The threat actors behind a large-scale, ongoing smishing campaign have been attributed to more than 194,000 malicious domains since January 1, 2024, targeting a broad range of services across the world, according to new findings from Palo Alto Networks Unit 42.
“Although these domains are registered through a Hong Kong-based registrar and use Chinese nameservers, the attack infrastructure is primarily hosted on popular U.S. cloud services,” security researchers Reethika Ramesh, Zhanhao Chen, Daiping Liu, Chi-Wei Liu, Shehroze Farooqi, and Moe Ghasemisharif said.
The activity has been attributed to a China-linked group known as the Smishing Triad, which is known to flood mobile devices with fraudulent toll violation and package misdelivery notices to trick users into taking immediate action and providing sensitive information.
These campaigns have proven to be lucrative, allowing the threat actors to make more than $1 billion over the last three years, according to a recent report from The Wall Street Journal.
In a report published earlier this week, Fortra said phishing kits associated with the Smishing Triad are being used to increasingly target brokerage accounts to obtain banking credentials and authentication codes, with attacks targeting these accounts witnessing a fivefold jump in the second quarter of 2025 compared to the same period last year.
“Once compromised, attackers manipulate stock market prices using ‘ramp and dump’ tactics,” security researcher Alexis Ober said. “These methods leave almost no paper trail, further heightening the financial risks that arise from this threat.”
The adversarial collective is said to have evolved from a dedicated phishing kit purveyor into a “highly active community” that brings together disparate threat actors, each of whom plays a crucial role in the phishing-as-a-service (PhaaS) ecosystem.
This includes phishing kit developers, data brokers (who sell target phone numbers), domain sellers (who register disposable domains for hosting the phishing sites), hosting providers (who provide servers), spammers (who deliver the messages to victims at scale), liveness scanners (who validate phone numbers), and blocklist scanners (who check the phishing domains against known blocklists for rotation).
The PhaaS ecosystem of the Smishing Triad
Unit 42’s analysis has revealed that nearly 93,200 of the 136,933 root domains (68.06%) are registered under Dominet (HK) Limited, a registrar based in Hong Kong. Domains with the prefix “com” account for a significant majority, although there has been an increase in the registration of “gov” domains in the past three months.
Of the identified domains, 39,964 (29.19%) were active for two days or less, 71.3% of them were active for less than a week, 82.6% of them were active for two weeks or less, and less than 6% had a lifespan beyond the first three months of their registration.
“This rapid churn clearly demonstrates that the campaign’s strategy relies on a continuous cycle of newly registered domains to evade detection,” the cybersecurity company noted, adding the 194,345 fully qualified domain names (FQDNs) used in the resolve to as many as 43,494 unique IP addresses, most of which are in the U.S. and hosted on Cloudflare (AS13335).
Some of the other salient aspects of the infrastructure analysis are below –
- The U.S. Postal Service (USPS) is the single most impersonated service with 28,045 FQDNs.
- Campaigns using toll services lures are the most impersonated category, with about 90,000 dedicated phishing FQDNs.
- The attack infrastructure for domains generating the largest volume of traffic is located in the U.S., followed by China and Singapore.
- The campaigns have mimicked banks, cryptocurrency exchanges, mail and delivery services, police forces, state-owned enterprises, electronic tolls, carpooling applications, hospitality services, social media, and e-commerce platforms in Russia, Poland, and Lithuania.
In phishing campaigns impersonating government services, users are often redirected to landing pages that claim unpaid toll and other service charges, in some cases even leveraging ClickFix lures to trick them into running malicious code under the pretext of completing a CAPTCHA check.
“The smishing campaign impersonating U.S. toll services is not isolated,” Unit 42 said. “It is instead a large-scale campaign with global reach, impersonating many services across different sectors. The threat is highly decentralized. Attackers are registering and churning through thousands of domains daily.”
