InsighthubNews
© 2024 All Rights Reserved | Powered by Insighthub News

Employee searching the pay portal on Google has been tricked into sending pay to hackers

May 27, 2025

Threat hunters have exposed a new campaign that uses search engine optimization (SEO) poisoning techniques to target employee mobile devices and facilitate payroll fraud.

The activity, first detected by ReliaQuest in May 2025, targeted an unnamed customer in the manufacturing sector. It relied on fake login pages to gain access to the employee payroll portal and redirect salary payments to accounts under the threat actors' control.

“The attacker infrastructure uses compromised home office routers and mobile networks to obscure traffic, avoid detection, and slip past traditional security measures,” the cybersecurity company said in an analysis published last week.

“The adversaries target employee mobile devices with fake websites that impersonate the organization’s login page. Armed with stolen credentials, the adversaries gained access to the organization’s payroll portal, changed direct deposit information, and redirected employee salaries to their own accounts.”

The attacks have not been attributed to any particular hacking group, but ReliaQuest said they are part of a wider, ongoing campaign, based on two similar incidents it investigated in late 2024.

It all starts when employees search for their company’s payroll portal on a search engine like Google. Those who click on a fraudulent result are taken to a WordPress site that, when visited from a mobile device, redirects to a phishing page mimicking the Microsoft login portal.

Credentials entered into the fake landing page are exfiltrated to an attacker-controlled website, which establishes a two-way WebSocket connection via the Pusher push-notification API to alert the threat actors the moment a password is captured.

This gives the attackers the opportunity to reuse the credentials before they are changed and gain unauthorized access to the payroll system.

Targeting employee mobile devices also offers two advantages: such devices typically lack the enterprise-grade security controls found on desktop computers, and they connect from outside the corporate network, which reduces visibility and hinders investigation.

“By targeting unsecured mobile devices lacking security solutions and logging, this tactic not only avoids detection but also disrupts efforts to analyze phishing websites,” ReliaQuest said. “This further complicates mitigation efforts, preventing security teams from scanning the sites and adding them to indicator of compromise (IoC) threat feeds.”
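The redirect chain described above only fires for mobile browsers, which is why a desktop scan of the WordPress page looks clean. The following is an added example, not code from the article or from ReliaQuest: it models a User-Agent-gated redirector (benign page for desktops and scanners, redirect to a lookalike login page for mobiles) and the multi-User-Agent probe an analyst can run to expose the divergence. The hostnames, paths and User-Agent strings are constructed for the demo; `http_origin` is an optional live transport using only `urllib` and is not exercised here.

```python
"""Added example, not from the article or ReliaQuest: a model of a
User-Agent-gated redirect and a probe that detects it by fetching the same URL
under several User-Agents and comparing where each one ends up."""
import re
import urllib.error
import urllib.request
from typing import Callable, Optional
from urllib.parse import urlsplit

# An origin takes (url, request_headers) and returns (status, headers, body),
# or None when the URL is on a host it will not fetch.
Origin = Callable[[str, dict], Optional[tuple[int, dict, str]]]

REDIRECTS = {301, 302, 303, 307, 308}
MOBILE_UA = re.compile(r"Android|iPhone|iPad|Mobile", re.IGNORECASE)

# Constructed hosts: the "compromised blog" and the lure it forwards mobiles to.
SITE = "https://blog-example.invalid"
LANDING = SITE + "/2025/05/payroll-portal/"
LURE = "https://login-example.invalid/common/oauth2/authorize"

PROBE_UAS = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1",
    "android": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 Chrome/124.0 Mobile Safari/537.36",
}


def is_mobile(user_agent: str) -> bool:
    """The attacker's gate: crude mobile detection on the User-Agent header."""
    return bool(MOBILE_UA.search(user_agent or ""))


def cloaking_origin(url: str, headers: dict) -> Optional[tuple[int, dict, str]]:
    """Simulated redirector: serve harmless content to desktops, redirect mobiles."""
    if urlsplit(url).netloc != urlsplit(SITE).netloc:
        return None  # off-site hop: the probe records it and stops following
    if url != LANDING:
        return 404, {}, "Not Found"
    if is_mobile(headers.get("User-Agent", "")):
        return 302, {"Location": LURE}, ""
    return 200, {}, "<html><body>Payroll tips for small businesses</body></html>"


def http_origin(url: str, headers: dict, timeout: float = 10.0) -> Optional[tuple[int, dict, str]]:
    """Live transport for real analysis: one hop, redirects are returned, not followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # makes urllib raise HTTPError for 3xx instead of following
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=timeout) as r:
            return r.status, dict(r.headers), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), ""


def follow(url: str, user_agent: str, origin: Origin, max_hops: int = 5) -> list[str]:
    """Follow redirects against `origin`, returning the chain of URLs visited."""
    chain = [url]
    for _ in range(max_hops):
        resp = origin(url, {"User-Agent": user_agent})
        if resp is None:
            break
        status, headers, _body = resp
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status in REDIRECTS and location:
            url = location
            chain.append(url)
        else:
            break
    return chain


def probe(url: str, origin: Origin, user_agents: dict[str, str]) -> dict[str, list[str]]:
    """Fetch the same URL under each User-Agent and keep every redirect chain."""
    return {label: follow(url, ua, origin) for label, ua in user_agents.items()}


def cloaking_report(results: dict[str, list[str]]) -> dict:
    """Group User-Agents by final destination; more than one group means cloaking."""
    by_final: dict[str, list[str]] = {}
    for label, chain in results.items():
        by_final.setdefault(chain[-1], []).append(label)
    return {"cloaked": len(by_final) > 1, "destinations": by_final}


if __name__ == "__main__":
    res = probe(LANDING, cloaking_origin, PROBE_UAS)
    for label, chain in res.items():
        print(f"{label:8} -> {' -> '.join(chain)}")
    print(cloaking_report(res))
```

Against a live site, pass `http_origin` instead of `cloaking_origin` and run the probe from a network the site has no reason to trust, since a kit that also fences on source IP or geography (as discussed later for CoGUI) will cloak from a known scanner range regardless of User-Agent.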

In a further evasion attempt, the malicious login attempts were found to originate from residential IP addresses associated with home office routers, including brands such as Asus and Pakedge.

This indicates that the threat actors are exploiting security flaws, default credentials, or weaknesses such as susceptibility to brute-force attacks that plague such network devices. The compromised routers are infected with malware and enlisted into a proxy botnet that is then rented out to cybercriminals.

“When attackers use proxy networks, particularly networks tied to residential or mobile IP addresses, it becomes much more difficult for an organization to detect and investigate,” ReliaQuest said. “Unlike VPN IP addresses, which are often flagged because of previous abuse, a residential or mobile IP address allows attackers to fly under the radar and avoid being classified as malicious.”

“In addition, proxy networks allow attackers to make traffic appear to come from the same geographical location as the target organization, bypassing security measures designed to flag logins from unusual or suspicious locations.”
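Because the proxied sign-in geolocates to the victim's own city, a rule that only flags unusual locations never fires. The following is an added example, not code from the article or from ReliaQuest, showing a correlation that does not depend on geography: a direct-deposit change shortly after a sign-in from a device or network the user has never used before, with residential or mobile ASN types as an extra signal. The log records are constructed, and the field names and the `asn_type` label are assumptions about what an identity provider or payroll audit log would export.

```python
"""Added example, not from the article or ReliaQuest: flag payroll
direct-deposit changes that follow a sign-in from unfamiliar infrastructure,
regardless of whether the sign-in location looks normal."""
from collections import defaultdict
from datetime import datetime, timedelta

CHANGE_WINDOW = timedelta(minutes=30)        # change this soon after sign-in is worth a look
RISKY_ASN_TYPES = {"residential", "mobile"}  # the proxy pools described in the article

# Constructed audit events (assumed schema). alice's third sign-in is the attacker:
# same city as her real logins, but a residential ISP and a never-seen device,
# followed by a deposit change three minutes later.
EVENTS = [
    {"ts": "2025-05-01T09:02:11Z", "user": "alice", "event": "login_ok", "ip": "203.0.113.10",
     "asn": "AS64500", "asn_type": "business", "device": "dev-laptop-a1", "geo": "Detroit,US"},
    {"ts": "2025-05-08T08:58:40Z", "user": "alice", "event": "login_ok", "ip": "203.0.113.10",
     "asn": "AS64500", "asn_type": "business", "device": "dev-laptop-a1", "geo": "Detroit,US"},
    {"ts": "2025-05-14T13:21:05Z", "user": "alice", "event": "login_ok", "ip": "198.51.100.77",
     "asn": "AS64496", "asn_type": "residential", "device": "dev-unknown-9f", "geo": "Detroit,US"},
    {"ts": "2025-05-14T13:24:30Z", "user": "alice", "event": "direct_deposit_changed", "ip": "198.51.100.77",
     "asn": "AS64496", "asn_type": "residential", "device": "dev-unknown-9f", "geo": "Detroit,US",
     "new_account_last4": "4421"},
    # bob updates his own details from his usual laptop and network: no alert expected.
    {"ts": "2025-05-10T10:00:00Z", "user": "bob", "event": "login_ok", "ip": "203.0.113.22",
     "asn": "AS64500", "asn_type": "business", "device": "dev-laptop-b7", "geo": "Detroit,US"},
    {"ts": "2025-05-13T11:15:00Z", "user": "bob", "event": "login_ok", "ip": "203.0.113.22",
     "asn": "AS64500", "asn_type": "business", "device": "dev-laptop-b7", "geo": "Detroit,US"},
    {"ts": "2025-05-13T11:40:00Z", "user": "bob", "event": "direct_deposit_changed", "ip": "203.0.113.22",
     "asn": "AS64500", "asn_type": "business", "device": "dev-laptop-b7", "geo": "Detroit,US",
     "new_account_last4": "9003"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events: list[dict], window: timedelta = CHANGE_WINDOW) -> list[dict]:
    """Return one alert per deposit change that follows a sign-in from unfamiliar infrastructure."""
    seen_devices, seen_asns = defaultdict(set), defaultdict(set)
    last_login: dict[str, tuple[datetime, dict, list[str]]] = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user = e["user"]
        if e["event"] == "login_ok":
            # Judge novelty against history *before* this sign-in, then learn from it.
            novelty = []
            if e["device"] not in seen_devices[user]:
                novelty.append(f"first sign-in from device {e['device']}")
            if e["asn"] not in seen_asns[user]:
                novelty.append(f"first sign-in from {e['asn']} ({e['asn_type']})")
            seen_devices[user].add(e["device"])
            seen_asns[user].add(e["asn"])
            last_login[user] = (parse_ts(e["ts"]), e, novelty)
        elif e["event"] == "direct_deposit_changed":
            ts = parse_ts(e["ts"])
            login = last_login.get(user)
            reasons = []
            if login is None:
                reasons.append("deposit change with no preceding sign-in in the log")
            else:
                login_ts, login_ev, novelty = login
                if ts - login_ts <= window:
                    minutes = int((ts - login_ts).total_seconds() // 60)
                    reasons.append(f"change {minutes} min after sign-in")
                    reasons.extend(novelty)
                    if login_ev["asn_type"] in RISKY_ASN_TYPES:
                        reasons.append(f"sign-in via {login_ev['asn_type']} network")
            # Timing alone is normal (people edit details right after logging in);
            # alert only when it coincides with something unfamiliar.
            if login is None or len(reasons) >= 2:
                alerts.append({"user": user, "ts": e["ts"], "geo": e["geo"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"{alert['ts']} {alert['user']} ({alert['geo']}): " + "; ".join(alert["reasons"]))
```

The `asn_type` signal is deliberately not sufficient on its own: remote staff sign in from residential ISPs every day, so it only adds weight when the device or network is also new to that user and the change follows quickly. A first-ever sign-in for a user will also look novel, so seed the baseline from historical logs before turning this on.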

The disclosure comes as Hunt.io detailed a phishing campaign that uses a fake Adobe Shared Files service web page to steal Microsoft Outlook login credentials from contacts under the pretext of giving them access to allegedly shared files. The company-specific pages are built using the W3LL phishing kit.

It also coincides with the discovery of a new phishing kit codenamed CoGUI, which is used to target Japanese organizations by impersonating well-known consumer and financial brands such as Amazon, PayPay, MyJCB, Apple, Orico, and Rakuten. As many as 580 million emails were sent between January and April 2025 as part of campaigns using the kit.

“CoGUI is a sophisticated kit that employs advanced evasion techniques such as geofencing, header fencing, and fingerprinting to avoid detection by automated browsing systems and sandboxes,” enterprise security firm Proofpoint said in an analysis released this month. “The purpose of the campaigns is to steal usernames, passwords, and payment data.”

The phishing emails observed in the attacks contain links that lead to a phishing website designed to harvest credentials. It is worth noting, however, that the CoGUI campaigns do not include the ability to collect multi-factor authentication (MFA) codes.

CoGUI is said to have been in use since at least October 2024 and is believed to share similarities with another well-known phishing toolkit codenamed Darcula.

That said, one important aspect separating CoGUI from Darcula is that the latter focuses on mobile devices and smishing, with the aim of stealing credit card details.

“Darcula is more accessible, both in terms of cost and availability, and could pose a major threat in the future,” Proofpoint told The Hacker News in a statement. “Lucid, on the other hand, continues to stay under the radar. It remains difficult to identify phishing kits simply by looking at SMS messages and URL patterns, since they use common delivery services.”

Another new customizable smishing kit, Panda Shop, has emerged from China’s cybercrime landscape. It uses a network of Telegram channels and interactive bots to automate service delivery. Its phishing pages are designed to mimic popular brands and government services in order to steal personal information, and intercepted credit card data is sent to underground carding shops and sold to other cybercriminals.

“The Chinese cybercrime syndicates involved in smishing are especially brazen because they feel untouchable,” Resecurity said. “They emphasize in their communications that they don’t care about US law enforcement. Because they live in China, they enjoy full freedom of action and engage in many illegal activities.”

Resecurity, which identified Panda Shop in March 2025, said the threat actors operate a criminal model similar to that of the Smishing Triad, offering customers the ability to distribute smishing messages via Apple iMessage and Android RCS using compromised Apple and Gmail accounts purchased in bulk.

Panda Shop is believed to include Smishing Triad members, based on the similarity of the phishing kits used. Several threat actors have also been observed using smishing kits that target Google Wallet and Apple Pay.

“The actors behind the smishing campaigns are closely linked to actors involved in merchant fraud and money laundering activities,” Resecurity said. “Smishing is one of the main catalysts behind carding activities and provides cybercriminals with a substantial amount of data collected from victims.”
