Smishing Triad expanding SMS phishing campaign
Campaign
Summary
The Smishing Triad is expanding an SMS phishing and fraud campaign that uses impersonation domains to steal data from individuals and organizations. The operation now mimics Fawry, Egypt Post, Careem, UnionPay and TikTok, broadening its lure set across consumer, payment and service brands. It also relies on Telegram promotion and customizable smishing kits that can be deployed quickly to virtual servers, increasing scale and speed.
Related Happenings
AI-assisted Truman Show investment fraud campaign
Campaign
First: 09.01.2026 13:00
Last: 09.01.2026 13:00
Sources 1
About this happening:
The **Truman Show** operation is an **AI-assisted investment fraud campaign** that uses **fake personas** and **attacker-controlled infrastructure** to lure victims into crypto sc...
TrickyWonders Wonderland distribution campaign targeting Uzbekistan users
Campaign
First: 22.12.2025 08:11
Last: 22.12.2025 08:11
Sources 1
About this happening:
The **TrickyWonders** campaign is distributing **Wonderland** through fake **Google Play** pages, **Facebook** ads, dating-app lures, and **Telegram**, expanding risk to **users i...
DoT active-SIM mandate for messaging apps
Public Sector Action
First: 02.12.2025 19:46
Last: 02.12.2025 19:46
Sources 1
About this happening:
**India's Department of Telecommunications (DoT)** ordered **app-based communication services** to keep users tied to an **active SIM card**, a move meant to reduce **phishing, sc...
Darcula 3.0 phishing-as-a-service ecosystem adds AI automation and anti-detection at scale
Threat Actor Meta
First: 25.11.2025 18:00
Last: 25.11.2025 18:00
Sources 1
How related:
Netcraft reports that an upgraded version, Darcula 3.0, introduced anti-detection features, an enhanced admin panel, a card-cloning tool and AI-driven automation that allows operators to build phishing pages with a single click.
About this happening:
**Darcula 3.0** has added **anti-detection features**, an enhanced admin panel, a card-cloning tool, and **AI-driven automation**, making phishing-page creation faster and easier...
Russia-aligned Signal linked-devices account hijacking campaign
Campaign
First: 25.11.2025 08:42
Last: 25.11.2025 08:42
Sources 1
About this happening:
**Multiple Russia-aligned threat actors** are running an active **Signal account hijacking** campaign that abuses the app's **linked devices** feature. The operation has been visi...
Timeline
- 25.11.2025 18:00 · 2 articles · 6mo ago
Smishing Triad expands fraudulent domains and Telegram smishing kits
Initial Disclosure
Dark Atlas identified a growing cluster of fraudulent domains impersonating Fawry, Egypt Post and Careem, and linked the broader Smishing Triad operation to additional pages spoofing UnionPay, TikTok and other services on shared hosting in AS132203 associated with Tencent’s facilities. The campaign relies on Telegram promotion and customizable phishing-as-a-service kits that can be rapidly deployed to virtual servers and automatically unpacked with templates for DHL, Evri, UPS, AT&T, Movistar, Vodafone, USPS, GOV.UK and Egypt Post. The same advisory also associates Darcula and Darcula 3.0 with large-scale spoofed domains, anti-detection features, a card-cloning tool and AI-driven automation.
Sources
- Smishing Triad Impersonation Campaigns Expand Globally — www.infosecurity-magazine.com — 25.11.2025 18:00