📃Title: Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Introduces New Banking Phishing Kit
📅Date: 2025-04-10
🔗References:

Description

The Chinese eCrime group Smishing Triad has launched a global SMS phishing campaign targeting over 121 countries across various industries. Their infrastructure generates over one million page visits in 20 days, averaging 50,000 daily. The group has introduced a new ‘Lighthouse’ phishing kit focusing on banking and financial organizations, particularly in Australia and the Asia-Pacific region. Smishing Triad claims to have ‘300+ front desk staff worldwide’ supporting their operations. They frequently rotate domains, with approximately 25,000 active during any 8-day period. The majority of phishing sites are hosted by Chinese companies Tencent and Alibaba. The campaign primarily targets postal, logistics, telecommunications, transportation, finance, retail, and public sectors.

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer Silent-Push
  • target-information=“United States”
  • target-information=“Argentina”
  • target-information=“Australia”
  • target-information=“Brazil”
  • target-information=“British Indian Ocean Territory”
  • target-information=“Canada”
  • target-information=“China”
  • target-information=“France”
  • target-information=“Germany”
  • target-information=“India”
  • target-information=“Italy”
  • target-information=“Japan”
  • target-information=“Mexico”
  • target-information=“Russia”
  • target-information=“South Africa”
  • target-information=“Spain”
  • target-information=“United Kingdom”
  • target-information=“Malaysia”
  • mitre-attack-pattern=[‘T1583’, ‘T1566.002’, ‘T1608.004’, ‘T1586.002’, ‘T1583.001’, ‘T1589’, ‘T1585.002’, ‘T1589.002’, ‘T1584’, ‘T1586’, ‘T1608’, ‘T1566’, ‘T1585’, ‘T1584.001’]

MISP event uuid: 81e3d10d-a1e9-463d-8759-a1b878401655

Indicators of Compromise (IoCs)


Full IOCs available in Rectifyq's MISP