Silent Smishing: The Hidden Abuse of Cellular Router APIs

Oct. 1, 2025, 9:33 a.m.

Description

This report analyzes a smishing campaign exploiting vulnerabilities in Milesight Industrial Cellular Routers to send malicious SMS messages. The attackers primarily targeted Belgian users by impersonating government services like CSAM and eBox. Over 18,000 vulnerable routers were identified globally, with at least 572 potentially exploitable. The campaign has been active since February 2022, affecting multiple European countries. The attackers used NameSilo for domain registration and Podaon SIA for hosting. The phishing infrastructure was linked to a threat actor cluster known as 'GroozaV2'. The report highlights the ongoing threat of smishing and the need for increased vigilance against unsolicited messages.

Date

  • Created: Oct. 1, 2025, 8 a.m.
  • Published: Oct. 1, 2025, 8 a.m.
  • Modified: Oct. 1, 2025, 9:33 a.m.

Indicators


Attack Patterns

Additional Information

  • Telecommunications
  • Government
  • Hungary
  • Sweden
  • Belgium
  • Portugal
  • Norway
  • Italy
  • France

Linked vulnerabilities