Cybersecurity firm Resecurity has discovered a new phishing kit that appears to be the offshoot of the infamous Chinese cybercriminal group known as the Smishing Triad.
The operation first came to light in August 2023, and since its initial exposure, the Smishing Triad has become stealthier, upgrading its tools, tactics, and procedures. The group operates under a “Crime-as-a-Service” model, offering its smishing kits to other threat actors. This has allowed a vast network of associates to scale operations across international borders, often targeting unsuspecting victims through SMS, Apple iMessage, and Google RCS.
The group is capable of sending up to 2 million smishing messages per day equating to 60 million potential victims per month or 720 million annually.
Panda Shop uses similar techniques to the Smishing Triad but comes with enhanced features. The kit supports phishing templates for a wide range of brands including AT&T, UPS, USPS, DHL, Movistar, Vodafone, and even government portals such as the UK’s parking fine payment site. It also supports international services such as UAE-based telecom provider Du.
Panda Shop operates using Telegram bots and channels to automate service delivery, bypassing more heavily monitored Chinese platforms like QQ and WeChat. Researchers believe Panda Shop may be operated by former Smishing Triad members, seeking to rebrand after being exposed. The kit is capable of harvesting sensitive information, including credit card data and PII, and is now being used for fraud involving Google Wallet, Apple Pay, and NFC tools like Z-NFC and UFO NFC.