Exposing a Global Smishing Operation Across 19 Countries: Governments, Postal Services, and Telecoms Targeted
A coordinated smishing operation spanning 19 countries across Europe, the Americas, and the Caucasus has been exposed, originating from fraudulent SMS messages impersonating Romania's government payment portal Ghișeul.ro. Investigation revealed 1,628 malicious URLs linked by a single 128-character campaign identifier, targeting government portals, traffic police departments, postal services including DPD and SEUR, tax authorities, and telecommunications providers like T-Mobile and Vodafone. The infrastructure utilizes 32 backend IP addresses distributed across Tencent Cloud, Alibaba Cloud, Cloudflare CDN, and ALEXHOST Moldova. Threat actors employ two distinct phishing templates: a Vue.js single-page application and a Bootstrap-based clone, executing a four-stage credential harvesting process that collects complete payment card details through fabricated traffic fines, toll payments, and delivery notifications.
AI Analysis
Technical Summary
This smishing campaign uses fraudulent SMS messages impersonating Romania's government payment portal to distribute 1,628 malicious URLs linked by a unique campaign identifier. The targets include government and public service entities such as traffic police, postal services (DPD, SEUR), tax authorities, and telecom companies (T-Mobile, Vodafone). The phishing infrastructure operates across 32 backend IPs hosted on Tencent Cloud, Alibaba Cloud, Cloudflare CDN, and ALEXHOST Moldova. Two phishing templates are used: a Vue.js single-page app and a Bootstrap-based clone. The attack involves a four-stage credential harvesting workflow designed to collect complete payment card information through fake traffic fines, toll payments, and delivery notifications. This campaign leverages typosquatting and multiple adversary techniques but does not exploit a software vulnerability.
Potential Impact
The campaign aims to steal sensitive payment card credentials and personal information from victims by impersonating trusted government and service portals. Successful exploitation results in financial fraud and identity theft. The broad targeting across multiple countries and sectors increases the potential scale of impact. However, this is a social engineering attack rather than a software vulnerability or exploit. There are no known exploits in the wild beyond the phishing campaign itself.
Mitigation Recommendations
As this is a phishing and smishing campaign, no software patch is applicable. Organizations and users should be made aware of the fraudulent SMS messages and the impersonation of government portals. User education to recognize smishing attempts and avoid clicking suspicious links is critical. Monitoring and blocking known malicious URLs and IP addresses associated with this campaign can reduce exposure. Vendors hosting the infrastructure should be notified to take down malicious resources. No official fix or vendor advisory is available; remediation relies on user awareness and network defenses.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://hunt.io/blog/massive-smishing-campaign-governments-postal-telecoms
- Adversary: null
- Pulse Id: 6a17527240dde65694eed30e
- Threat Score: null
Threat ID: 6a18604ce29bf47b500b2534
Added to database: 5/28/2026, 3:33:32 PM
Last enriched: 5/28/2026, 3:50:49 PM
Last updated: 5/29/2026, 6:32:16 PM