Smishing Triad Impersonation Campaigns Expand Globally

A growing cluster of fraudulent domains impersonating major Egyptian service providers, including Fawry, Egypt Post and Careem, has been identified during a recent threat-hunting operation.

The discovery by Dark Atlas points to an expanding campaign run by the Smishing Triad, a Chinese-speaking cybercrime group known for large-scale SMS phishing operations.

These domains appear designed to support fraud and data-harvesting schemes aimed at both individuals and organizations.

New Malicious Domains

New malicious domains were uncovered after analysts examined HTTP headers from the group’s infrastructure and used those indicators to run targeted searches on Shodan.

The process exposed additional domains mimicking global brands and financial platforms, particularly within AS132203, an infrastructure block linked to Tencent’s facilities.

Analysts found that the same network space is being used to host pages spoofing UnionPay, TikTok and other services, illustrating how broadly the Triad relies on shared hosting resources.
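As an added illustration of the header-pivot step described above (example code, not Dark Atlas's tooling), the Python below derives a fingerprint from the response headers of hosts already tied to a kit and scores other hosts against it; the matching (name, value) pairs are what an analyst would then turn into a Shodan search. All hostnames and header values are constructed.

```python
"""Pivot from the HTTP response headers of known phishing hosts to other
hosts that reproduce the same server fingerprint."""
from collections import Counter

# Headers too common across the web to discriminate kit hosts on their own.
GENERIC = {"content-type", "date", "content-length", "connection", "vary"}

def normalize(headers):
    """Lower-case names; reduce Set-Cookie to the cookie name, because the
    per-session value would otherwise never match across hosts."""
    out = {}
    for name, value in headers.items():
        name, value = name.lower(), value.strip()
        if name == "set-cookie":
            value = value.split("=", 1)[0]
        out[name] = value
    return out

def build_fingerprint(samples, min_share=1.0):
    """(name, value) pairs present on at least min_share of known-bad samples."""
    counts = Counter(pair for h in samples for pair in normalize(h).items()
                     if pair[0] not in GENERIC)
    needed = min_share * len(samples)
    return {pair for pair, n in counts.items() if n >= needed}

def score(headers, fingerprint):
    """Fraction of fingerprint pairs a candidate host reproduces."""
    return len(set(normalize(headers).items()) & fingerprint) / len(fingerprint)

def pivot(candidates, fingerprint, threshold=0.6):
    """Hostnames worth analyst review: match at or above the threshold."""
    return [host for host, h in candidates.items()
            if score(h, fingerprint) >= threshold]

# Constructed sample data for this demo, not real observations.
KNOWN_BAD = [
    {"Server": "nginx/1.18.0 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
     "Set-Cookie": "kit_sid=a1b2; path=/", "Content-Type": "text/html"},
    {"Server": "nginx/1.18.0 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
     "Set-Cookie": "kit_sid=c3d4; path=/", "Date": "Mon, 01 Jan 2024 00:00:00 GMT"},
]
CANDIDATES = {  # one full match, one unrelated PHP host, one partial match
    "fawry-pay-verify.example": {"Server": "nginx/1.18.0 (Ubuntu)",
        "X-Powered-By": "PHP/7.4.3", "Set-Cookie": "kit_sid=e5f6; path=/"},
    "legit-shop.example": {"Server": "Apache/2.4.41", "X-Powered-By": "PHP/7.4.3"},
    "egypt-post-track.example": {"Server": "nginx/1.18.0 (Ubuntu)", "Set-Cookie": "kit_sid=g7h8"},
}

if __name__ == "__main__":
    fp = build_fingerprint(KNOWN_BAD)
    print(pivot(CANDIDATES, fp))  # ['fawry-pay-verify.example', 'egypt-post-track.example']
```

The partial match shows why the threshold matters: a host sharing only the common PHP banner is not flagged, while one sharing the server build and the kit's cookie name is.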


The investigation also highlighted the group’s reliance on Telegram to promote and sell its phishing-as-a-service offerings.

Older Telegram channels led analysts to a video from a member identified as “wangduoyu8,” demonstrating the group’s customizable smishing kit. These kits can be rapidly deployed to virtual servers, automatically unpacking and configuring phishing templates that target victims across multiple regions.

The kits include international templates that mimic well-known brands. Examples identified in the investigation include:

  • Fake delivery notifications imitating DHL, Evri and UPS

  • Telecom billing alerts resembling AT&T, Movistar and Vodafone

  • Government and postal service messages linked to USPS, GOV.UK and Egypt Post

Rising Competition From Darcula

A separate but related development, detailed in the same Dark Atlas advisory, involves Darcula, a large-scale PhaaS platform operating more than 20,000 spoofed domains across 100 countries.

Netcraft reports that an upgraded version, Darcula 3.0, introduced anti-detection features, an enhanced admin panel, a card-cloning tool and AI-driven automation that allows operators to build phishing pages with a single click. Analysts warn that these upgrades will likely drive higher phishing volumes.

According to the research team, both the Smishing Triad and emerging PhaaS services like Darcula demonstrate the increasing sophistication of global phishing operations.

“Our investigation underscores the importance of proactive threat hunting, continuous monitoring of phishing infrastructure and user awareness to mitigate the risks posed by these campaigns,” Dark Atlas warned.

“As cyber-criminals continue to innovate, understanding their tactics, techniques and procedures is essential for building resilient defenses and protecting sensitive information worldwide.”
