Researchers track surge in high-level Smishing Triad activity | CyberScoop<\/title> <meta name=\"description\" content=\"The China-linked operation has grown from a phishing kit marketplace into an active and growing community supporting a decentralized large-scale phishing ecosystem.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/unit-42-chinese-language-phishing-operation-smishing-triad\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Researchers track surge in high-level Smishing Triad activity\"> <meta property=\"og:description\" content=\"The China-linked operation has grown from a phishing kit marketplace into an active and growing community supporting a decentralized large-scale phishing ecosystem.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/unit-42-chinese-language-phishing-operation-smishing-triad\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-10-23T10:00:00+00:00\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/researchers-track-surge-in-high-level-smishing-triad-activity-2.jpg\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1759256725g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1761070183g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/86461\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=86461\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Funit-42-chinese-language-phishing-operation-smishing-triad%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Funit-42-chinese-language-phishing-operation-smishing-triad%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-86461 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/unit-42-chinese-language-phishing-operation-smishing-triad\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.368539325843\">\n<div class=\"single-article__header-content\" readability=\"34.375296912114\">\n<p> The China-linked operation has grown from a phishing kit marketplace into an active and growing community supporting a decentralized large-scale phishing ecosystem. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/86461\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/researchers-track-surge-in-high-level-smishing-triad-activity.jpg?resize=640%2C360&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"Phishing (Getty Images)\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/researchers-track-surge-in-high-level-smishing-triad-activity-2.jpg 3840w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/researchers-track-surge-in-high-level-smishing-triad-activity-2.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/researchers-track-surge-in-high-level-smishing-triad-activity-2.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/researchers-track-surge-in-high-level-smishing-triad-activity-2.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/researchers-track-surge-in-high-level-smishing-triad-activity-2.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/researchers-track-surge-in-high-level-smishing-triad-activity-2.jpg?resize=2048,1152 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/researchers-track-surge-in-high-level-smishing-triad-activity-2.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/researchers-track-surge-in-high-level-smishing-triad-activity-2.jpg?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/researchers-track-surge-in-high-level-smishing-triad-activity-2.jpg?resize=1500,843 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> Phishing (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"53.586821384169\"><body readability=\"108.91164289001\"><\/p>\n<p>Researchers have uncovered a long-running phishing campaign that uses text messages to trick victims, and it\u2019s both bigger and more complex than previously thought. The operation, dubbed Smishing Triad, is managed in Chinese and involves thousands of malicious actors, including dozens of active, high-level participants, Palo Alto Networks\u2019 research unit told CyberScoop.<\/p>\n<p>Unit 42 has traced about 195,000 domains to the highly decentralized phishing operation since January 2024. Researchers say more than two-thirds of the malicious domains are registered through Hong Kong-based registrar Dominet (HK) Limited using China-based domain name system infrastructure.<\/p>\n<p>Most of the attack domains (58%) are hosted on U.S.-based IP addresses, while 21% are hosted in China and 19% reside in Singapore. The <a href=\"https:\/\/unit42.paloaltonetworks.com\/global-smishing-campaign\">global phishing operation<\/a> is designed to collect sensitive information, including national identification numbers, home addresses, financial details and credentials, according to Unit 42.<\/p>\n<p>The malicious domains, which include hyphenated strings followed by a top-level domain, trick victims into thinking they are visiting a legitimate site. These domains impersonate services across many critical sectors including <a href=\"https:\/\/cyberscoop.com\/toll-road-text-message-scam-swells-nationwide-how-to-stop\/\">toll road services<\/a>, multinational financial service and investment firms, e-commerce markets and cryptocurrency exchanges, health care organizations, law enforcement agencies and social media platforms.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Smishing Triad has changed its tactics over time and brought in a range of specialists to support its operations. These include data brokers, domain sellers, hosting providers, phishing kit developers, platform providers, spammers who deliver the phishing lures via mobile messaging apps, and support staff who verify which phone numbers are active and can be targeted.<\/p>\n<p>The group\u2019s Chinese language Telegram channel has attracted many associates because the underlying infrastructure is effective, and other threat groups rely on the phishing kits sold for widespread use as well, said Zhanhao Chen, principal researcher at Palo Alto Networks.<\/p>\n<p>The operation began as a dedicated phishing kit marketplace and has grown into an active community supporting a large-scale phishing ecosystem.<\/p>\n<p>Smishing Triad\u2019s Telegram channel has evolved from a dedicated phishing kit marketplace to an active community over the past six months, attracting threat actors across the phishing ecosystem.<\/p>\n<p>Unit 42 doesn\u2019t know how many people have received phishing messages from this operation. Yet, researchers have traced part of the group\u2019s infrastructure and domains, which phishing kits are being used, how much traffic they get, and which targets are being focused on by tracking changes in domain-naming conventions. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cWe don\u2019t necessarily know how many victims we can attribute to this technology or this group,\u201d said Reethika Ramesh, senior staff researcher at Palo Alto Networks. \u201cBut we know that the number of domains is growing on a daily basis and they\u2019re churning through different infrastructure, and that most of the query volume for the domains were towards domains hosted on U.S. IP addresses.\u201d<\/p>\n<p>The U.S. Postal Service is the most impersonated service, spanning more than 28,000 domains, according to researchers. Toll road agencies account for the most impersonated category, with these services traced to nearly 90,000 domains.<\/p>\n<p>Unit 42 said the operation is active and evolving, as researchers have observed a significant jump in the registration of domain prefixes containing gov, as evidenced by a shift toward impersonating the Internal Revenue Services and U.S. state tax agencies during the past couple months. Researchers have traced more than 37,000 new domains to the campaign since June. <\/p>\n<p>The lifespan of the domains traced to Smishing Triad is short \u2014 29% were active for less than two days, 71% were in use for less than a week and 83% were disposed within two weeks, according to Unit 42.<\/p>\n<p>The real-world consequences of the operation are difficult to track and likely delayed, as the phishing sites are largely designed to steal data for potential follow-on attacks. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cWe don\u2019t know how many messages they\u2019re sending out or how many people are receiving them,\u201d Ramesh said. \u201cThey\u2019re definitely harvesting the data for later use.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.7390396659708\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/researchers-track-surge-in-high-level-smishing-triad-activity-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/unit-42-chinese-language-phishing-operation-smishing-triad\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers track surge in high-level Smishing Triad activity | CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[78,5279,1807,715,60,3627,256,5280,3795,5281,288,183],"tags":[86,5282,1810,720,67,3630,262,5283,3796,5284,294,207],"class_list":["post-8103","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-domains","category-exclusive","category-palo-alto-networks","category-phishing","category-phishing-kit","category-research","category-smishing-triad","category-sms","category-text-message","category-threats","category-unit-42","tag-cybersecurity","tag-domains","tag-exclusive","tag-palo-alto-networks","tag-phishing","tag-phishing-kit","tag-research","tag-smishing-triad","tag-sms","tag-text-message","tag-threats","tag-unit-42"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/domains\/\" rel=\"category tag\">domains<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/exclusive\/\" rel=\"category tag\">Exclusive<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/palo-alto-networks\/\" rel=\"category tag\">Palo Alto Networks<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/phishing\/\" rel=\"category tag\">phishing<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/phishing-kit\/\" rel=\"category tag\">phishing kit<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/smishing-triad\/\" rel=\"category tag\">Smishing Triad<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sms\/\" rel=\"category tag\">SMS<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/text-message\/\" rel=\"category tag\">text message<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/unit-42\/\" rel=\"category tag\">Unit 42<\/a>","tag_info":"Unit 42","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8103"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8103\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8103,"date":"2025-10-23T05:00:00","date_gmt":"2025-10-23T10:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=86461"},"modified":"2025-10-23T05:00:00","modified_gmt":"2025-10-23T10:00:00","slug":"researchers-track-surge-in-high-level-smishing-triad-activity","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/10\/23\/researchers-track-surge-in-high-level-smishing-triad-activity\/","title":{"rendered":"Researchers track surge in high-level Smishing Triad activity"},"content":{"rendered":"