Introduction
According to the Group-IB High-Tech Crime Trends Report 2026, Financial Services, Logistics, and Telecommunications were identified as three of the top five industries most targeted by phishing in 2025. And SMS phishing (smishing) still remains one of the most effective and fastest-growing fraud vectors worldwide. This effectiveness has been further amplified by the rise of phishing-as-a-service (PhaaS) platforms, which provide affiliates with pre-built templates, traffic filtering mechanisms, and real-time victim management dashboards. By combining high-delivery SMS distribution methods with scalable, subscription-based phishing ecosystems, threat actors can rapidly deploy campaigns, replicate proven attack workflows, and expand operations across multiple regions with minimal technical overhead.
Since January 2025, Group-IB has identified a surge in two dominant smishing-driven phishing themes: Reward Points phishing, which impersonates banks and telecommunications providers and Failed Parcel Delivery phishing, which impersonates logistics and shipping companies. Despite differences in social engineering themes, both campaigns exhibit strong operational similarities. This research demonstrates that they are not independent activities, but are instead linked through shared infrastructure and a phishing kit ecosystem, identified as the Phoenix System.
In this blog, discover how threat actors create and distribute phishing campaigns targeting the financial, telecommunications, and logistics sectors globally, and identify the Telegram channels distributing these sophisticated phishing kits.
Key discoveries in the blog
- The campaigns are delivered via SMS, potentially leveraging fake Base Transceiver Stations (BTS) to bypass carrier-level filtering and allow threat actors to send messages that appear under the brand names of trusted organizations directly to victims.
- Since January 2025, Group-IB has identified over 2,500 phishing domains associated with these operations.
- The campaign has so far targeted more than 70 organizations across the financial services, telecommunications, and logistics sectors globally.
- The phishing sites implement IP-based filtering and geofencing to precisely target victims within specific countries.
- Investigation revealed a shared infrastructure between phishing campaigns themed on reward redemptions and failed parcel deliveries, despite differences in their attack context and target audiences.
- Both campaigns utilize the “Phoenix System” (不死鳥系統) administrative backend, which is the successor generation of the Mouse System (耗子系統).
- The phishing kits are distributed via a dedicated Telegram ecosystem.
Who may find this blog interesting:
- Cybersecurity analysts and corporate security teams
- Threat intelligence specialists
- Cyber investigators
- Computer Emergency Response Teams (CERT)
- Law enforcement investigators
- Cyber police forces
Group-IB Threat Intelligence Portal
Group-IB customers can access our Threat Intelligence portal for more information about the threat actor designated as FH-SMS25 and phishing campaigns described in this blog.
Victimology: A tale of two seemingly disparate phishing campaigns

Figure 1. Victimology map for the Reward Points Phishing campaign.

Figure 2. Victimology map for the Failed Parcel Delivery Phishing campaign.
Unmasking a global smishing network
Mirror tactics: The smishing connection
When observed separately, the two phishing campaigns above have entirely different victimology, targets and themes. However, during this investigation, Group-IB’s patented Graph technology uncovered shared infrastructure between the Reward Points Phishing campaign and the Failed Parcel Delivery Phishing operation.

Figure 3: Group-IB Graph used to map the malicious infrastructure behind two phishing campaigns reveals a common overlapping IP address.
Apart from sharing the same host IP, both campaigns utilize identical Tactics, Techniques, and Procedures (TTPs) to systematically compromise victims via mobile devices.
| Tactic (TTP) | MITRE ID | Reward Points Phishing | Failed Parcel Delivery Phishing |
|---|---|---|---|
| Initial Vector (Smishing) | T1566.002 | Sending phishing SMS to victims | Sending phishing SMS to victims |
| Lure & Social Engineering | T1204.001 | Creates a sense of urgency by claiming points will “expire in 24 hours,” forcing a quick click to a “redemption portal.” | Creates a sense of FOMO/urgency by claiming a package will be “returned to sender” unless info is updated immediately. |
| The Data Harvest | T1539 | Victims enter phone numbers to “check points,” then provide full credit card details to pay a nominal “prize shipping fee.” | Victims enter address details to “update info,” followed by a prompt for credit card details to pay a “redelivery fee.” |
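The lure wording in the table above (urgency phrasing, a reward or parcel theme, a link, and a small "fee") is what a mail/SMS gateway or a SOC triage script can score on. The following is an added example, not Group-IB code or detection rules: a small heuristic scorer over constructed sample messages that mirror the two lures. The regexes, thresholds and sample texts are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Heuristic lure indicators distilled from the two campaigns' TTPs.
# Patterns and sample messages are constructed for this example.
URGENCY = re.compile(
    r"\b(expires? in \d+\s*hours?|within 24 hours|immediately|returned to sender)\b", re.I
)
REWARD_THEME = re.compile(r"\b(rewards?|points|redeem|redemption|prize|promotion)\b", re.I)
PARCEL_THEME = re.compile(r"\b(parcel|package|delivery|redelivery|shipment|address)\b", re.I)
FEE = re.compile(r"\b(fee|pay|payment|shipping)\b", re.I)
LINK = re.compile(r"https?://\S+|\b[a-z0-9-]+\.[a-z]{2,}/\S*", re.I)


@dataclass
class Verdict:
    score: int
    theme: str                      # "reward", "parcel", "mixed" or "none"
    reasons: List[str] = field(default_factory=list)


def classify_sms(text: str) -> Verdict:
    """Score one SMS body against the lure indicators and name its theme."""
    score, reasons = 0, []
    if URGENCY.search(text):
        score += 2; reasons.append("urgency")
    if LINK.search(text):
        score += 2; reasons.append("link")
    if FEE.search(text):
        score += 1; reasons.append("fee")
    reward = bool(REWARD_THEME.search(text))
    parcel = bool(PARCEL_THEME.search(text))
    if reward:
        score += 1; reasons.append("reward-theme")
    if parcel:
        score += 1; reasons.append("parcel-theme")
    theme = {(True, False): "reward", (False, True): "parcel",
             (True, True): "mixed"}.get((reward, parcel), "none")
    return Verdict(score, theme, reasons)


def is_suspicious(text: str, threshold: int = 4) -> bool:
    """Urgency plus a link already reaches the threshold; theme/fee add confidence."""
    return classify_sms(text).score >= threshold


# Constructed samples: two lures shaped like the table rows, two benign messages.
SAMPLE_SMS = [
    "Your 3,250 reward points expire in 24 hours. Redeem your gift now: "
    "http://example-rewards.test/claim",
    "Delivery attempt failed. Your package will be returned to sender unless you "
    "update your address immediately and pay the redelivery fee: "
    "http://example-parcel.test/update",
    "Your parcel from Example Shop is scheduled for tomorrow between 09:00 and 12:00. "
    "No action is needed.",
    "Reminder: your dentist appointment is on Tuesday at 10:00.",
]


def triage(messages: List[str]) -> List[Tuple[str, int]]:
    """Return (theme, score) per message, in input order."""
    return [(v.theme, v.score) for v in map(classify_sms, messages)]


if __name__ == "__main__":
    for msg, (theme, score) in zip(SAMPLE_SMS, triage(SAMPLE_SMS)):
        print(f"{score} {theme:7} suspicious={is_suspicious(msg)} :: {msg[:60]}")
```

The benign parcel notice scores on theme only and stays below the threshold; both lures cross it because urgency and a link co-occur, which is the combination the table highlights for both campaigns.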
Evolution of delivery vectors: From standard SMS to BTS-based injection
To understand the full scale of these operations, let’s analyze the methods used by threat actors to deceive victims with examples from the Reward Points Phishing campaign.
In the first stage, the threat actor sends phishing messages directly to users from ordinary mobile phone numbers. These numbers are not spoofed or masked through advanced techniques; instead, they are typically prepaid or disposable numbers controlled by the attacker. However, this approach has limited effectiveness. Many users are cautious when receiving sensitive messages from unknown numbers and may question the legitimacy of the content. The lack of clear branding or an identifiable official sender makes it easier to recognize the message as a potential scam. As a result, click-through rates using this technique tend to be lower, prompting the threat actor to later adopt more convincing delivery methods to improve success.

Figure 4. The campaign first utilized SMS text messages sent from a local number to impersonate a brand’s reward program.
As the campaign evolves, attackers are likely leveraging advanced SMS delivery techniques, including the potential use of BTS-based SMS injection. A Base Transceiver Station (BTS) normally enables mobile devices to connect to an operator’s network for calls, SMS, and data services. By deploying rogue BTS equipment that broadcasts stronger signals than legitimate towers, attackers can cause nearby devices to connect to their station instead, allowing SMS messages to be injected directly without passing through standard operator routing systems. This enables the bypass of sender authentication and spam filtering. A similar delivery outcome may also be achieved through the use of commercial bulk SMS services or messaging gateways.

Figure 5. How the Base Transceiver Station (BTS) works.
The injected messages appear as legitimate SMS notifications, often impersonating trusted organizations using branded sender names or short codes. These messages contain links to phishing pages designed to mimic official websites. Because the messages appear as normal SMS, detection is difficult for both users and telecom operators.
Victim flow: Rewards Points Phishing campaign
In this Reward Points Phishing campaign, attackers specifically target users of banks and mobile service providers, sending messages claiming that recipients have accumulated reward points or are eligible for special promotions. The notifications are crafted to appear legitimate, often mimicking the style and wording of official communications to create a sense of urgency and trust.

Figure 6. Comparison between a legitimate notification and a fraudulent smishing message.
The phishing pages actively check the visitor’s IP address and block users whose IPs do not fall within the targeted geographic region. This indicates that the site is using IP-based filtering or geofencing controls to restrict access to specific countries or networks.

Figure 7. Only specific IP ranges and devices can access the phishing link; all other visitors are blocked.
In this step, users are prompted to enter their phone number on the phishing page. However, the input field does not seem to perform any validation checks. Regardless of whether a valid, invalid, or random number is entered, the system proceeds in the same way. After submission, users are redirected to the same fake redemption page.

Figure 9. All phone numbers redirect to a fake redemption page, tricking users into revealing personal information.
Within the webpage, victims are presented with a randomly generated amount of reward points that appear to have already been credited to their account. This creates the impression that they have legitimately qualified for a reward, increasing the likelihood of user engagement.

Figure 10. Victims are required to pick a product to redeem with the points they have.
After selecting a product, victims are redirected to a follow-up page requesting shipping information, such as name, address, and contact number, under the pretext of delivering the reward.

Figure 11. Victims are required to fill in their shipping address.
In the last step, victims are prompted to enter their bank card number and other sensitive details such as the card expiry date and CVV.

Figure 12. Victims are asked to fill in their credit card information on this page.
Victim flow: Failed Parcel Delivery Phishing campaign
While the delivery phase and TTPs are similar, the Failed Parcel Delivery campaign’s operational flow is more direct. Phishing SMS messages inform targets of a fake failed delivery and immediately direct victims to the phishing page to update personal and payment information. You can also read about similar scams in more detail here: The Rise of Fake Shipment Scams in MEA.
Inside the Phishing Panel
During further investigation into the backend mechanics of these operations, Group-IB researchers discovered that both the Reward Points Phishing and the Failed Parcel Delivery Phishing setups utilize the exact same type of administrative backend, known as the “Phoenix System” or “不死鳥系統” in Traditional Chinese.
Group-IB identified that this panel is where the threat actor supplies credentials to the Phoenix installation service, which remotely deploys the phishing kit and launches the management dashboard. Within this panel, operators can oversee phishing campaigns, configure traffic filtering rules and monitor harvested credentials. The interface is streamlined and intuitive, incorporating design elements commonly observed in modern phishing management platforms.

Figure 15: The Phoenix management dashboard.

Figure 16: Phishing configuration page.
The administrative console reveals a domain management interface designed for targeted phishing operations, incorporating advanced geofencing and anti-analysis measures. The system is configured with strict IP restrictions, ensuring that the fraudulent content is only accessible to users within a specific region. At the same time, operators can enable “Crawler Interception” to block automated security scanners, while the iOS and Android interception settings require specific user agents to access the phishing content. Furthermore, the platform employs a stealth redirection mechanism that routes unauthorized traffic to custom error pages (such as 404, 403, or 500) or to default system redirects, effectively masking the infrastructure’s malicious intent from non-targeted entities.
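The practical consequence of the gating described above is that a scanner, sandbox or analyst workstation requesting the URL with a desktop or crawler User-Agent (or from outside the geofenced region) sees a plausible 404/403/500 and may clear the site as benign. A cheap triage check is therefore to request the same URL once per device class and compare the responses: differing status codes or bodies across User-Agents are themselves an indicator of cloaking. The code below is an added example written for this post, not part of the Phoenix kit or Group-IB tooling; the User-Agent strings are ordinary constructed values, `urllib_fetch` is a live fetcher for real use, and `simulated_gated_site` is an offline stand-in that reproduces the behaviour the text describes so the check can be exercised without network access.

```python
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

Response = Tuple[int, bytes]               # (HTTP status, body)
Fetcher = Callable[[str, str], Response]   # (url, user_agent) -> Response

# One representative User-Agent per device class the panel gates on.
# Constructed for this example; any current, realistic values will do.
PROBE_AGENTS: Dict[str, str] = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    "ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 "
           "(KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
    "android": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36",
    "crawler": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}


def urllib_fetch(url: str, user_agent: str, timeout: float = 10.0) -> Response:
    """Live fetcher: one GET with the given User-Agent; HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(url: str, fetch: Fetcher) -> Dict[str, Tuple[int, str]]:
    """Request the URL once per device class; keep the status and a short body digest."""
    results = {}
    for label, ua in PROBE_AGENTS.items():
        status, body = fetch(url, ua)
        results[label] = (status, hashlib.sha256(body).hexdigest()[:16])
    return results


def detect_cloaking(url: str, fetch: Fetcher) -> dict:
    """Flag the URL as cloaked when device classes receive different responses."""
    results = probe(url, fetch)
    distinct = {(status, digest) for status, digest in results.values()}
    return {
        "cloaked": len(distinct) > 1,
        "served_to": sorted(k for k, (s, _) in results.items() if s == 200),
        "blocked": sorted(k for k, (s, _) in results.items() if s != 200),
        "responses": results,
    }


def simulated_gated_site(url: str, user_agent: str) -> Response:
    """Offline stand-in (constructed): mobile UAs get the form, everyone else a 404 page."""
    if "iPhone" in user_agent or "Android" in user_agent:
        return 200, b"<html><form>card number / expiry / cvv</form></html>"
    return 404, b"<html><h1>404 Not Found</h1></html>"


def simulated_plain_site(url: str, user_agent: str) -> Response:
    """Offline stand-in (constructed): an ordinary site answers everyone the same way."""
    return 200, b"<html><p>hello</p></html>"


if __name__ == "__main__":
    # Placeholder URL; for a real check pass urllib_fetch and the suspect URL.
    print(detect_cloaking("http://phish.example.test/claim", simulated_gated_site))
```

Rotating the User-Agent only exposes the device gate. Because the panel also enforces IP restrictions, a probe run from outside the targeted region can receive the error page for every device class, so a uniform 404 is not evidence that a URL is harmless; repeat the check from a vantage point inside the region the lure was sent to before closing the case.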

Figure 17: Centralized theme management library.
Upon completing the configuration of the phishing kit, an operator can review and manage a diverse array of global targets through a centralized theme management library. The administrative console reveals an organized Phishing-as-a-Service (PhaaS) infrastructure with categories of localized templates by geographic regions, including Asia, Europe, Africa, and LATAM.

Figure 18: Real-time monitor dashboard.
Additionally, the Phoenix system provides a dashboard that allows operators to monitor harvested data in real-time. This administrative console tracks granular victim telemetry, including unique user IDs, device specifications (e.g., iOS or Android), and exfiltrated sensitive information such as full credit card details and personally identifiable information (PII).
A critical feature of this panel is its live interaction capability, which alerts the operator exactly when a victim is navigating an OTP entry page. This enables the threat actor to perform “live-phishing” interventions, such as triggering custom error messages to force the re-entry of credentials or manually prompting for a PIN, effectively bypassing multi-factor authentication (MFA) and ensuring the immediate validation of stolen financial assets.
Behind Phoenix
Beyond the technical capabilities of the panel, Group-IB analysts have also identified the group responsible for distributing and maintaining this phishing kit. The operation is supported by a dedicated sales and customer support team operating through multiple Telegram channels, where users receive onboarding guidance, troubleshooting assistance, and campaign optimization advice. The group provides a full-service ecosystem, offering structured tutorials, real-time Q&A support, and technical debugging assistance.

Figure 19: A Telegram channel selling the Phoenix System phishing kits.
Phoenix operates on a subscription model, charging around $2,000 for annual access (with higher pricing on shorter terms) and ad hoc sales. Fraudsters looking to purchase these kits are directed to communicate with one of many business Telegram accounts.
Further investigation into the Telegram channels also reveals the distribution of numerous source code packages associated with targeted phishing campaigns aimed at various companies worldwide.
Evolution: From “耗子系统” to Phoenix System (不死鳥)
Group-IB investigators further traced the lineage of the modern Phoenix System (不死鳥) back to its earlier (now-defunct) iteration known as “耗子系统” (Mouse System).

Figure 24: 耗子系统 (Mouse System) phishing administration panel.
To verify this connection, Group-IB conducted a side-by-side source code analysis of the Phoenix System and the 耗子系统 (Mouse System).

Figure 25: Phoenix System and Mouse System source code comparison.
- Identical Asset Structure: Both systems share a nearly identical file directory and framework architecture. The way system assets, static files, and admin scripts are organized remains unchanged.
- Script Overlap: The JavaScript logic controlling the administrative dashboard and the core CSS styling in the Phoenix System are direct inheritances from the legacy “Mouse” version.
Conclusion
Phishing-as-a-Service (PhaaS) platforms such as the “Phoenix System” and “Mouse System” are poised for continued growth as they transform smishing tradecraft into a commercially packaged, subscription-based offering. By centralizing infrastructure within a unified backend, the platform supports multi-region and multi-vertical campaign deployment while embedding automation that lowers the technical barrier to entry. Integrated capabilities including traffic filtering, geofencing, and real-time victim session monitoring enable streamlined credential harvesting and live OTP interception at scale. Combined with community-based support channels and ongoing service updates, this model reduces operational complexity and allows campaigns to expand rapidly across geographies with minimal technical expertise. As smishing tactics continue to mature, a combination of Digital Risk Protection, actionable threat intelligence, and user awareness remains essential to reducing exposure and mitigating SMS-based fraud.
Recommendations
For organizations, particularly in financial services, telecommunications and logistics:
- Implement continuous monitoring for SMS-linked brand abuse with a comprehensive Digital Risk Protection solution.
- Track newly registered domains and infrastructure reuse patterns.
- Enable rapid takedown workflows and telecom coordination.
- Integrate an advanced Threat Intelligence solution to identify emerging smishing frameworks early.
For individual users:
- Be cautious of unsolicited SMS messages creating urgency.
- Avoid clicking links in SMS notifications.
- Verify alerts through official apps or websites.
- Never provide sensitive or payment information via SMS links.
Frequently Asked Questions (FAQ)
What is Phishing-as-a-Service (PhaaS)?
Phishing-as-a-Service (PhaaS) is a scalable, subscription-based cybercrime model that lowers the technical barrier to entry for threat actors. By using a PhaaS, cybercriminals can rapidly deploy fraudulent campaigns and replicate proven attack workflows with minimal technical overhead.
It is a similar operating model to Ransomware-as-a-Service (RaaS), which you can read more about on the Group-IB Knowledge Hub.
What is the "Phoenix System"?
The Phoenix System (不死鳥系統) is a centralized PhaaS administrative panel used to manage large-scale phishing operations. Identified as the successor to the older and now-defunct “Mouse System” (耗子系統), Phoenix provides operators with advanced tools like real-time victim monitoring, geofencing, IP-based filtering, and live-phishing interventions. It allows criminals to manage localized templates across different geographies and seamlessly track stolen data.
How do cybercriminals obtain these phishing kits?
The Phoenix System is sold, distributed and maintained through a dedicated Telegram ecosystem. These Telegram channels act as a full-service business hub, offering buyers onboarding guidance, structured tutorials, custom pre-built source code packages, and real-time technical debugging assistance.
How do attackers use the Phoenix System to bypass Multi-Factor Authentication (MFA)?
The Phoenix dashboard features a live interaction capability that alerts an operator the exact moment a victim lands on an OTP (One-Time Password) entry page, allowing the attacker to perform “live-phishing” interventions such as manually triggering custom error messages on the victim’s screen to force them to re-enter credentials or prompt them for a PIN in real-time. This active manipulation ensures the attackers can capture and immediately validate the MFA codes required to drain financial assets.
Who are the primary targets of these campaigns?
The phishing operations tracked to the Phoenix System have largely impersonated trusted brands in two distinct campaigns: Rewards Points Phishing targeting telecommunications and banking sectors, and Failed Parcel Delivery Phishing targeting the logistics and shipping companies. More than 70 organizations globally have been affected since January 2025.
How have smishing techniques evolved?
Historically, attackers sent phishing messages using standard prepaid or disposable mobile numbers, but more vigilant users have learned to ignore unknown numbers. To increase success rates, threat actors have evolved to using Base Transceiver Station (BTS) injection or commercial bulk SMS services and messaging gateways. Read more about smishing and other forms of phishing such as vishing in the Group-IB Knowledge Hub.
Group-IB Fraud Matrix
Indicators of Compromise (IOCs)
Network IOCs
23[.]95[.]166[.]127
38[.]162[.]114[.]0
43[.]133[.]0[.]0
43[.]134[.]0[.]0
43[.]134[.]12[.]32
43[.]134[.]239[.]46
43[.]153[.]0[.]0
43[.]154[.]31[.]214
43[.]156[.]61[.]150
43[.]160[.]192[.]0
43[.]162[.]0[.]0
43[.]163[.]100[.]238
45[.]203[.]220[.]0
47[.]80[.]0[.]0
47[.]80[.]64[.]106
47[.]80[.]70[.]114
47[.]80[.]79[.]203
8[.]212[.]128[.]102
8[.]220[.]130[.]133
8[.]220[.]190[.]2
101[.]32[.]186[.]29
154[.]91[.]90[.]0
156[.]245[.]145[.]174
156[.]245[.]146[.]210
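The list above is defanged, and several entries end in .0, which suggests network prefixes, but the post publishes no prefix lengths. The following added example (not Group-IB code) refangs the published addresses, treats every entry as an exact address rather than guessing a CIDR mask, separately lists the .0 entries for analyst review, and sweeps a few constructed proxy/DNS log lines for matches. The log lines and the `IPV4_RE` pattern are assumptions made for this example.

```python
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# Network IOCs exactly as published in this post, in defanged form.
DEFANGED_IOCS = """
23[.]95[.]166[.]127
38[.]162[.]114[.]0
43[.]133[.]0[.]0
43[.]134[.]0[.]0
43[.]134[.]12[.]32
43[.]134[.]239[.]46
43[.]153[.]0[.]0
43[.]154[.]31[.]214
43[.]156[.]61[.]150
43[.]160[.]192[.]0
43[.]162[.]0[.]0
43[.]163[.]100[.]238
45[.]203[.]220[.]0
47[.]80[.]0[.]0
47[.]80[.]64[.]106
47[.]80[.]70[.]114
47[.]80[.]79[.]203
8[.]212[.]128[.]102
8[.]220[.]130[.]133
8[.]220[.]190[.]2
101[.]32[.]186[.]29
154[.]91[.]90[.]0
156[.]245[.]145[.]174
156[.]245[.]146[.]210
"""


def refang(token: str) -> str:
    """Turn the defanged notation back into a routable address string."""
    return token.replace("[.]", ".")


def load_iocs(text: str) -> Set[str]:
    """Parse one defanged address per line; ipaddress validates each entry."""
    iocs = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            iocs.add(str(ipaddress.ip_address(refang(line))))
    return iocs


IOCS = load_iocs(DEFANGED_IOCS)


def possible_network_indicators(iocs: Iterable[str]) -> List[str]:
    """Entries ending in .0 look like prefixes; no mask is published, so flag them
    for review instead of expanding them to a guessed CIDR range."""
    return sorted(ip for ip in iocs if ip.endswith(".0"))


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_logs(lines: Iterable[str], iocs: Set[str]) -> List[Tuple[int, str]]:
    """Return (line number, matched IOC) for every IPv4 token that is a listed indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs:
                hits.append((number, ip))
    return hits


# Constructed log lines: one proxy hit on a listed address, one benign, one DNS answer.
SAMPLE_LOGS = [
    "2025-06-01T10:14:22Z proxy src=10.0.0.5 dst=43.134.239.46 host=rewards-example.test status=200",
    "2025-06-01T10:15:03Z proxy src=10.0.0.7 dst=93.184.216.34 host=example.com status=200",
    "2025-06-01T10:16:40Z dns query=parcel-update.test answer=8.220.190.2",
]


if __name__ == "__main__":
    print("loaded", len(IOCS), "indicators;", len(possible_network_indicators(IOCS)),
          "look like prefixes:", possible_network_indicators(IOCS))
    for number, ip in scan_logs(SAMPLE_LOGS, IOCS):
        print(f"line {number}: matched {ip}")
```

Exact matching keeps false positives down when pushing the list into a SIEM or firewall; if the .0 entries are confirmed to be ranges, replace the membership test with `ipaddress.ip_network(...)` containment checks once the prefix length is known.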
DISCLAIMER: All technical information, including malware analysis, indicators of compromise and infrastructure details provided in this publication, is shared solely for defensive cybersecurity and research purposes. Group-IB does not endorse or permit any unauthorized or offensive use of the information contained herein. The data and conclusions represent Group-IB’s analytical assessment based on available evidence and are intended to help organizations detect, prevent, and respond to cyber threats.
Group-IB expressly disclaims liability for any misuse of the information provided. Organizations and readers are encouraged to apply this intelligence responsibly and in compliance with all applicable laws and regulations.
This blog may reference legitimate third-party services such as Telegram and others, solely to illustrate cases where threat actors have abused or misused these platforms.
This material is provided for informational purposes, prepared by Group-IB as part of its own analytical investigation, and reflects recently identified threat activity.
All trademarks referenced herein are the property of their respective owners and are used solely for informational purposes, without any implication of affiliation or sponsorship.