Exposing a Smishing campaign across 19 countries: 1,628 malicious URLs tied to a single 128-char HTML fingerprint
A large-scale smishing campaign has been exposed involving 1,628 malicious URLs linked by a unique 128-character HTML fingerprint. This campaign spans 19 countries and uses infrastructure distributed across multiple cloud providers including Tencent Cloud, Alibaba Cloud, Cloudflare anycast, and ALEXHOST Moldova. The campaign targets users via SMS phishing (smishing) with URLs designed to deceive recipients. The detection artifact is a consistent metadata hash found on all phishing pages, facilitating identification. There is no information about active exploitation or patches since this is a threat campaign rather than a software vulnerability.
AI Analysis
Technical Summary
This threat describes a smishing campaign distributing 1,628 malicious URLs across 19 countries. The URLs share a unique 128-character HTML fingerprint, allowing correlation of the campaign infrastructure. The backend IPs are hosted on Tencent Cloud, Alibaba Cloud, Cloudflare anycast, and ALEXHOST Moldova, indicating a distributed infrastructure. The campaign is identified through a metadata hash present on all phishing pages. The source information comes from a Reddit post linking to a detailed blog report by Hunt.io. No CVE or patch information is associated since this is a phishing campaign rather than a software vulnerability.
Potential Impact
The campaign potentially exposes users in 19 countries to SMS phishing attacks that could lead to credential theft, fraud, or other social engineering impacts. The distributed infrastructure across multiple cloud providers complicates takedown efforts. There is no direct indication of exploitation in the wild beyond the campaign's existence. The impact is primarily on end users targeted by smishing messages and organizations whose users may be affected.
Mitigation Recommendations
No official patch or fix applies as this is a phishing campaign. Mitigation should focus on user awareness to recognize smishing attempts and blocking or blacklisting the identified malicious URLs using the 128-character HTML fingerprint as a detection artifact. Network defenders can leverage the metadata hash to detect and filter related phishing pages. Monitoring and collaboration with cloud providers hosting the infrastructure may assist in takedown efforts. Since no vendor advisory or patch is available, follow updates from threat intelligence sources for further guidance.
Exposing a Smishing campaign across 19 countries: 1,628 malicious URLs tied to a single 128-char HTML fingerprint
Description
A large-scale smishing campaign has been exposed involving 1,628 malicious URLs linked by a unique 128-character HTML fingerprint. This campaign spans 19 countries and uses infrastructure distributed across multiple cloud providers including Tencent Cloud, Alibaba Cloud, Cloudflare anycast, and ALEXHOST Moldova. The campaign targets users via SMS phishing (smishing) with URLs designed to deceive recipients. The detection artifact is a consistent metadata hash found on all phishing pages, facilitating identification. There is no information about active exploitation or patches since this is a threat campaign rather than a software vulnerability.
Reddit Discussion
1,628 phishing URLs across 33 backend IPs mapped from a single domain pivot. Infrastructure spans Tencent Cloud (15 IPs), Alibaba Cloud (3 IPs), Cloudflare anycast (14 IPs), and ALEXHOST Moldova (2 IPs).
Detection artifact: 128-character metadata hash present in every phishing page. HuntSQL queries included in the report below:
https://hunt.io/blog/massive-smishing-campaign-governments-postal-telecoms
Links cited in this discussion
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat describes a smishing campaign distributing 1,628 malicious URLs across 19 countries. The URLs share a unique 128-character HTML fingerprint, allowing correlation of the campaign infrastructure. The backend IPs are hosted on Tencent Cloud, Alibaba Cloud, Cloudflare anycast, and ALEXHOST Moldova, indicating a distributed infrastructure. The campaign is identified through a metadata hash present on all phishing pages. The source information comes from a Reddit post linking to a detailed blog report by Hunt.io. No CVE or patch information is associated since this is a phishing campaign rather than a software vulnerability.
Potential Impact
The campaign potentially exposes users in 19 countries to SMS phishing attacks that could lead to credential theft, fraud, or other social engineering impacts. The distributed infrastructure across multiple cloud providers complicates takedown efforts. There is no direct indication of exploitation in the wild beyond the campaign's existence. The impact is primarily on end users targeted by smishing messages and organizations whose users may be affected.
Mitigation Recommendations
No official patch or fix applies as this is a phishing campaign. Mitigation should focus on user awareness to recognize smishing attempts and blocking or blacklisting the identified malicious URLs using the 128-character HTML fingerprint as a detection artifact. Network defenders can leverage the metadata hash to detect and filter related phishing pages. Monitoring and collaboration with cloud providers hosting the infrastructure may assist in takedown efforts. Since no vendor advisory or patch is available, follow updates from threat intelligence sources for further guidance.
Technical Details
- Source Type
- Subreddit
- blueteamsec+AskNetsec+Information_Security
- Reddit Score
- 0
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Post Type
- link
- Domain
- null
- Newsworthiness Assessment
- {"score":30,"reasons":["external_link","newsworthy_keywords:campaign","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["campaign"],"foundNonNewsworthy":[]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 6a171959e29bf47b50d00703
Added to database: 5/27/2026, 4:18:33 PM
Last enriched: 5/27/2026, 4:18:46 PM
Last updated: 5/27/2026, 8:50:17 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.