New Panda Shop smishing kit linked to Smishing Triad


Cybersecurity firm Resecurity has discovered a new phishing kit that appears to be the offshoot of the infamous Chinese cybercriminal group known as the Smishing Triad.

The operation first came to light in August 2023, and since its initial exposure, the Smishing Triad has become stealthier, upgrading its tools, tactics, and procedures. The group operates under a “Crime-as-a-Service” model, offering its smishing kits to other threat actors. This has allowed a vast network of associates to scale operations across international borders, often targeting unsuspecting victims through SMS, Apple iMessage, and Google RCS.

The group is capable of sending up to 2 million smishing messages per day, equating to 60 million potential victims per month, or 720 million annually.

Panda Shop uses similar techniques to the Smishing Triad but comes with enhanced features. The kit supports phishing templates for a wide range of brands including AT&T, UPS, USPS, DHL, Movistar, Vodafone, and even government portals such as the UK’s parking fine payment site. It also supports international services such as UAE-based telecom provider Du.

Panda Shop operates using Telegram bots and channels to automate service delivery, bypassing more heavily monitored Chinese platforms like QQ and WeChat. Researchers believe Panda Shop may be operated by former Smishing Triad members, seeking to rebrand after being exposed. The kit is capable of harvesting sensitive information, including credit card data and PII, and is now being used for fraud involving Google Wallet, Apple Pay, and NFC tools like Z-NFC and UFO NFC.

