Smishing Triad Linked to 194,000 Malicious Domains in Global Phishing Operation

Oct 24, 2025 | Ravie Lakshmanan | Data Breach / Cybercrime

\"\"

The ongoing smishing campaign attributed to the Smishing Triad has used more than 194,000 malicious domains since January 1, 2024, targeting a wide range of services worldwide, according to new research from Palo Alto Networks Unit 42.

Security researchers Reethika Ramesh, Zhanhao Chen, Daiping Liu, Chi-Wei Liu, Shehroze Farooqi, and Moe Ghasemisharif revealed that the attack infrastructure, although registered through a Hong Kong-based registrar and Chinese nameservers, is primarily hosted on popular U.S. cloud services.

The China-linked Smishing Triad is known for flooding mobile devices with fake toll-violation and package-misdelivery notices that trick users into handing over sensitive information, reportedly generating more than $1 billion in profit over the past three years.

In a recent report, Fortra noted that phishing kits associated with the Smishing Triad are increasingly being used to target brokerage accounts, harvesting banking credentials and authentication codes, with a significant rise in such attacks in the second quarter of 2025 compared with the same period a year earlier.

According to security researcher Alexis Ober, access to compromised brokerage accounts is then used to manipulate stock prices through "ramp and dump" tactics, an approach that leaves minimal traces and raises the financial risk for victims.

The Smishing Triad has evolved into a highly active community, encompassing various threat actors who play vital roles in the phishing-as-a-service (PhaaS) ecosystem.

\"\"
The PhaaS ecosystem of the Smishing Triad

Unit 42's analysis indicates that the majority of the root domains are registered through Dominet (HK) Limited, and that a large share of them are active for only very short periods, reflecting a strategy of continuous domain registration to stay ahead of blocklists and detection.

The campaign has used a large number of fully qualified domain names (FQDNs) resolving to numerous IP addresses, most of them located in the U.S. and hosted on Cloudflare (AS13335).
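The infrastructure pattern described above (Hong Kong registrar, Chinese nameservers, short-lived domains, U.S. cloud hosting, lure-themed names) is the kind of thing a SOC can score in bulk from passive-DNS and WHOIS data. The script below is an added example, not code from Unit 42 or from the article: it parses a handful of constructed sample records (the domains, nameservers, dates and the non-Cloudflare ASN 64496 are made up for illustration), scores each one against those indicators, and flags domains that match a configurable number of them. The lure-term list, the seven-day lifetime window and the alert threshold are assumptions a team would tune to its own data.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample records for illustration only; none of these domains
# are taken from the report. Columns: domain, registrar, nameservers
# (semicolon separated), first-seen date, last-seen date, hosting ASN.
SAMPLE_RECORDS = """domain,registrar,nameservers,created,last_seen,hosting_asn
usps-toll-fee.top,Dominet (HK) Limited,ns1.example-dns.cn;ns2.example-dns.cn,2025-03-02,2025-03-05,13335
parcel-redelivery-notice.xyz,Dominet (HK) Limited,ns1.example-dns.cn;ns2.example-dns.cn,2025-03-04,2025-03-06,13335
example-bank-login.com,Example Registrar Inc,ns1.example.net;ns2.example.net,2018-06-10,2025-03-06,13335
shop.example.org,Example Registrar Inc,ns1.example.net,2012-01-01,2025-03-06,64496
quick-toll.cc,Other Registrar,ns1.example-dns.cn,2025-03-01,2025-03-04,13335
"""

# Indicators drawn from the reporting: registrar and hosting ASN named in
# the article; the lure terms and lifetime window are assumptions.
WATCHED_REGISTRARS = {"dominet (hk) limited"}
CLOUD_HOSTING_ASNS = {13335}          # Cloudflare
NAMESERVER_TLD = ".cn"
LURE_TERMS = ("toll", "usps", "parcel", "delivery", "post")   # assumed
MAX_LIFETIME_DAYS = 7                                          # assumed


@dataclass
class DomainRecord:
    domain: str
    registrar: str
    nameservers: List[str]
    created: date
    last_seen: date
    hosting_asn: int


def parse_records(text: str) -> List[DomainRecord]:
    """Parse CSV text into DomainRecord objects, preserving row order."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        DomainRecord(
            domain=row["domain"].strip().lower(),
            registrar=row["registrar"].strip(),
            nameservers=[ns.strip().lower() for ns in row["nameservers"].split(";") if ns.strip()],
            created=date.fromisoformat(row["created"]),
            last_seen=date.fromisoformat(row["last_seen"]),
            hosting_asn=int(row["hosting_asn"]),
        )
        for row in reader
    ]


def score(rec: DomainRecord) -> Tuple[int, List[str]]:
    """Return the number of matched indicators and their names."""
    reasons: List[str] = []
    if rec.registrar.lower() in WATCHED_REGISTRARS:
        reasons.append("watched-registrar")
    if any(ns.endswith(NAMESERVER_TLD) for ns in rec.nameservers):
        reasons.append("cn-nameserver")
    if rec.hosting_asn in CLOUD_HOSTING_ASNS:
        reasons.append("cloud-hosted")
    if (rec.last_seen - rec.created).days <= MAX_LIFETIME_DAYS:
        reasons.append("short-lived")
    # Only the leftmost label is checked so that a lure word in a legitimate
    # registrable domain's subdomain does not trip the rule by itself.
    if any(term in rec.domain.split(".")[0] for term in LURE_TERMS):
        reasons.append("lure-term")
    return len(reasons), reasons


def triage(records: List[DomainRecord], threshold: int = 3) -> Dict[str, List[str]]:
    """Map each domain meeting the threshold to the indicators it matched."""
    flagged: Dict[str, List[str]] = {}
    for rec in records:
        hits, reasons = score(rec)
        if hits >= threshold:
            flagged[rec.domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in triage(parse_records(SAMPLE_RECORDS)).items():
        print(f"{domain}: {', '.join(reasons)}")
```

A single indicator such as Cloudflare hosting is meaningless on its own, which is why the example requires several to coincide; the point is that the registrar, nameserver and lifetime signals together separate the throwaway lure domains from a legitimate Cloudflare-fronted site like the constructed example-bank-login.com row, which matches only one indicator.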

\"CIS

The phishing campaigns have impersonated a wide range of services, including banks, cryptocurrency exchanges, mail services, police forces, and more, with a global reach and a highly decentralized nature.

In government service impersonation attacks, users are often redirected to pages claiming unpaid tolls or service charges, sometimes using ClickFix lures to execute malicious code under the guise of completing a CAPTCHA check.

Taken together, the Smishing Triad's campaign is both extensive and diverse, spanning many sectors, services and countries, with the operators constantly registering and cycling through new domains so that any single takedown or blocklist entry has little lasting effect.