delivery notifications imitating DHL, Evri and UPS<\/p>\n<\/li>\n<li>\n<p>Telecom billing alerts resembling AT&#038;T, Movistar and Vodafone<\/p>\n<\/li>\n<li>\n<p>Government and postal service messages linked to USPS, GOV.UK and Egypt Post<\/p>\n<\/li>\n<\/ul>\n<h2>Rising Competition From Darcula<\/h2>\n<p>A separate but related development, detailed in the same Dark Atlas advisory, involves Darcula, a large-scale PhaaS platform operating more than 20,000 spoofed domains across 100 countries.<\/p>\n<p>Netcraft reports that an upgraded version, Darcula 3.0, introduced anti-detection features, an enhanced admin panel, a card-cloning tool and AI-driven automation that allows operators to build phishing pages with a single click. 
Analysts warn that these upgrades will likely drive higher phishing volumes.<\/p>\n<p>According to the research team, both the Smishing Triad and emerging PhaaS services like Darcula demonstrate the increasing sophistication of global phishing operations.<\/p>\n<p>\u201cOur investigation underscores the importance of proactive threat hunting, continuous monitoring of phishing infrastructure\u00a0and user awareness to mitigate the risks posed by these campaigns,\u201d\u00a0Dark Atlas warned.<\/p>\n<p>\u201cAs cyber-criminals continue to innovate, understanding their tactics, techniques and procedures is essential for building resilient defenses and protecting sensitive information worldwide.\u201d<\/p>\n<\/div>\n<p>Image credit: Tamar A Soliman \/ Shutterstock.com<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A growing cluster of fraudulent domains impersonating major Egyptian service providers, including Fawry, Egypt Post and Careem, has been identified during a recent threat-hunting operation. The discovery by Dark Atlas points to an expanding campaign run by the Smishing Triad, a Chinese-speaking cybercrime\u00a0group known for large-scale SMS phishing operations. 
These domains appear designed to support<\/p>\n","protected":false},"author":2,"featured_media":3644,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3643","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3643-7c1b8445-81fb-409e-b3fe-e56e41e4424f.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3643-7c1b8445-81fb-409e-b3fe-e56e41e4424f-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3643-7c1b8445-81fb-409e-b3fe-e56e41e4424f.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3643-7c1b8445-81fb-409e-b3fe-e56e41e4424f.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3643-7c1b8445-81fb-409e-b3fe-e56e41e4424f.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3643-7c1b8445-81fb-409e-b3fe-e56e41e4424f.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3643-7c1b8445-81fb-409e-b3fe-e56e41e4424f.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3643-7c1b8445-81fb-409e-b3fe-e56e41e4424f.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3643-7c1b8445-81fb-409e-b3fe-e56e41e4424f.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3643-7c1b8445-81fb-409e-b3fe-e56e41e4424f.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3643-7c1b8445-81fb-409e-b3fe-e56e41e4424f-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3643"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3643\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3644"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3643"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}