Severity
High
Analysis Summary
A Chinese cybercrime group known as the Smishing Triad has launched a massive global cyberattack, targeting users in over 120 countries through sophisticated SMS phishing (smishing) campaigns. Security researchers uncovered that the group’s operations span industries such as banking, logistics, telecommunications, and government sectors, aiming to steal sensitive banking credentials by luring victims to fraudulent websites.
The Smishing Triad operates a constantly rotating infrastructure of around 25,000 phishing domains, typically active for eight-day periods, with over a million page visits recorded in less than three weeks. Their latest tool, the Lighthouse phishing kit, was introduced in March 2025 via a Telegram channel by a developer named Wang Duo Yu. Lighthouse offers features like one-click setup, real-time synchronization between front-end and back-end systems, and sophisticated mechanisms to bypass security measures including OTP, PIN, and 3DS verifications. Sold to other malicious actors through Telegram, the toolkit broadens the campaign’s reach.
Over 50% of the phishing domains are hosted by Chinese providers Tencent and Alibaba. Domains are frequently rotated to evade detection, demonstrating the group’s adaptability. Victims are typically lured via SMS messages impersonating legitimate services like postal agencies, banks, and toll systems. Major brands targeted include USPS, HSBC, PayPal, Mastercard, ANZ, Commonwealth Bank, and Westpac.
Researchers traced the Lighthouse kit and earlier phishing tools back to Wang Duo Yu, noting the Chinese-language text in their development. The campaigns are supported by a reported workforce of over 300 individuals. Initially focused on Australia, the attacks have rapidly expanded across North and South America, Europe, Asia-Pacific, and the Middle East.
Experts emphasize the need for heightened vigilance against phishing attempts and call for international cooperation to combat increasingly sophisticated global cybercrime threats.
Impact
- Financial Loss
- Credential Theft
- Sensitive Data Theft
Indicators of Compromise
Domain Name
Remediation
- Download apps exclusively from trusted sources like the official Google Play Store; avoid third-party app stores and unknown websites.
- Disable the "Unknown Sources" option in your device settings to prevent unauthorized app installations.
- Regularly update your Android system and applications to ensure the latest security patches are applied.
- Enable "Google Play Protect" to scan and remove potentially harmful apps from your device.
- Be cautious with unsolicited messages or emails, especially those containing links or requesting personal information.
- Avoid clicking on suspicious links or downloading files from unknown sources.
- Use strong, unique passwords for your device and accounts; avoid easily guessable information.
- Regularly back up your device data to secure locations to prevent data loss in case of infection.
- If you suspect your device is infected with malware like SpyNote, perform a factory reset to remove the threat.
- Implement robust endpoint security solutions for real-time monitoring and threat detection.
- Configure firewalls to block outbound communication to known malicious IP addresses and domains.
- Conduct regular vulnerability assessments and penetration testing to identify and remediate security weaknesses.
- Develop a comprehensive incident response plan outlining steps to take in case of a malware infection.
- Provide security awareness and training programs to educate users about phishing and social engineering attacks.
- Employ application whitelisting to allow only approved applications to run on endpoints.
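As an added defender-side example (not code from the advisory or its researchers), the Python below triages resolver-log queries using the campaign traits described in the analysis and the firewall/DNS blocking step above: labels that are near-miss spellings of the impersonated brands, the cheap TLDs that dominate the indicator list, and domains absent from a recent baseline. The log lines, the baseline and the two postal brands not named in the advisory are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
# Brands the advisory names as impersonated, plus postal operators added here as an assumption.
BRANDS = ["usps", "hsbc", "paypal", "mastercard", "anz", "commbank", "westpac",
          "auspost", "canadapost", "aramex", "chronopost"]
# TLDs that dominate the advisory's indicator list; a scoring hint, not a blocklist.
CHEAP_TLDS = {"top", "icu", "cc", "lol", "cfd", "xin", "click", "site", "blog", "asia"}

# Constructed resolver log (not from the advisory): "<timestamp> <client> query <qname>".
LOG_LINES = """\
2025-04-15T09:12:01Z 10.0.0.23 query auspoust.cc
2025-04-15T09:12:05Z 10.0.0.23 query auspost.com
2025-04-15T09:13:44Z 10.0.0.41 query canada-apoost.com
2025-04-15T09:14:02Z 10.0.0.41 query paypal.com
2025-04-15T09:15:10Z 10.0.0.57 query weather.example""".splitlines()
# Domains resolved during the previous 30 days (constructed baseline).
BASELINE = {"auspost.com", "paypal.com"}

def registrable(domain):
    """(second-level label, tld); simplification: ignores multi-part suffixes such as co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def closest_brand(label):
    """Drop digits and hyphens, then find the brand with the highest similarity ratio."""
    core = re.sub(r"[^a-z]", "", label)
    ratio, brand = max((SequenceMatcher(None, core, b).ratio(), b) for b in BRANDS)
    return brand, ratio, core

def assess(domain, baseline):
    """Score one domain; two or more independent signals mark it suspect."""
    label, tld = registrable(domain)
    brand, ratio, core = closest_brand(label)
    reasons = []
    if ratio >= 0.75 and core != brand:  # near-miss spelling of a brand, never the brand itself
        reasons.append(f"lookalike of {brand} ({ratio:.2f})")
    if tld in CHEAP_TLDS:
        reasons.append(f"tld .{tld} common in campaign")
    if domain not in baseline:
        reasons.append("not in 30-day baseline")
    return {"domain": domain, "reasons": reasons, "suspect": len(reasons) >= 2}

def triage(lines, baseline):
    """Parse resolver log lines and return (client, verdict) for every suspect query, in log order."""
    findings = []
    for line in lines:
        m = re.match(r"(\S+) (\S+) query (\S+)$", line)
        if m and (verdict := assess(m.group(3), baseline))["suspect"]:
            findings.append((m.group(2), verdict))
    return findings
```

A legitimate brand domain that is already in the baseline scores zero, so the rule only surfaces new lookalikes rather than every query that mentions a bank or postal operator.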