UPDATES
threat
UPDATES
GLOBAL
Group-IB researchers have uncovered a sophisticated, largescale smishing and phishing campaign that has been active since the second half of 2025, using Latin America as its primary operational theatre before expanding globally.
According to the researchers, the campaign has targeted victims across 72 countries spanning the Middle East, Latin America, Europe, Asia- Pacific and North America, while impersonating more than 267 brands across the telecommunications, financial services and other sectors.
The operation is designed to steal sensitive personal information, including full payment card details and personally identifiable information( PII), through highly convincing phishing websites delivered via SMS and other social engineering techniques.
One of the campaign’ s most notable characteristics is its sophisticated anti-analysis architecture. Rather than immediately displaying malicious content, the phishing sites first present visitors with fake Cloudflare error pages, including the familiar“ Error 524” timeout message. The malicious content is only served to victims who meet specific geofencing and mobile device criteria, making the infrastructure significantly more difficult for researchers and automated security tools to analyse.
GLOBAL
Security researchers at Infoblox Threat Intel have uncovered a large-scale cybercriminal ecosystem powered by a Chinese application framework that has enabled fraudsters to rapidly deploy hundreds of thousands of scam websites worldwide.
The discovery follows the collapse of RainbowEx, a fraudulent cryptocurrency investment platform that made international headlines in 2024 after thousands of residents in the Argentine town of San Pedro lost money. According to Infoblox, RainbowEx was not an isolated operation but part of a much larger and highly repeatable scam model.
At the centre of the activity is DCloud Uni-App( DCloud), a crossplatform application development framework that researchers identified as the technical foundation for at least 236,493 unique second-level domains associated with malicious infrastructure. The framework has been used to build and operate a wide range of fraudulent platforms, including fake cryptocurrency exchanges similar to RainbowEx, multilingual pig-butchering scams, WhatsApp phishing campaigns, fake online gambling sites, brand impersonation portals and cryptocurrency wallet drainers.
WWW. INTELLIGENTCISO. COM / MIDDLE-EAST 35