Threat Actors Imitate Popular Brands in New Malware Distribution Campaigns – gbhackers.com

In a sophisticated resurgence of smishing campaigns, cybercriminals have begun embedding trusted brand names into deceptive URLs and group messaging threads to lure unsuspecting users into downloading malware.
By inserting a familiar company name before the “@” symbol in links, attackers exploit users’ trust in established entities such as FedEx and Microsoft.
Coupled with deceptively aged hostnames and orchestrated group texts, this tactic has led to a surge in successful infections over the past month.
Attackers craft URLs that superficially appear legitimate by placing the name of a well-known brand immediately before an “@” symbol, followed by a non-affiliated domain. In URL syntax, everything between the scheme and the “@” is the optional userinfo component, which browsers ignore when deciding where to connect; the host that is actually contacted is the part after the “@”.

In reality, the true domain, “soogb[.]xin”, hosts the malicious payloads. Victims who click these links are redirected to download trojanized apps or installers that silently install backdoors and credential harvesters.
Several recent group text scams have used this technique, sending simultaneous messages to multiple recipients under the guise of a widespread shipping delay or urgent service update.
Recipients see their own and other people’s phone numbers listed in the group thread, which lends the message a false sense of legitimacy.
One such thread purported to be “FedEx® Ground Reschedule Your Shipment Delivery,” urging users to click a tracking link and confirm rescheduled delivery dates. Instead, the link triggered the download of a remote access trojan.
Beyond URL manipulation, threat actors are registering domain names months in advance to circumvent reputation-based defenses.
These aged hostnames, sometimes registered six to eight months prior to their first use, appear more credible to spam filters and endpoint protection platforms.
By staging their infrastructure, operators ensure that by the time they launch the campaign, the domains have matured enough to avoid automated takedown or flagging.
In multiple instances, attackers have used RCS (Rich Communication Services) features to enhance message presentation on Android devices, displaying company logos and polished user interfaces that mimic official apps.
SMS sender IDs are spoofed to match genuine corporate numbers, further lowering recipients’ suspicion.
Once users follow the deceptive URL, they are prompted to download an Android APK or Windows installer masquerading as a shipping confirmation app or customer support utility.
Behind the scenes, these installers deploy keyloggers and remote access tools such as Orcus RAT and Cerberus Android malware, capable of exfiltrating SMS messages, authentication tokens, and contact lists.
Early analysis indicates that some payloads also include modules for intercepting two-factor authentication codes and propagating through victims’ contact lists via automatic group message invitations.
To defend against this emerging threat, organizations and individuals should:
Adopt mobile security solutions that perform deep URL analysis, including detection of “@”-style obfuscation in links.
Implement network filtering rules to block access to newly created or infrequently used domains.
Educate users about the subtle indicators of malicious URLs, emphasizing that legitimate messages will never redirect through non-brand domains.
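The “deep URL analysis” recommended above comes down to parsing the link the way a browser does and looking at the host after the “@” rather than the brand name in front of it. The following Python is an added example written for this page, not code from the article or from any vendor it mentions. It uses only the standard library, de-fangs “[.]”/“hxxp” notation as used in the article, extracts the real host and the userinfo component, and flags links whose userinfo contains a monitored brand. The sample SMS texts and full URL paths are constructed for illustration; only the brand names and the soogb[.]xin host come from the article.

```python
import re
from urllib.parse import urlsplit

# Brands the article says were impersonated; extend to your own watch list.
BRANDS = {"fedex", "microsoft"}

# Matches plain and de-fanged URLs in free text.
URL_RE = re.compile(r"(?:https?|hxxps?)://[^\s<>\"']+", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn analyst-style de-fanged URLs (hxxp, [.]) back into parseable ones."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").rstrip(".,;:)")


def real_host(url: str) -> str:
    """Host the browser would actually connect to (everything after '@' in netloc)."""
    return (urlsplit(refang(url)).hostname or "").lower()


def userinfo(url: str) -> str:
    """Text between the scheme and '@'; empty when the URL has no userinfo."""
    netloc = urlsplit(refang(url)).netloc
    return netloc.rpartition("@")[0] if "@" in netloc else ""


def brands_in_userinfo(url: str, brands=BRANDS) -> list:
    """Brand names that appear in the userinfo part, i.e. the decoy position."""
    info = userinfo(url).lower()
    return sorted(b for b in brands if b in info)


def analyze(url: str) -> dict:
    """Classify one URL; 'suspicious' only when a brand sits before the '@'."""
    hits = brands_in_userinfo(url)
    return {
        "url": url,
        "host": real_host(url),
        "userinfo": userinfo(url),
        "brands_in_userinfo": hits,
        "verdict": "suspicious" if hits else "ok",
    }


def scan_message(text: str) -> list:
    """Extract every URL from an SMS/RCS body and return the suspicious ones."""
    return [r for r in (analyze(u) for u in URL_RE.findall(text))
            if r["verdict"] == "suspicious"]


# Constructed sample thread (not captured campaign telemetry).
SAMPLE_SMS = (
    "FedEx® Ground Reschedule Your Shipment Delivery. Confirm your new date at "
    "https://www.fedex.com@soogb[.]xin/track/9182 before it is returned."
)

if __name__ == "__main__":
    for hit in scan_message(SAMPLE_SMS):
        print(f"{hit['verdict']}: host={hit['host']} decoy={hit['brands_in_userinfo']}")
    # A genuine link has no userinfo and is left alone.
    print(analyze("https://www.fedex.com/fedextrack/?trknbr=1")["verdict"])
```

The rule is deliberately narrow: a URL with credentials in it is unusual in consumer messaging but not malicious by itself, so the check fires only when a watched brand occupies the userinfo slot. Pair it with the domain-age filtering the article recommends, since `real_host()` gives you the value to look up against a newly-registered-domain feed.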
As this campaign evolves, security teams are urged to monitor for indicators of compromise related to these cleverly formatted links and group message patterns.
Blocking suspicious hostnames at the DNS level and reinforcing SMS gateway filtering with threat intelligence feeds can significantly reduce exposure. Collaboration with mobile carriers to authenticate sender IDs and rapid takedown of malicious infrastructure will be critical to stemming the tide of these deceptive smishing attacks.
Copyright @ 2016 – 2025 GBHackers On Security – All Rights Reserved