Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns
Since January 2025, researchers have identified over 2,500 phishing domains targeting more than 70 organizations across the financial services, telecommunications, and logistics sectors globally. Two dominant smishing campaigns were discovered: Reward Points phishing impersonating banks and telecom providers, and Failed Parcel Delivery phishing mimicking logistics companies. Despite their different themes, both campaigns share infrastructure and use the Phoenix System administrative panel, a successor to the Mouse System. This Phishing-as-a-Service platform offers real-time victim monitoring, geofencing, IP-based filtering, and live-phishing interventions to bypass multi-factor authentication. The platform is distributed via Telegram channels for approximately $2,000 annually, providing threat actors with pre-built templates, traffic filtering mechanisms, and real-time victim management dashboards. Attackers potentially leverage fake Base Transceiver Stations to bypass carrier-level filtering and deliver messages app...
AI Analysis
Technical Summary
The Phoenix Rising campaign involves a Phishing-as-a-Service platform called the Phoenix System, which facilitates large-scale smishing attacks targeting multiple industries globally. The platform enables attackers to conduct sophisticated phishing campaigns with features like real-time victim tracking, geofencing, IP-based filtering, and live interventions to circumvent multi-factor authentication protections. It is sold via Telegram channels and includes pre-built phishing templates and infrastructure sharing. The campaign themes focus on financial fraud through Reward Points phishing and logistics-related Failed Parcel Delivery phishing. Attackers potentially use fake Base Transceiver Stations to evade carrier filtering mechanisms. This is a criminal infrastructure and service rather than a software vulnerability, and no patches apply.
Potential Impact
The campaign has targeted over 70 organizations worldwide, primarily in financial services, telecommunications, and logistics sectors, aiming to harvest credentials and bypass multi-factor authentication. The use of advanced PhaaS features increases the effectiveness and scale of phishing attacks, potentially leading to significant financial fraud and credential compromise. The ability to bypass MFA and carrier filtering enhances the threat's potency. However, no direct software vulnerability is exploited, and no known exploits in the wild are reported beyond the phishing campaigns themselves.
Mitigation Recommendations
As this threat involves a criminal phishing service rather than a software vulnerability, no patches or official fixes are applicable. Organizations should focus on user awareness training specific to smishing, implement strong anti-phishing controls, and monitor for phishing domains and related infrastructure. Multi-factor authentication remains important, but it should be supplemented with additional detection and prevention mechanisms given the platform's ability to bypass MFA. Network and carrier-level filtering improvements may help, but the attackers' use of fake Base Transceiver Stations complicates this. Continuous threat intelligence monitoring for emerging phishing domains and campaigns is recommended.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.group-ib.com/blog/phoenix-phaas-kit-smishing/
- Adversary: null
- Pulse Id: 69f1fa3e73a0897558593b04
- Threat Score: null
Threat ID: 69f876a6cbff5d861004bd29
Added to database: 5/4/2026, 10:36:22 AM
Last enriched: 5/4/2026, 10:51:21 AM
Last updated: 6/18/2026, 6:47:11 PM