Global smishing campaigns linked to Chinese cybercriminals escalate with Smishing Triad’s new tools and techniques
Analysis Summary
# Threat Actor: Smishing Triad / Panda Shop
## Attribution & Identity
* **Identification:** A cybercriminal network first identified in 2023, described as Chinese cybercriminals operating a sophisticated "Crime-as-a-Service" ecosystem.
* **Known Aliases and Associated Groups:** The operation has rebranded or spawned a new iteration known as **"Panda Shop,"** which is a rebranded smishing kit bearing the hallmarks of the original Smishing Triad.
## Activity Summary
The Smishing Triad is escalating its global attacks with new tools and upgraded infrastructure. The group and its affiliates run extensive smishing campaigns using the new "Panda Shop" kit. The volume of activity is substantial: one actor reportedly sends **2 million smishing messages daily**, for an estimated reach of **60 million victims per month**.
## Tactics, Techniques & Procedures
* **Smishing/Phishing:** Primary technique used to distribute deceptive messages.
* **Brand Impersonation:** Utilizing templates to mimic global brands like AT&T, DHL, and Vodafone.
* **Multi-Channel Messaging:** Sending messages via Apple iMessage, Android RCS, and standard SMS gateways.
* **Automation:** Use of interactive Telegram bots for smishing automation.
* **Data Harvesting:** Campaigns are specifically aimed at harvesting personal and financial data.
* **Compromised Account Usage:** Using compromised Apple and Gmail accounts to distribute malicious content at scale.
## Targeting
* **Sectors:** Consumers, inferred from the global brands being impersonated (e.g., telecom, shipping/logistics).
* **Geography:** Global attacks (implied by the targeting of international brands like AT&T, DHL, Vodafone).
* **Victims:** Unsuspecting consumers targeted for personal and financial data theft.
## Tools & Infrastructure
* **Malware Families Used:** Not explicitly named, but the toolset is described as the **"Panda Shop" smishing kit**.
* **Infrastructure (C2, domains, IPs):**
  * Interactive **Telegram bots** for automation management.
  * Web-based **dashboards** for managing stolen data collection.
  * Templates tailored to international brands.
## Implications
The evolution of the Smishing Triad toolset into the "Panda Shop" ecosystem indicates a mature and professionalized criminal enterprise (Crime-as-a-Service). The automation (Telegram bots) and ease of use suggest a highly scalable operation capable of reaching tens of millions of potential victims monthly, increasing the risk surface for global consumer fraud and data theft.
## Mitigations
* **User Education:** Increased user awareness regarding suspicious messages, especially those demanding personal or financial data, even if they appear to come from trusted brands.
* **Security Monitoring:** Monitoring for high-volume smishing traffic across official SMS/RCS channels.
* **Account Security:** Strong authentication protocols on email and messaging accounts (Gmail, Apple) to prevent their compromise and subsequent use for C2 or content distribution.
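As an added illustration of the Security Monitoring mitigation (example code written for this summary, not from the report or any vendor), the following Python detector runs over constructed gateway log lines and flags senders whose message volume exceeds a threshold, plus messages that pair an impersonated brand name with a link across iMessage, RCS and SMS. The log layout, account names, domains and the volume threshold are all assumptions.

```python
"""Volume and brand-lure detection over a constructed messaging-gateway log.
Log layout (assumed, not a real gateway format): ts|channel|sender|recipient|body"""
import re
from collections import Counter, defaultdict

# Brands the report says the Panda Shop templates imitate.
IMPERSONATED_BRANDS = ("at&t", "dhl", "vodafone")
URL_RE = re.compile(r"https?://\S+", re.I)

# Constructed sample lines; .invalid is a reserved TLD, accounts are placeholders.
SAMPLE_LOG = [
    "2025-01-01T10:00:00|imessage|acct-example-1|+15550001|DHL: parcel held, confirm at http://dhl-example.invalid/track",
    "2025-01-01T10:00:05|rcs|acct-example-1|+15550002|Vodafone: bill overdue, pay now http://vodafone-example.invalid",
    "2025-01-01T10:00:09|sms|acct-example-1|+15550003|AT&T reward pending: http://att-example.invalid",
    "2025-01-01T10:01:00|sms|acct-example-2|+15550004|Hi, are we still on for lunch?",
    "2025-01-01T10:02:00|imessage|acct-example-3|+15550005|Your DHL package arrived at the front desk",
]

def parse_line(line):
    """Split one log line into its five fields (body may itself contain '|')."""
    ts, channel, sender, recipient, body = line.split("|", 4)
    return {"ts": ts, "channel": channel, "sender": sender,
            "recipient": recipient, "body": body}

def is_brand_lure(body):
    """Brand name plus a link is the lure shape the report describes;
    a brand mention with no link is treated as benign."""
    low = body.lower()
    return any(b in low for b in IMPERSONATED_BRANDS) and bool(URL_RE.search(body))

def analyze(lines, volume_threshold=3):
    """Return (bulk_senders, lures_by_channel).
    The threshold is a constructed value; tune it to the gateway's baseline."""
    per_sender = Counter()
    lures = defaultdict(list)
    for line in lines:
        msg = parse_line(line)
        per_sender[msg["sender"]] += 1
        if is_brand_lure(msg["body"]):
            lures[msg["channel"]].append(msg["sender"])
    bulk_senders = {s for s, n in per_sender.items() if n >= volume_threshold}
    return bulk_senders, dict(lures)

if __name__ == "__main__":
    bulk, lures = analyze(SAMPLE_LOG)
    print("bulk senders:", bulk)            # {'acct-example-1'}
    print("lures by channel:", lures)       # same sender on imessage, rcs and sms
```

In practice the per-sender count would be computed over a sliding time window rather than the whole log, and a single account appearing on all three channels is itself a signal worth alerting on.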