A new and advanced smishing kit, known as Panda Shop, has recently surfaced from China, enabling cybercriminals to steal sensitive financial information, including Google Pay, Apple Pay, and credit card details. This development marks a significant evolution in smishing tactics, combining sophisticated social engineering techniques with modern messaging platforms to deceive victims.
Advanced Social Engineering Tactics
Panda Shop employs highly refined social engineering strategies by impersonating reputable organizations such as the United States Postal Service (USPS), DHL, and major banking institutions. The kit generates phishing pages that closely mimic the legitimate websites of these organizations, making them nearly indistinguishable to users accessing them via mobile devices. This level of authenticity increases the likelihood of victims divulging their personal and financial information.
Massive Scale of Operations
Researchers from Resecurity identified the Panda Shop kit on March 22, 2025. They observed that the operators behind this kit have the capability to dispatch up to 2 million smishing messages daily. This scale of operation suggests that Chinese cybercriminals could potentially target up to 60 million individuals each month, which is equivalent to reaching every person in the United States twice per year.
Connections to Previous Cybercriminal Groups
The Panda Shop operation appears to be linked to, or possibly a rebranding of, the previously identified Smishing Triad group. Analysts from Resecurity noted that the kit’s structure and scripting scenarios closely resemble those used by the Smishing Triad, albeit with specific enhancements and newly supported templates. The operators have expressed a lack of concern regarding law enforcement, explicitly stating that they have no fear of the FBI and consider themselves beyond reach due to their location in China.
Technical Operations and Evasion Techniques
What distinguishes Panda Shop from earlier smishing kits is its sophisticated use of modern messaging platforms. Instead of relying solely on traditional SMS, the kit primarily utilizes Google Rich Communication Services (RCS) and Apple iMessage for message delivery. These internet-based communication platforms offer cybercriminals enhanced tools for crafting convincing attacks, better engagement features, and more advanced methods of deception compared to traditional SMS-based approaches.
The kit also employs detection evasion techniques that abuse legitimate IP reputation services. Resecurity identified that the operators use an API key from IP Registry Co. to check whether a visitor is a genuine potential victim rather than a security researcher or an automated scanner. This tactic helps the attackers avoid detection by cybersecurity researchers and reduces the chance of the phishing pages being flagged by anti-phishing solutions.
When a victim provides the requested personal information and credit card data, it is transmitted directly to the cybercriminals. The kit also supports One-Time Password (OTP) collection capabilities similar to the previously documented EvilProxy phishing platform. This feature allows attackers to establish live sessions with victims, effectively bypassing multi-factor authentication systems.
Indicators of Chinese Origin
Analysis of exposed configuration files revealed a Shanghai time zone setting and references to NACOS, a Chinese service management platform developed by Alibaba. These findings confirm the Chinese origin of the threat actors behind Panda Shop. Additionally, the domain associated with the kit was registered through Beijing Lanhai Jiye Technology Co., Ltd., a registrar previously accused by the Internet Corporation for Assigned Names and Numbers (ICANN) of severe breaches of its registrar accreditation agreement.
Implications and Recommendations
The emergence of Panda Shop underscores the evolving nature of cyber threats and the increasing sophistication of smishing attacks. Individuals and organizations must remain vigilant and adopt proactive measures to protect against such threats.
Recommendations for Individuals:
1. Be Skeptical of Unsolicited Messages: Exercise caution when receiving unexpected messages, especially those requesting personal or financial information.
2. Verify Sender Authenticity: Contact the organization directly using official contact information to confirm the legitimacy of any request.
3. Avoid Clicking on Suspicious Links: Refrain from clicking on links in unsolicited messages. Instead, navigate to the organization’s official website through a web browser.
4. Enable Multi-Factor Authentication (MFA): Implement MFA on all accounts to add an extra layer of security.
5. Keep Software Updated: Regularly update operating systems and applications to patch known vulnerabilities.
Recommendations for Organizations:
1. Employee Training: Conduct regular training sessions to educate employees about the latest phishing tactics and how to recognize them.
2. Implement Email Filtering: Use advanced email filtering solutions to detect and block phishing attempts.
3. Monitor Network Traffic: Continuously monitor network traffic for unusual activities that may indicate a phishing attack.
4. Develop Incident Response Plans: Establish and regularly update incident response plans to address potential phishing attacks promptly.
5. Collaborate with Cybersecurity Firms: Engage with cybersecurity firms to stay informed about emerging threats and implement recommended security measures.
By adopting these measures, individuals and organizations can enhance their defenses against sophisticated smishing attacks like those facilitated by the Panda Shop kit.