Employees Searching Payroll Portals on Google Tricked Into Sending Paychecks to Hackers

The Hacker News by The Hacker News
May 27, 2025

Threat hunters have exposed a novel campaign that makes use of search engine optimization (SEO) poisoning techniques to target employee mobile devices and facilitate payroll fraud.

The activity, first detected by ReliaQuest in May 2025 targeting an unnamed customer in the manufacturing sector, is characterized by the use of fake login pages to access the employee payroll portal and redirect paychecks into accounts under the threat actor’s control.

“The attacker’s infrastructure used compromised home office routers and mobile networks to mask their traffic, dodging detection and slipping past traditional security measures,” the cybersecurity company said in an analysis published last week.

“The adversary specifically targeted employee mobile devices with a fake website impersonating the organization’s login page. Armed with stolen credentials, the adversary gained access to the organization’s payroll portal, changed direct deposit information, and redirected employees’ paychecks into their own accounts.”

While the attacks have not been attributed to a specific hacking group, ReliaQuest assesses that they are part of a broader, ongoing campaign, based on two similar incidents it investigated in late 2024.

It all starts when an employee searches for their company’s payroll portal on a search engine such as Google, where deceptive lookalike websites have been pushed to the top of the results via sponsored links. Those who click on the bogus links are led to a WordPress site that, when visited from a mobile device, redirects to a phishing page mimicking a Microsoft login portal.

The credentials entered on the fake landing page are exfiltrated to an attacker-controlled website, and the page also opens a two-way WebSocket connection, using a push-notification API powered by Pusher, to alert the threat actor the moment new passwords are captured.

This lets the attackers reuse the credentials immediately, before they are changed, and gain unauthorized access to the payroll system.

On top of that, targeting employee mobile devices offers two advantages: such devices typically lack the enterprise-grade security controls found on desktop computers, and they connect from outside the corporate network, which reduces visibility and hampers investigation efforts.

“By targeting unprotected mobile devices that lack security solutions and logging, this tactic not only evades detection but also disrupts efforts to analyze the phishing website,” ReliaQuest said. “This prevents security teams from scanning the site and adding it to indicators of compromise (IOC) threat feeds, further complicating mitigation efforts.”

In a further attempt to sidestep detection, the malicious login attempts have been found to originate from residential IP addresses associated with home office routers, including those from brands like ASUS and Pakedge.

This indicates that the threat actors are exploiting weaknesses that often plague such network devices, such as security flaws, default credentials, or other misconfigurations, to launch brute-force attacks. Compromised routers are then infected with malware that enlists them into proxy botnets, which are in turn rented out to cybercriminals.

“When attackers use proxy networks, especially ones tied to residential or mobile IP addresses, they become much harder for organizations to detect and investigate,” ReliaQuest said. “Unlike VPNs, which are often flagged because their IP addresses have been abused before, residential or mobile IP addresses let attackers fly under the radar and avoid being classified as malicious.”

“What’s more, proxy networks allow attackers to make their traffic look like it originates from the same geographical location as the target organization, bypassing security measures designed to flag logins from unusual or suspicious locations.”
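As an added illustration (not code from the article or from ReliaQuest), here is a detection check written from the defender's side for the attack chain and the proxy evasion described above: because residential proxies let the attacker's logins match the organization's usual geography, the rule ignores location and instead flags a direct-deposit change that follows a login from a device the employee has never used before. The event fields, the sample events and the two-hour window are constructed assumptions, not values from the incident.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed format, not from the article): alice's usual
# phone logs in early in the month; later a never-seen device logs in and changes
# her direct deposit within minutes. Geo matches in both cases, which is exactly
# the signal a residential proxy defeats, so the rule never looks at it.
LOGINS = [
    {"user": "alice", "ts": "2025-05-01T08:02:00", "device": "iphone-a1b2", "geo": "US-OH"},
    {"user": "alice", "ts": "2025-05-12T09:15:00", "device": "android-zz99", "geo": "US-OH"},
    {"user": "bob",   "ts": "2025-05-12T09:20:00", "device": "pixel-7c7c", "geo": "US-OH"},
]
CHANGES = [
    {"user": "alice", "ts": "2025-05-12T09:21:00", "field": "direct_deposit"},
    {"user": "bob",   "ts": "2025-05-12T11:00:00", "field": "phone_number"},
]


def _t(s):
    return datetime.fromisoformat(s)


def known_devices(logins, user, before):
    """Devices this user logged in from strictly before the given time."""
    return {l["device"] for l in logins if l["user"] == user and _t(l["ts"]) < before}


def flag_payroll_changes(logins, changes, window=timedelta(hours=2)):
    """Alert on a direct-deposit change made within `window` of a login from a
    device the user had never used before. A brand-new account's first login
    also trips the rule, which is acceptable for a change this sensitive."""
    alerts = []
    for c in changes:
        if c["field"] != "direct_deposit":
            continue
        cts = _t(c["ts"])
        for l in logins:
            lts = _t(l["ts"])
            if l["user"] != c["user"] or not (cts - window <= lts <= cts):
                continue
            if l["device"] not in known_devices(logins, l["user"], lts):
                alerts.append({"user": c["user"], "device": l["device"],
                               "login_ts": l["ts"], "change_ts": c["ts"]})
    return alerts


if __name__ == "__main__":
    for a in flag_payroll_changes(LOGINS, CHANGES):
        print("ALERT direct-deposit change after new-device login:", a)
```

In production the device identifier would come from the payroll portal's session or device-binding data, and the alert should trigger a hold on the payout rather than just a ticket.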

The disclosure comes as Hunt.io detailed a phishing campaign that employs a fake Adobe Shared File service web page to steal Microsoft Outlook login credentials under the pretext of allowing access to files purportedly shared by a contact. The pages, per the company, are developed using the W3LL phishing kit.

It also coincides with the discovery of a new phishing kit codenamed CoGUI that’s being used to actively target Japanese organizations by impersonating well-known consumer and finance brands such as Amazon, PayPay, MyJCB, Apple, Orico, and Rakuten. As many as 580 million emails have been sent between January and April 2025 as part of campaigns using the kit.

“CoGUI is a sophisticated kit that employs advanced evasion techniques, including geofencing, headers fencing, and fingerprinting to avoid detection from automated browsing systems and sandboxes,” enterprise security firm Proofpoint said in an analysis released this month. “The objective of the campaigns is to steal usernames, passwords, and payment data.”

The phishing emails observed in the attacks include links that lead to credential-phishing websites. Notably, however, CoGUI campaigns do not include capabilities to collect multi-factor authentication (MFA) codes.

CoGUI is said to have been in use since at least October 2024, and is believed to share some similarities with another well-known phishing toolkit codenamed Darcula – suggesting that CoGUI could be part of the same Chinese phishing-as-a-service (PhaaS) ecosystem, dubbed Smishing Triad, that also includes Lucid and Lighthouse.

That said, one crucial aspect that separates Darcula from CoGUI is that the former is focused more on mobile and smishing, and aims to steal credit card details.

“Darcula is becoming more accessible, both in terms of cost and availability, so it could pose a significant threat in the future,” PRODAFT told The Hacker News in a statement. “On the other hand, Lucid continues to stay under the radar. It remains challenging to identify phishing kits just by looking at SMS messages or URL patterns, as they often use common delivery services.”

Another new customizable smishing kit that has emerged out of the Chinese cybercrime landscape is Panda Shop, which uses a network of Telegram channels and interactive bots to automate service delivery. The phishing pages are designed to mimic popular brands and government services to steal personal information. Intercepted credit card data is sent to underground carding shops and sold to other cybercriminals.

“Notably, the Chinese cybercriminal syndicates involved in smishing are brazen because they feel untouchable,” Resecurity said. “They have emphasized in their communications that they do not care about U.S. law enforcement agencies. Residing in China, they enjoy complete freedom of action and engage in many illegal activities.”

Resecurity, which identified Panda Shop in March 2025, said the threat actor operates a crime-as-a-service model similar to that of Smishing Triad, offering customers the ability to distribute smishing messages via Apple iMessage and Android RCS using compromised Apple and Gmail accounts purchased in bulk.

It’s believed that Panda Shop includes Smishing Triad members, based on the similarities in the phishing kits used. A number of threat actors have also been observed leveraging the smishing kit for Google Wallet and Apple Pay fraud.

“The actors behind smishing campaigns are tightly connected with those involved in merchant fraud and money laundering activity,” Resecurity said. “Smishing is one of the main catalysts behind carding activities, providing cybercriminals with substantial volumes of compromised data collected from victims.”
