Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns
Since January 2025, a global phishing campaign leveraging the Phoenix System Phishing-as-a-Service (PhaaS) platform has targeted over 70 organizations across financial services, telecommunications, and logistics sectors. The campaign includes two main smishing themes: Reward Points phishing impersonating banks and telecom providers, and Failed Parcel Delivery phishing mimicking logistics companies. The Phoenix System offers advanced features such as real-time victim monitoring, geofencing, IP filtering, and live phishing interventions to bypass multi-factor authentication. Distributed via Telegram channels for about $2,000 annually, it provides threat actors with pre-built templates and traffic filtering to optimize attacks. Attackers may also use fake Base Transceiver Stations to bypass carrier-level message filtering. No official patches or fixes exist as this is a criminal service platform rather than a software vulnerability. The campaign's severity is assessed as medium based on its scope and capabilities.
AI Analysis
Technical Summary
The Phoenix Rising campaign involves a Phishing-as-a-Service platform called the Phoenix System, which facilitates large-scale smishing attacks targeting multiple industries globally. The platform enables attackers to conduct sophisticated phishing campaigns with features like real-time victim tracking, geofencing, IP-based filtering, and live interventions to circumvent multi-factor authentication protections. It is sold via Telegram channels and includes pre-built phishing templates and infrastructure sharing. The campaign themes focus on financial fraud through Reward Points phishing and logistics-related Failed Parcel Delivery phishing. Attackers potentially use fake Base Transceiver Stations to evade carrier filtering mechanisms. This is a criminal infrastructure and service rather than a software vulnerability, and no patches apply.
Potential Impact
The campaign has targeted over 70 organizations worldwide, primarily in financial services, telecommunications, and logistics sectors, aiming to harvest credentials and bypass multi-factor authentication. The use of advanced PhaaS features increases the effectiveness and scale of phishing attacks, potentially leading to significant financial fraud and credential compromise. The ability to bypass MFA and carrier filtering enhances the threat's potency. However, no direct software vulnerability is exploited, and no known exploits in the wild are reported beyond the phishing campaigns themselves.
Mitigation Recommendations
As this threat involves a criminal phishing service rather than a software vulnerability, no patches or official fixes are applicable. Organizations should focus on user awareness training specific to smishing, implement strong anti-phishing controls, and monitor for phishing domains and related infrastructure. Multi-factor authentication remains important but should be supplemented with additional detection and prevention mechanisms given the platform's ability to bypass MFA. Network and carrier-level filtering improvements may help but attackers' use of fake Base Transceiver Stations complicates this. Continuous threat intelligence monitoring for emerging phishing domains and campaigns is recommended.
Indicators of Compromise
- ip: 43.154.31.214
- ip: 43.156.61.150
- ip: 8.220.190.2
- ip: 101.32.186.29
- ip: 156.245.145.174
- ip: 156.245.145.174
- ip: 156.245.146.210
- ip: 156.245.146.210
- ip: 23.95.166.127
- ip: 43.134.12.32
- ip: 43.134.239.46
- ip: 43.163.100.238
- ip: 47.80.64.106
- ip: 47.80.70.114
- ip: 47.80.79.203
- ip: 8.212.128.102
- ip: 8.220.130.133
- url: http://154.91.90.0
- url: http://38.162.114.0
- url: http://43.133.0.0
- url: http://43.134.0.0
- url: http://43.153.0.0
- url: http://43.160.192.0
- url: http://43.162.0.0
- url: http://45.203.220.0
- url: http://47.80.0.0
Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns
Description
Since January 2025, a global phishing campaign leveraging the Phoenix System Phishing-as-a-Service (PhaaS) platform has targeted over 70 organizations across financial services, telecommunications, and logistics sectors. The campaign includes two main smishing themes: Reward Points phishing impersonating banks and telecom providers, and Failed Parcel Delivery phishing mimicking logistics companies. The Phoenix System offers advanced features such as real-time victim monitoring, geofencing, IP filtering, and live phishing interventions to bypass multi-factor authentication. Distributed via Telegram channels for about $2,000 annually, it provides threat actors with pre-built templates and traffic filtering to optimize attacks. Attackers may also use fake Base Transceiver Stations to bypass carrier-level message filtering. No official patches or fixes exist as this is a criminal service platform rather than a software vulnerability. The campaign's severity is assessed as medium based on its scope and capabilities.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Phoenix Rising campaign involves a Phishing-as-a-Service platform called the Phoenix System, which facilitates large-scale smishing attacks targeting multiple industries globally. The platform enables attackers to conduct sophisticated phishing campaigns with features like real-time victim tracking, geofencing, IP-based filtering, and live interventions to circumvent multi-factor authentication protections. It is sold via Telegram channels and includes pre-built phishing templates and infrastructure sharing. The campaign themes focus on financial fraud through Reward Points phishing and logistics-related Failed Parcel Delivery phishing. Attackers potentially use fake Base Transceiver Stations to evade carrier filtering mechanisms. This is a criminal infrastructure and service rather than a software vulnerability, and no patches apply.
Potential Impact
The campaign has targeted over 70 organizations worldwide, primarily in financial services, telecommunications, and logistics sectors, aiming to harvest credentials and bypass multi-factor authentication. The use of advanced PhaaS features increases the effectiveness and scale of phishing attacks, potentially leading to significant financial fraud and credential compromise. The ability to bypass MFA and carrier filtering enhances the threat's potency. However, no direct software vulnerability is exploited, and no known exploits in the wild are reported beyond the phishing campaigns themselves.
Mitigation Recommendations
As this threat involves a criminal phishing service rather than a software vulnerability, no patches or official fixes are applicable. Organizations should focus on user awareness training specific to smishing, implement strong anti-phishing controls, and monitor for phishing domains and related infrastructure. Multi-factor authentication remains important but should be supplemented with additional detection and prevention mechanisms given the platform's ability to bypass MFA. Network and carrier-level filtering improvements may help but attackers' use of fake Base Transceiver Stations complicates this. Continuous threat intelligence monitoring for emerging phishing domains and campaigns is recommended.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.group-ib.com/blog/phoenix-phaas-kit-smishing/"]
- Adversary
- null
- Pulse Id
- 69f1fa3e73a0897558593b04
- Threat Score
- null
Indicators of Compromise
Ip
| Value | Description | Copy |
|---|---|---|
ip43.154.31.214 | CC=HK ASN=AS132203 tencent building kejizhongyi avenue | |
ip43.156.61.150 | CC=SG ASN=AS132203 tencent building kejizhongyi avenue | |
ip8.220.190.2 | CC=SG ASN=ASNone | |
ip101.32.186.29 | CC=HK ASN=AS132203 tencent building kejizhongyi avenue | |
ip156.245.145.174 | CC=HK ASN=AS134548 dxtl tseung kwan o service | |
ip156.245.145.174 | — | |
ip156.245.146.210 | — | |
ip156.245.146.210 | CC=HK ASN=AS134548 dxtl tseung kwan o service | |
ip23.95.166.127 | CC=US ASN=AS36352 colocrossing | |
ip43.134.12.32 | CC=SG ASN=AS132203 tencent building kejizhongyi avenue | |
ip43.134.239.46 | CC=SG ASN=AS132203 tencent building kejizhongyi avenue | |
ip43.163.100.238 | CC=SG ASN=ASNone | |
ip47.80.64.106 | CC=US ASN=ASNone | |
ip47.80.70.114 | CC=US ASN=ASNone | |
ip47.80.79.203 | CC=US ASN=ASNone | |
ip8.212.128.102 | CC=SG ASN=AS45102 alibaba (us) technology co. ltd. | |
ip8.220.130.133 | CC=SG ASN=ASNone |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://154.91.90.0 | — | |
urlhttp://38.162.114.0 | — | |
urlhttp://43.133.0.0 | — | |
urlhttp://43.134.0.0 | — | |
urlhttp://43.153.0.0 | — | |
urlhttp://43.160.192.0 | — | |
urlhttp://43.162.0.0 | — | |
urlhttp://45.203.220.0 | — | |
urlhttp://47.80.0.0 | — |
Threat ID: 69f876a6cbff5d861004bd29
Added to database: 5/4/2026, 10:36:22 AM
Last enriched: 5/4/2026, 10:51:21 AM
Last updated: 5/4/2026, 1:40:06 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.