This is a sophisticated smishing and phishing operation active since the second half of 2025 that impersonates over 267 brands across 72 countries, with a concentration in Latin America. It generated 4,389 phishing domains, with Mexico heavily targeted. The campaign primarily targets telecommunications, financial services, and consumer rewards sectors. It uses fake Cloudflare error 524 pages as decoys, revealing malicious content selectively based on geofencing and mobile device criteria. Data exfiltration occurs through encrypted WebSocket channels using binary encoded payloads. The infrastructure is partially hosted on Tencent Cloud and Alibaba US servers, fronted by Cloudflare to mask hosting IPs. The attack chain involves SMS lures leading to progressive credential harvesting and theft of complete credit card details including CVV codes.

The campaign results in credential theft and financial fraud through the capture of complete credit card details, including CVV codes. It affects multiple sectors, predominantly telecommunications and financial services, across at least 72 countries with a strong focus on Latin America. The use of decoy error pages and selective targeting increases the likelihood of successful victim engagement and evasion of detection.

As this is a social engineering campaign rather than a software vulnerability, no patch or official fix exists. Organizations should focus on user awareness training about smishing and phishing risks, especially regarding SMS messages impersonating trusted brands. Monitoring for and blocking known phishing domains and IP indicators associated with this campaign can help reduce exposure. The vendor advisory does not indicate any automated mitigation or patch. Defensive measures should be tailored to detect and respond to phishing attempts and credential harvesting activities.