Lighthouse Phishing Kit: The New Weapon in Smishing Triad’s Bank Targeting Operations


The Smishing Triad is a highly sophisticated Chinese eCrime group that has been engaging in SMS phishing (smishing) campaigns targeting a wide array of industries worldwide since at least 2023.

Their operations have since escalated: in 2025 the group introduced a new banking-focused phishing kit called “Lighthouse”, which specifically targets major financial institutions across the Asia-Pacific (APAC) region, particularly Australia, alongside global financial brands.

Severity Level: High

THREAT OVERVIEW:

  1. Initial Phishing Message Delivery
    o The attack begins with the group sending SMS phishing (smishing) messages to potential victims. These messages often impersonate well-known entities like postal services, telecommunications providers, or banks.
    o Lures: The SMS typically contains an urgent, action-oriented message, such as:
    “Your package is waiting for delivery. Click here to reschedule.”
    “Your account has been locked. Verify your identity to regain access.”
    “Payment confirmation needed. Click to validate your transaction.”
  2. Victim Interaction with Phishing URL
    o Once the victim clicks on the link, they are redirected to a fraudulent website designed to mimic a legitimate service (e.g., USPS, PayPal, or a financial institution). These websites look nearly identical to the real ones, often using similar logos, domain names, and layout.
    o The fake site asks the victim to enter personal details, such as:
      – Login credentials (username, password)
      – Bank account details
      – Credit card information, including CVV and PIN
      – OTP or 2FA codes, if the victim is attempting a financial transaction
    o The fraudulent website is connected to the Lighthouse backend, which enables real-time synchronization between the phishing page and the attacker’s database.
  3. Exploitation / Cash-Out
    o Credential Stuffing or Account Access: If banking credentials are stolen, attackers will attempt to log into the victim’s accounts, often testing them against multiple other services or banking apps (e.g., PayPal, Stripe, Visa, HSBC).
    o Fraudulent Transactions: With the stolen financial data, the Smishing Triad initiates fraudulent transactions. This may include wire transfers, purchases using the stolen credit card information, and loading the stolen card data into Apple/Google Wallet for future use.
    o Cash-Out Schemes: The group may leverage 300+ front desk staff to support these fraudulent transactions, making the process more efficient and scaling up their operations. This network also assists in laundering the stolen funds.
    o QR Codes: If the victim is stopped from completing a transaction, a QR code may be provided to complete the payment using a mobile app.
  4. Phishing Kit Sales and Distribution
    o In addition to conducting attacks directly, the Smishing Triad developer Wang Duo Yu also sells the Lighthouse phishing kit to other threat actors via a Telegram channel, making it easy for cybercriminals to replicate the attack.
  5. Target Regions: Asia-Pacific, Africa, Middle East, Europe, South America, and North America.
  6. Target Sectors: Postal, Logistics, Shipping, Telecommunications, Transport, Toll Systems, Finance, Banking, Retail, Government & Public Services.
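The lure stage described in step 1 can be screened with a simple heuristic scorer. This is an added illustration, not code from the advisory or from Silent Push: it scores constructed SMS messages modelled on the quoted lures for pressure wording, postal/banking themes, embedded links, and hosts that imitate a brand without being one of its genuine domains (the brand list and allow-list are assumptions, the domains are placeholders).

```python
import re
from urllib.parse import urlparse

# Constructed sample SMS lures modelled on the ones quoted in the advisory, plus one
# benign message. The domains are placeholders, not real indicators from the report.
SAMPLE_SMS = [
    "AusPost: Your package is waiting for delivery. Click here to reschedule: "
    "https://auspost-redelivery.example/track",
    "Your account has been locked. Verify your identity to regain access: "
    "http://secure-login.example/bank",
    "Payment confirmation needed. Click to validate your transaction http://pay.example/validate",
    "Hi, running 10 minutes late, see you at the cafe",
]

# Lure vocabulary: pressure words and the postal / banking themes the advisory describes.
URGENCY = re.compile(r"\b(?:verify|locked|reschedule|validate|confirmation|urgent|immediately)\b", re.I)
THEME = re.compile(r"\b(?:package|parcel|delivery|account|bank|payment|transaction|toll)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)

# Brands the advisory names as impersonated (assumed list) and their genuine hosts
# (assumed allow-list). A host containing a brand token but not allow-listed is a lookalike.
BRAND_TOKENS = ("auspost", "usps", "paypal", "hsbc")
ALLOWED_HOSTS = {"auspost.com.au", "usps.com", "paypal.com", "hsbc.com"}


def lookalike_host(url: str) -> bool:
    """True if the URL's host imitates a brand without being one of its genuine hosts."""
    host = (urlparse(url).hostname or "").lower()
    if host in ALLOWED_HOSTS or any(host.endswith("." + h) for h in ALLOWED_HOSTS):
        return False
    return any(token in host for token in BRAND_TOKENS)


def score_sms(text: str) -> dict:
    """Score one SMS: +1 urgency, +1 postal/bank theme, +1 link, +2 per lookalike host."""
    urls = URL.findall(text)
    lookalikes = [urlparse(u).hostname for u in urls if lookalike_host(u)]
    score = (bool(URGENCY.search(text)) + bool(THEME.search(text))
             + bool(urls) + 2 * len(lookalikes))
    return {
        "score": score,
        "urls": urls,
        "lookalike": lookalikes,
        "verdict": "suspicious" if score >= 3 else "benign",
    }


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        result = score_sms(sms)
        print(f"{result['verdict']:>10} (score {result['score']}): {sms[:60]}")
```

A score of 3 flags a message that combines pressure wording, a postal or banking theme, and a link; a brand-lookalike host on its own already adds 2, so tune the threshold against the false-positive rate of your own traffic.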

Recommendations:

  1. Regularly train employees and users on how to recognize phishing attempts, particularly SMS phishing (smishing). Ensure they understand the dangers of clicking on links from unknown sources, especially those impersonating postal services, banks, or telecommunications providers.
  2. Enforce mandatory MFA for accessing banking systems, corporate email accounts, and any other critical services.
  3. Given the nature of smishing attacks, ensure mobile device security is a priority.
  4. Ensure that web servers hosting financial or sensitive data are configured securely, using the latest patches and encryption protocols.
  5. Block the IOCs at their respective controls.
    https://www.virustotal.com/gui/collection/d1747f9028c2d890fe8f0b5685479d96aed5252f91df2375fcc310874190076e/iocs

Source:

  • https://www.silentpush.com/blog/smishing-triad/
