The China-linked threat collective known as Smishing Triad has been tied to more than 194 000 malicious domains used in a global mobile-phishing operation, according to new research by Palo Alto Networks Unit 42.
Researchers Reethika Ramesh, Zhanhao Chen, Daiping Liu, Chi-Wei Liu, Shehroze Farooqi and Moe Ghasemisharif report that the campaign’s infrastructure, observed since January 2024, relies on the Hong Kong-based registrar Dominet (HK) Limited for about 68 percent of registrations, while hosting sits largely with U.S. providers, notably Cloudflare. Unit 42’s dataset comprised 194 345 fully qualified domain names resolving to 43 494 unique IP addresses, a ratio of roughly four to five domains per address that points to heavy reuse of hosting infrastructure across domains.
The group’s phishing templates impersonate delivery services, banks and government toll systems. The most abused brand was the U.S. Postal Service (USPS), with 28 045 domains, and nearly 90 000 domains carried toll-payment lures. More than 70 percent of the domains were live for less than a week before the operators rotated to new ones; Unit 42 characterizes this churn as a deliberate tactic to outrun blocklists and network filters. The practical consequence for defenders is that reputation feeds will always lag a campaign built this way, so a domain’s first-seen date and brand-lookalike patterns in its name are the signals worth alerting on, rather than its presence on a list.
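As an added illustration (not code from Unit 42 or from the report), the following Python script applies the two characteristics described above, brand impersonation in the hostname and a lifetime of under a week, to a small set of constructed passive-DNS-style records, and also groups lookalike domains by the IP they resolve to, since the report’s domain-to-IP ratio implies shared hosting. The record format, the seven-day threshold, the brand tokens, the allowlist and every domain, registrar value and IP in the sample are assumptions made for the example; the IPs are RFC 5737 documentation addresses and none of the domains refer to real infrastructure.

```python
"""Flag short-lived brand-impersonation domains from passive-DNS-style records.

Added example, not code from Unit 42 or the report. Record format, thresholds,
brand tokens and sample data are assumptions for illustration only.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample observations (not real data): domains are invented and
# IPs are RFC 5737 documentation addresses.
SAMPLE_CSV = """domain,registrar,ip,first_seen,last_seen
usps-redelivery-parcel.top,Dominet (HK) Limited,192.0.2.10,2025-03-01,2025-03-04
us-ps-track4423.cc,Dominet (HK) Limited,192.0.2.10,2025-03-03,2025-03-05
ezpass-toll-notice.vip,Dominet (HK) Limited,192.0.2.11,2025-03-05,2025-03-09
fastrak-bill-pay.xyz,Other Registrar,192.0.2.11,2025-03-05,2025-03-25
example-bakery.com,Other Registrar,198.51.100.7,2024-01-10,2025-03-10
usps.com,Other Registrar,203.0.113.5,2024-01-01,2025-03-10
"""

# USPS and toll operators are the lures named in the report; the specific
# toll-brand tokens chosen here are illustrative assumptions.
BRAND_TOKENS = {"usps": "USPS", "ezpass": "E-ZPass", "fastrak": "FasTrak", "toll": "toll payment"}

# Legitimate domains that must never be flagged (assumed allowlist).
ALLOWLIST = {"usps.com"}


@dataclass(frozen=True)
class DnsRecord:
    domain: str
    registrar: str
    ip: str
    first_seen: date
    last_seen: date


def parse_records(text: str) -> List[DnsRecord]:
    """Parse CSV observations (one resolution history per line) into records."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append(DnsRecord(
            domain=row["domain"].strip().lower(),
            registrar=row["registrar"],
            ip=row["ip"],
            first_seen=date.fromisoformat(row["first_seen"]),
            last_seen=date.fromisoformat(row["last_seen"]),
        ))
    return out


def lifetime_days(rec: DnsRecord) -> int:
    """Observed lifetime: days between first and last resolution."""
    return (rec.last_seen - rec.first_seen).days


def brand_hit(domain: str) -> Optional[str]:
    """Return the impersonated brand if a watched token appears in the hostname.

    Hyphens and digits are stripped first because kits generate variants such
    as us-ps-track4423; the final label (public suffix) is not searched.
    """
    labels = domain.split(".")[:-1]
    squashed = "".join(ch for ch in "".join(labels) if ch.isalpha())
    for token, brand in BRAND_TOKENS.items():
        if token in squashed:
            return brand
    return None


def flag_domains(records: List[DnsRecord], max_days: int = 7) -> List[dict]:
    """Flag domains that impersonate a watched brand AND lived under max_days.

    The default threshold mirrors the report's finding that most campaign
    domains rotate within a week; requiring both conditions keeps noise down.
    """
    flagged = []
    for rec in records:
        if rec.domain in ALLOWLIST:
            continue
        brand = brand_hit(rec.domain)
        days = lifetime_days(rec)
        if brand and days < max_days:
            flagged.append({"domain": rec.domain, "brand": brand, "lifetime_days": days,
                            "registrar": rec.registrar, "ip": rec.ip})
    return flagged


def shared_ips(records: List[DnsRecord], min_domains: int = 2) -> Dict[str, List[str]]:
    """Group lookalike domains by resolved IP; several on one address suggest one kit."""
    by_ip = defaultdict(list)
    for rec in records:
        if rec.domain not in ALLOWLIST and brand_hit(rec.domain):
            by_ip[rec.ip].append(rec.domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    for hit in flag_domains(recs):
        print(hit)
    print(shared_ips(recs))
```

Against the sample, the three USPS and E-ZPass lookalikes that lived under a week are flagged while the longer-lived FasTrak domain and the legitimate usps.com are not; raising `max_days` to 30 also catches the FasTrak domain, which is the trade-off between coverage and false positives a real feed forces. In production the records would come from a passive-DNS or certificate-transparency source and the brand list from the organisation’s own protected-brand inventory.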
The report adds that Smishing Triad has expanded beyond distributing phishing kits into a broader phishing-as-a-service (PhaaS) model. Its ecosystem now includes kit developers, data brokers, hosting providers, bulk spammers and “liveness scanners” that confirm a phone number is active before messages are sent at scale. Domains also impersonate financial and public-sector services in Russia, Poland and Lithuania to harvest credentials and two-factor authentication codes.
Complementary findings from Fortra indicate that Smishing Triad’s kits are increasingly aimed at brokerage accounts, with attempted credential theft rising five-fold between Q2 2024 and Q2 2025. Analyst Alexis Ober noted that attackers use the stolen accounts to manipulate stock prices in so-called “ramp and dump” schemes that leave little forensic evidence.
Unit 42 concludes that the operation is a “highly decentralized global campaign” with new domains registered daily and constant infrastructure turnover, showing how phishing services continue to industrialize through automation and cross-border collaboration.