Pierluigi Paganini May 06, 2025

Resecurity found a new smishing kit called ‘Panda Shop,’ mimicking Smishing Triad tactics with improved features and new templates.

Resecurity (USA) was the first company to identify the Smishing Triad, a group of Chinese cybercriminals targeting consumers across the globe. In August 2023, our team was able to identify their activity and locate the smishing kit they were using, successfully exploiting a vulnerability, which exposed the threat actors and their infrastructure. Since then, the group has become stealthier and upgraded its tooling, tactics, and procedures (TTPs). A group of this scale is not limited to just one threat actor; it has numerous associates with different roles, blurring its public profile. Such groups leverage a “Crime-as-a-Service” model, enabling other cybercriminals to use their smishing kit and scale operations targeting consumers in different countries.

Resecurity identified a new smishing kit known as ‘Panda Shop,’ based on the same principles used by the Smishing Triad. The kit’s structure and scripting scenarios analyzed by Resecurity mimic the same product but include specific improvements and new supported templates. We identified multiple actors leveraging the Panda Shop smishing kit for Google Wallet and Apple Pay, harvesting traditional credit card and PII data, and intercepting transactions.

The investigators noted that, besides Google RCS and Apple iMessage being used as the primary smishing delivery methods, the group also uses SMS gateways, specialized equipment for network operators. Telemarketing companies also use similar devices to send messages to mobile subscribers for legitimate purposes, which appears to be misused by Chinese cybercriminals in combination with other methods.

According to the latest chatter, one identified threat actor can send up to 2,000,000 smishing messages daily. The negative aspect of this is that cybercriminals have everything needed for this, which may mean that the Smishing Triad and similar groups could easily target up to 60,000,000 victims per month, or 720,000,000 per year, enough to target every person in the US at least twice every year.

The scale of global smishing activity generated by Chinese cybercriminals is impressive. The spectrum of the crimes conducted due to smishing ranges from traditional carding and NFC-enabled fraud to money laundering chains, enabling fraudsters to process stolen funds. Based on Resecurity’s engagements with financial institutions globally, this activity generates millions in losses annually.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Panda Shop)