📃Title: Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Introduces New Banking Phishing Kit
📅Date: 2025-04-10
🔗References:
Description
The Chinese eCrime group Smishing Triad has launched a global SMS phishing campaign targeting over 121 countries across various industries. Their infrastructure generates over one million page visits in 20 days, averaging 50,000 daily. The group has introduced a new ‘Lighthouse’ phishing kit focusing on banking and financial organizations, particularly in Australia and the Asia-Pacific region. Smishing Triad claims to have ‘300+ front desk staff worldwide’ supporting their operations. They frequently rotate domains, with approximately 25,000 active during any 8-day period. The majority of phishing sites are hosted by Chinese companies Tencent and Alibaba. The campaign primarily targets postal, logistics, telecommunications, transportation, finance, retail, and public sectors.
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: campaign-analysis
- target: broad-based
- MY-relevancy: relevant
🔖MISP Galaxies:
- producer=Silent-Push
- target-information=“United States”
- target-information=“Argentina”
- target-information=“Australia”
- target-information=“Brazil”
- target-information=“British Indian Ocean Territory”
- target-information=“Canada”
- target-information=“China”
- target-information=“France”
- target-information=“Germany”
- target-information=“India”
- target-information=“Italy”
- target-information=“Japan”
- target-information=“Mexico”
- target-information=“Russia”
- target-information=“South Africa”
- target-information=“Spain”
- target-information=“United Kingdom”
- target-information=“Malaysia”
- mitre-attack-pattern=[‘T1583’, ‘T1566.002’, ‘T1608.004’, ‘T1586.002’, ‘T1583.001’, ‘T1589’, ‘T1585.002’, ‘T1589.002’, ‘T1584’, ‘T1586’, ‘T1608’, ‘T1566’, ‘T1585’, ‘T1584.001’]
MISP event uuid: 81e3d10d-a1e9-463d-8759-a1b878401655
Indicators of Compromise (IoCs)
Full IOCs available in Rectifyq’s MISP