Concise Cyber

Smishing Triad Linked to 194,000 Malicious Domains in Billion-Dollar Phishing Operation

A large-scale, ongoing smishing campaign has been attributed to a threat group known as the Smishing Triad. According to new research from Palo Alto Networks Unit 42, the group has used more than 194,000 malicious domains since January 1, 2024. The operation is global and impersonates a wide variety of services in order to deceive users and harvest sensitive information.

The findings, published on October 24, 2025, describe the infrastructure built to support this high-volume operation. The campaign has proven highly profitable for the perpetrators, underlining the financial motivation behind modern smishing attacks.

Attack Infrastructure and Attribution

The activity is linked to a China-based group, the Smishing Triad. Security researchers Reethika Ramesh, Zhanhao Chen, Daiping Liu, Chi-Wei Liu, Shehroze Farooqi, and Moe Ghasemisharif provided details on the operation’s technical backbone. “Although these domains are registered through a Hong Kong-based registrar and use Chinese nameservers, the attack infrastructure is primarily hosted on popular U.S. cloud services,” the researchers stated. This split matters for defenders: because the phishing pages are served from mainstream U.S. cloud providers, blocking by hosting provider or by country of origin would not on its own stop the campaign, while the registrar and nameserver choices are the more distinctive fingerprint of the infrastructure.

Tactics and Financial Impact

The Smishing Triad’s primary tactic is to flood mobile devices with fraudulent text messages. Common lures include fake toll violation warnings and package misdelivery notices. The messages create a sense of urgency to trick recipients into clicking a malicious link and entering personal and financial data on a phishing page. These campaigns have been remarkably lucrative: the report indicates that the group has made more than $1 billion from smishing over the last three years, highlighting the severe financial threat these operations pose to the public.
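The lure pattern described above (a toll or delivery pretext, an urgency cue, and a link to a domain the impersonated service does not own) can be turned into a simple triage heuristic. The script below is an added illustration, not code from Unit 42 or from the report: the keyword lists, the `TRUSTED_DOMAINS` allowlist and the four sample messages are constructed assumptions for the example, and a real deployment would replace them with the brand's verified sender domains and a Public Suffix List based domain check.

```python
"""Heuristic smishing triage over SMS text.

Added example; not Unit 42 code. Keyword lists, allowlist and sample
messages are constructed assumptions for illustration only.
"""
import re
from dataclasses import dataclass, field

# Hypothetical allowlist: domains the impersonated services really text from.
TRUSTED_DOMAINS = {"shop.example.com", "example.com"}

# Two lure vocabularies matching the lures named in the report (toll violation,
# package misdelivery). The words themselves are an assumption for this example.
LURE_TERMS = {
    "toll": ("toll", "violation", "unpaid"),
    "package": ("package", "parcel", "misdeliver", "redeliver",
                "delivery failed", "could not be delivered", "incomplete address"),
}
URGENCY_TERMS = ("immediately", "within 24 hours", "final notice",
                 "suspend", "penalty", "legal action", "today")

# Deliberately simple URL matcher: optional scheme, then a dotted host.
URL_RE = re.compile(
    r"(?i)\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d+)?(?:/[^\s]*)?")

# Constructed sample traffic: two smishing lures and two benign texts.
SAMPLE_MESSAGES = [
    "FINAL NOTICE: You have an unpaid toll violation. Pay within 24 hours "
    "to avoid penalty: https://toll-pay-notice.example/pay",
    "Your package could not be delivered due to an incomplete address. "
    "Update here: http://parcel-redelivery.example/track",
    "Your order has shipped. Tracking: https://shop.example.com/orders",
    "Running late, see you at 7",
]


@dataclass
class Verdict:
    score: int
    verdict: str
    hosts: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def extract_hosts(text):
    """Return lowercased hostnames of every link found in the message."""
    return [m.group(1).lower() for m in URL_RE.finditer(text)]


def is_trusted(host):
    """Exact match or subdomain of an allowlisted domain (naive suffix check)."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def score_sms(text, threshold=4):
    """Score one SMS: +2 per lure category, up to +2 for urgency cues,
    +1 for any link, +2 more if a linked host is not allowlisted."""
    t = text.lower()
    score, reasons = 0, []
    for lure, terms in LURE_TERMS.items():
        if any(term in t for term in terms):
            score += 2
            reasons.append(f"lure:{lure}")
    urgency_hits = [u for u in URGENCY_TERMS if u in t]
    if urgency_hits:
        score += min(len(urgency_hits), 2)
        reasons.append("urgency:" + ",".join(urgency_hits))
    hosts = extract_hosts(text)
    if hosts:
        score += 1
        reasons.append("has_link")
        untrusted = [h for h in hosts if not is_trusted(h)]
        if untrusted:
            score += 2
            reasons.append("untrusted_host:" + ",".join(untrusted))
    label = "smishing" if score >= threshold else "benign"
    return Verdict(score, label, hosts, reasons)


def triage(messages):
    """Score a batch of messages and return the verdicts in order."""
    return [score_sms(m) for m in messages]


if __name__ == "__main__":
    for msg, v in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(f"[{v.verdict:8}] score={v.score} {v.reasons} :: {msg[:60]}")
```

The untrusted-host signal carries the most weight on purpose: the lure text changes from campaign to campaign, but a link to a freshly registered look-alike domain is the part of the message the attacker cannot avoid, and it is also the indicator that feeds naturally into domain blocklists and registrar or nameserver based hunting.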

Source: https://thehackernews.com/2025/10/smishing-triad-linked-to-194000.html