{
  "name": "Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns",
  "slug": "phoenix-rising-exposing-the-phaas-kit-behind-global-mass-phishing-campaigns",
  "description": "Since January 2025, researchers have identified over 2,500 phishing domains targeting more than 70 organizations across the financial services, telecommunications, and logistics sectors globally. Two dominant smishing campaigns were discovered: Reward Points phishing, which impersonates banks and telecom providers, and Failed Parcel Delivery phishing, which mimics logistics companies. Despite their different themes, both campaigns share infrastructure and use the Phoenix System administrative panel, a successor to the Mouse System. This Phishing-as-a-Service platform offers real-time victim monitoring, geofencing, IP-based filtering, and live-phishing interventions to bypass multi-factor authentication. The platform is distributed via Telegram channels for approximately $2,000 annually, providing threat actors with pre-built templates, traffic filtering mechanisms, and real-time victim management dashboards. Attackers may leverage fake Base Transceiver Stations (BTS) to bypass carrier-level filtering and deliver messages app...",
  "published": "2026-04-29T10:31:58+00:00",
  "created_at": "2026-04-29T10:31:58+00:00",
  "modified_at": "2026-05-04T08:59:28+00:00",
  "created_at_opencti": "2026-04-29T10:31:58+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-29",
    "bts injection",
    "credential harvesting",
    "financial fraud",
    "mfa bypass",
    "phaas",
    "phoenix system",
    "smishing"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "43.134.239.46"
      },
      {
        "id": "",
        "name": "43.154.31.214"
      },
      {
        "id": "",
        "name": "43.156.61.150"
      },
      {
        "id": "",
        "name": "47.80.79.203"
      },
      {
        "id": "",
        "name": "23.95.166.127"
      },
      {
        "id": "",
        "name": "47.80.64.106"
      },
      {
        "id": "",
        "name": "8.220.130.133"
      },
      {
        "id": "",
        "name": "156.245.145.174"
      },
      {
        "id": "",
        "name": "156.245.146.210"
      },
      {
        "id": "",
        "name": "43.163.100.238"
      },
      {
        "id": "",
        "name": "101.32.186.29"
      },
      {
        "id": "",
        "name": "8.220.190.2"
      },
      {
        "id": "",
        "name": "47.80.70.114"
      },
      {
        "id": "",
        "name": "43.134.12.32"
      },
      {
        "id": "",
        "name": "8.212.128.102"
      },
      {
        "id": "",
        "name": "http://43.133.0.0"
      },
      {
        "id": "",
        "name": "http://43.153.0.0"
      },
      {
        "id": "",
        "name": "http://38.162.114.0"
      },
      {
        "id": "",
        "name": "http://43.134.0.0"
      },
      {
        "id": "",
        "name": "http://45.203.220.0"
      },
      {
        "id": "",
        "name": "http://47.80.0.0"
      },
      {
        "id": "",
        "name": "http://43.160.192.0"
      },
      {
        "id": "",
        "name": "http://43.162.0.0"
      },
      {
        "id": "",
        "name": "http://154.91.90.0"
      }
    ],
    "attack_patterns": [
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Telecommunications"
      },
      {
        "id": "",
        "name": "Technologies"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69f1fa3e73a0897558593b04",
    "https://www.group-ib.com/blog/phoenix-phaas-kit-smishing/"
  ]
}