Chinese eCrime Hacker Group Attacking Users in 120+ Countries to Steal Banking Credentials

A sophisticated Chinese eCrime group known as “Smishing Triad” has expanded its operations to target organizations and individuals across at least 121 countries worldwide.

The group, active since 2023, has systematically targeted multiple industries including postal services, logistics, telecommunications, transportation, retail, and public sectors through SMS phishing (“smishing”) campaigns.

These attacks have reached unprecedented scale, with researchers estimating that tens of thousands of malicious websites are active on any given day.


Initially focused on package delivery and government service lures, Smishing Triad has recently pivoted to banking credential theft.

The group sends fraudulent SMS messages containing phishing links that redirect victims to convincing replicas of legitimate websites.

These messages often create urgency by claiming issues with package deliveries or pending toll payments, prompting users to click malicious links.

The group rotates domains frequently, with approximately 25,000 domains online during any 8-day period to evade detection and blocking.

In a concerning development, Silent Push analysts identified in March 2025 that Smishing Triad is now targeting major financial institutions with a new phishing kit dubbed “Lighthouse.”

This sophisticated tool focuses primarily on Australian financial institutions and major Western banks.

The group boasts “300+ front desk staff worldwide” supporting their fraud operations, suggesting a highly organized criminal enterprise with significant resources.

More than half of their phishing infrastructure is hosted by Chinese companies Tencent and Alibaba.

The Lighthouse Banking Phishing Kit

The Lighthouse phishing kit represents a significant evolution in Smishing Triad’s capabilities.

According to leaked Telegram communications from the developer “Wang Duo Yu,” the kit provides “real-time synchronization, one-click setup, one-click update, automatic diversion,” and multiple verification methods including OTP verification, app verification, PIN verification, and 3DS verification.

Technical analysis of the JavaScript file (index-D76-mPwS.js) associated with Lighthouse reveals targeting parameters for numerous financial institutions including PayPal, Mastercard, Visa, HSBC, and several Australian banks.

The kit creates convincing replicas of banking interfaces, complete with sophisticated multi-stage verification processes.

Lighthouse interface (Source – Silent Push)

The phishing administration panel allows attackers to customize directory structures, implement country-based IP filtering, and adjust payment amounts demanded from victims.

The interface includes options for mobile-only rendering, reflecting the campaign’s focus on smartphones.

The kit’s session management capabilities track victim progress through the phishing flow, with Chinese-language status messages in the JavaScript indicating: “当前正在首页” (Currently on the home page), “当前已填写完成” (Currently completed filling out), and “当前正在填卡页面” (Currently on the card filling page).
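The status strings quoted above can serve as content indicators when triaging JavaScript captured from a suspected phishing page. The following is an added example, not code from Silent Push or from the kit; the verdict thresholds and the sample inputs are assumptions constructed for illustration.

```python
import re

# Status strings quoted in the article from the Lighthouse JavaScript.
STATUS_MARKERS = {
    "当前正在首页": "on home page",
    "当前已填写完成": "finished filling out",
    "当前正在填卡页面": "on card-entry page",
}
# Brands the article lists among the kit's targeting parameters.
BRANDS = ("PayPal", "Mastercard", "Visa", "HSBC")
_U_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def normalize_js(raw: bytes) -> str:
    """Decode a JS body and expand \\uXXXX escapes that bundlers may emit."""
    text = raw.decode("utf-8", errors="replace")
    return _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def triage_js(raw: bytes) -> dict:
    """Report which markers and brand names appear in a captured JS body."""
    text = normalize_js(raw)
    markers = [m for m in STATUS_MARKERS if m in text]
    brands = [b for b in BRANDS if re.search(rf"\b{b}\b", text, re.I)]
    # Assumed rule: status strings are the signal; brand names alone are
    # common in legitimate payment code and never raise the verdict.
    if len(markers) >= 2:
        verdict = "likely-lighthouse"
    elif markers:
        verdict = "review"
    else:
        verdict = "no-match"
    return {"verdict": verdict, "markers": markers, "brands": brands}


# Constructed samples (not real kit code).
SAMPLE_PLAIN = (
    'const s={0:"当前正在首页",1:"当前正在填卡页面"};const b=["HSBC","PayPal"];'
).encode("utf-8")
SAMPLE_ESCAPED = (
    'status="' + "".join(f"\\u{ord(c):04x}" for c in "当前已填写完成") + '"'
).encode("ascii")
SAMPLE_BENIGN = b'const methods=["Visa","Mastercard"];'

if __name__ == "__main__":
    for name, body in [("plain", SAMPLE_PLAIN), ("escaped", SAMPLE_ESCAPED),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, triage_js(body))
```

Expanding the `\uXXXX` escapes before matching matters because a bundled script may carry the Chinese strings in escaped form, where a raw byte search would miss them.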

Organizations are advised to implement multi-factor authentication and educate users about smishing threats to mitigate these increasingly sophisticated attacks targeting financial credentials.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.