Monitoring and evaluating vulnerability exploitation is one of the main responsibilities of Sekoia.io's Threat Detection & Research (TDR) team.
Using honeypots, the team monitors traffic targeting edge devices and internet-facing applications.
On 22 July 2025, suspicious network traces appeared in our honeypots, revealing that a cellular router's API was being exploited to send smishing campaigns through malicious SMS messages containing phishing URLs.
Analysis indicates focused targeting of Belgium, with attacks impersonating services such as CSAM and eBox and using the +32 country code.
Logs from Milesight Industrial Cellular Router honeypots revealed POST requests to the /cgi endpoint with JSON payloads explicitly used to send SMS messages.
Traces began in late June 2025, shortly after these honeypots were deployed, and originated exclusively from IP address 212.162.155[.]38 within AS Podaon SIA.
Extracted messages were written in Dutch or French, targeted Belgian numbers (+32), and used typosquatted domains of legitimate Belgian services.
No evidence of backdoors or other device exploitation was observed, indicating an operation aimed solely at SMS-based phishing.
Vulnerability Overview
The logs showed use of a valid authentication cookie, though the password could not be decrypted using the AES keys known from CVE-2023-43261 exploitation techniques.
A Medium post by Bipin Jitiya detailed that several Milesight routers exposed encrypted admin credentials and sensitive logs over HTTP.
However, our tests revealed that many routers allow unauthenticated access to SMS features, enabling attackers to retrieve inbox/outbox data or send messages without any authentication.
Unauthenticated POST requests to /cgi using parameters such as query_outbox or query_inbox return JSON objects with timestamps, message content, recipient numbers, and status indicators (success or failed).
A high volume of "failed" statuses suggests attackers first test routers against phone numbers they control before launching mass campaigns, an operational fingerprint that may aid clustering and detection.
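As an added defender-side example (not code from the Sekoia report or from this page), the Python below triages constructed honeypot records for POST /cgi requests that carry the query_inbox or query_outbox parameters, and summarises a constructed outbox dump along the lines of the fingerprint just described: the share of failed sends and how concentrated the recipients are on one dialling prefix. The record layout, every JSON key other than the two query parameters, and all sample values are assumptions.

```python
import json
from collections import Counter

# Constructed honeypot records, not data from the Sekoia/GBHackers report.
# Each tuple is (source IP, request line, body). The body keys query_inbox and
# query_outbox are named on the page; every other value here is made up.
SAMPLE_REQUESTS = [
    ("198.51.100.9", "POST /cgi HTTP/1.1", '{"query_outbox": 1}'),
    ("198.51.100.9", "POST /cgi HTTP/1.1", '{"query_inbox": 1}'),
    ("192.0.2.5", "GET /index.html HTTP/1.1", ""),
    ("192.0.2.5", "POST /cgi HTTP/1.1", "not json at all"),
]

# Constructed outbox entries in the shape the page describes (timestamp,
# content, recipient number, status); the key names are assumptions.
SAMPLE_OUTBOX = [
    {"time": "09:58:01", "to": "+32470000001", "content": "test", "status": "failed"},
    {"time": "09:58:07", "to": "+32470000001", "content": "test", "status": "failed"},
    {"time": "09:58:20", "to": "+32470000002", "content": "test", "status": "failed"},
    {"time": "11:30:00", "to": "+32480000010", "content": "eBox: nieuw bericht", "status": "success"},
    {"time": "11:30:01", "to": "+32480000011", "content": "eBox: nieuw bericht", "status": "success"},
    {"time": "11:30:02", "to": "+33600000001", "content": "eBox: nouveau message", "status": "success"},
]

SMS_QUERY_KEYS = {"query_inbox", "query_outbox"}

def flag_sms_api_requests(requests):
    """Return (ip, key) for each POST to /cgi whose JSON body names an SMS query."""
    hits = []
    for ip, request_line, body in requests:
        if not request_line.startswith("POST /cgi"):
            continue
        try:
            payload = json.loads(body)
        except json.JSONDecodeError:
            continue  # non-JSON bodies are outside this rule
        if isinstance(payload, dict):
            hits.extend((ip, key) for key in sorted(set(payload) & SMS_QUERY_KEYS))
    return hits

def outbox_fingerprint(outbox, prefix_len=3):
    """Share of failed sends plus recipient concentration on one dialling prefix
    ('+' and two digits, an assumption that fits the European codes on the page)."""
    total = len(outbox)
    failed = sum(1 for e in outbox if e["status"] == "failed")
    top_prefix, top_count = Counter(e["to"][:prefix_len] for e in outbox).most_common(1)[0]
    return {"failed_ratio": failed / total, "top_prefix": top_prefix,
            "top_prefix_share": top_count / total}
```

A burst of failed sends to one or two numbers followed by successes concentrated on a single prefix is the pattern to alert on; the thresholds are for the analyst to tune.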
Scope of Vulnerable Assets
A Shodan search identified over 19,000 Milesight Industrial Cellular Routers exposed on the public internet, nearly half located in Australia, with France and Turkey also heavily represented.
Of 6,643 checked devices, 572 permitted unauthenticated API access, many running outdated firmware (32.2.x.x, 32.3.x.x).
Europe accounts for nearly half of the vulnerable routers, facilitating reliable SMS delivery to European phone numbers and explaining the disproportionate targeting of that region.

Smishing campaigns exploiting this vulnerability date back to February 2022. Collected SMS samples clustered by campaign reveal simultaneous mass messaging to 42,044 Swedish and 31,353 Italian numbers, while Belgian and French targets faced repeated, distinct campaigns.
Belgian messages impersonated CSAM and eBox, presenting fake notifications that demanded immediate attention via malicious links.

French campaigns mimicked services such as Ameli, La Poste, GLS, and Crédit Agricole, using varied pretexts ranging from health card renewals to banking security alerts.
Phishing Infrastructure
The attacker's infrastructure relies on domains registered through NameSilo and hosting by Podaon SIA. In Belgium-focused campaigns, domains like csam.ebox-login[.]xyz and ebox.csam-trust[.]xyz resolved to Podaon IPs and remain active.
![ebox.csam-trust[.]xyz url scan analysis.](https://gbhackers.com/wp-content/uploads/2025/09/image5-1024x461-1.png)
Phishing pages check for mobile environments via a JavaScript file, "detect_device.js", to evade desktop sandboxes.
Broader campaigns used the jnsi[.]xyz domain cluster under Russian AS211860, impersonating services from Netflix to Telia, with obfuscated scripts (GroozaV2) hindering analysis.
This campaign underscores how simple, accessible infrastructure, in this case vulnerable cellular routers, can be weaponized for highly effective smishing operations at scale.
By decentralizing SMS distribution across multiple countries, attackers evade detection and sustain profitable phishing campaigns.
Continued vigilance is essential: users must scrutinize unsolicited messages, especially those with shortened URLs, urgent language, or grammatical errors. Awareness and skepticism remain the first line of defense against evolving smishing threats.