Smishing Triad evolves into a multi-role phishing-as-a-service ecosystem
Threat Actor Meta
Summary
Hide ▲
Show ▼
Smishing Triad has evolved from a phishing-kit purveyor into a multi-role phishing-as-a-service (PhaaS) ecosystem, making its smishing operation more scalable and harder to disrupt. The shift matters because the group now brings together developers, brokers, domain sellers, hosting providers, spammers, and scanners, spreading operational risk across a broader criminal supply chain. That ecosystemization helps sustain rapid domain churn, high-volume messaging, and wide-reaching impersonation campaigns.
Related Happenings
Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score69
First: 12.06.2026 21:59
Last: 12.06.2026 21:59
Sources 1
About this happening:
The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...
Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...
Sniper Dz free PhaaS ecosystem rebranded to scale phishing operations
Threat Actor Meta
H score43
First: 12.06.2026 11:52
Last: 12.06.2026 11:52
Sources 1
About this happening:
A long-running **Sniper Dz** ecosystem operated as a **free phishing-as-a-service (PhaaS)** platform that repeatedly rebranded, lowering the barrier for large-scale credential the...
Sniper Dz free PhaaS ecosystem rebranded to scale phishing operations
Threat Actor MetaAbout this happening: A long-running **Sniper Dz** ecosystem operated as a **free phishing-as-a-service (PhaaS)** platform that repeatedly rebranded, lowering the barrier for large-scale credential the...
Latest development: 15.06.2026 09:30
Fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations targeted users across the Middle East and North Africa with fake offers for free mobile internet packages, financial compensation, and government subsidy programs, then routed victims through Linkbio and Linktree decoy pages into Sniper Dz phishing and traffic monetization infrastructure that abuses browser notification permissions, back-button hijacking, tab-under redirections, premium SMS subscriptions, premium-rate calls, and investment scams.
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor Meta
H score24
First: 11.06.2026 19:50
Last: 11.06.2026 19:50
Sources 1
About this happening:
**Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor MetaAbout this happening: **Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
FIFA-themed phishing-as-a-service market selling scam kits and ticket-buying bots
Threat Actor Meta
H score42
First: 05.06.2026 10:01
Last: 05.06.2026 10:01
Sources 1
About this happening:
A **FIFA-themed phishing-as-a-service market** is selling **ready-made scam kits** and **ticket-buying bots**, lowering the barrier for fraud operators and making takedowns less e...
FIFA-themed phishing-as-a-service market selling scam kits and ticket-buying bots
Threat Actor MetaAbout this happening: A **FIFA-themed phishing-as-a-service market** is selling **ready-made scam kits** and **ticket-buying bots**, lowering the barrier for fraud operators and making takedowns less e...
Nimbus Manticore multi-wave aviation and software phishing and SEO poisoning campaign
Campaign
H score36
First: 26.05.2026 10:13
Last: 26.05.2026 10:13
Sources 1
About this happening:
Nimbus Manticore's **February-April 2026** campaign widened into **multi-wave phishing and SEO poisoning**, increasing risk to organizations in the **U.S., Europe, and the Middle...
Nimbus Manticore multi-wave aviation and software phishing and SEO poisoning campaign
CampaignAbout this happening: Nimbus Manticore's **February-April 2026** campaign widened into **multi-wave phishing and SEO poisoning**, increasing risk to organizations in the **U.S., Europe, and the Middle...
Timeline
-
24.10.2025 21:35 3 articles · 8mo ago
Smishing Triad evolves into a multi-role PhaaS ecosystem
Technical Analysis UpdateSmishing Triad is described as evolving from a dedicated phishing kit purveyor into a highly active community that coordinates phishing-as-a-service operations through specialized roles including kit developers, data brokers, domain sellers, hosting providers, spammers, liveness scanners, and blocklist scanners. The campaign infrastructure is tied to more than 194,000 malicious domains since January 1, 2024, with 194,345 FQDNs resolving to as many as 43,494 unique IP addresses, many hosted on U.S. cloud services despite Hong Kong-based registration signals.
Show sources
- Smishing Triad Linked to 194,000 Malicious Domains in Global Phishing Operation — thehackernews.com — 24.10.2025 21:35
- Google Sues to Disrupt Chinese SMS Phishing Triad — krebsonsecurity.com — 13.11.2025 16:47
- Smishing Triad Linked to 194,000 Malicious Domains in Global Phishing Operation — thehackernews.com — 24.10.2025 21:35