Smishing Triad evolves into a multi-role phishing-as-a-service ecosystem
Threat Actor Meta
Summary
Smishing Triad has evolved from a phishing-kit purveyor into a multi-role phishing-as-a-service (PhaaS) ecosystem, making its smishing operation more scalable and harder to disrupt. The shift matters because the group now brings together developers, brokers, domain sellers, hosting providers, spammers, and scanners, spreading operational risk across a broader criminal supply chain. That ecosystem structure helps sustain rapid domain churn, high-volume messaging, and wide-reaching impersonation campaigns.
Related Happenings
Nimbus Manticore multi-wave aviation and software phishing and SEO poisoning campaign
Campaign
First: 26.05.2026 10:13
Last: 26.05.2026 10:13
Sources 1
About this happening:
Nimbus Manticore's **February-April 2026** campaign widened into **multi-wave phishing and SEO poisoning**, increasing risk to organizations in the **U.S., Europe, and the Middle...
TeamPCP supply-chain ecosystem shift and extortion partnerships
Threat Actor Meta
First: 22.05.2026 14:55
Last: 22.05.2026 14:55
Sources 1
About this happening:
**TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...
Lucifer DaaS’s evolution into a commission-based drainer service platform
Threat Actor Meta
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
**Lucifer DaaS** has evolved into a **structured underground drainer platform**, shifting wallet theft from isolated phishing pages to a commission-based service model that scales...
CL-CRI-1116 / BlackFile overlap with The Com
Threat Actor Meta
First: 27.04.2026 11:15
Last: 27.04.2026 11:15
Sources 1
About this happening:
Researchers linked **CL-CRI-1116** to overlapping labels including **BlackFile**, **UNC6671**, and **Cordial Spider**, suggesting the extortion cluster sits inside a broader **The...
Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
Campaign
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
About this happening:
The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...
Timeline
- 24.10.2025 21:35 · 3 articles · 7mo ago
Smishing Triad evolves into a multi-role PhaaS ecosystem
Technical Analysis Update: Smishing Triad is described as evolving from a dedicated phishing kit purveyor into a highly active community that coordinates phishing-as-a-service operations through specialized roles including kit developers, data brokers, domain sellers, hosting providers, spammers, liveness scanners, and blocklist scanners. The campaign infrastructure is tied to more than 194,000 malicious domains since January 1, 2024, with 194,345 FQDNs resolving to as many as 43,494 unique IP addresses, many hosted on U.S. cloud services despite Hong Kong-based registration signals.
Sources:
- Smishing Triad Linked to 194,000 Malicious Domains in Global Phishing Operation — thehackernews.com — 24.10.2025 21:35
- Google Sues to Disrupt Chinese SMS Phishing Triad — krebsonsecurity.com — 13.11.2025 16:47