Hackers Hijack Industrial Cellular Routers to Launch Widespread Smishing Campaigns Across Europe

A new report from Sekoia.io’s Threat Detection & Research (TDR) team reveals how attackers are weaponizing industrial cellular routers to launch widespread smishing campaigns across Europe, with Belgium emerging as a primary target.

On July 22, 2025, Sekoia.io honeypots captured “suspicious network traces … revealing that a cellular router’s API was exploited to send malicious SMS messages containing phishing URLs.” These attacks leverage SMS as a phishing delivery vector, commonly referred to as smishing.

The TDR team confirmed that the threat actors have been exploiting this vector since at least February 2022, using hijacked routers to impersonate legitimate institutions and distribute fraudulent links. “This form of attack leverages text messaging to deceive individuals into divulging sensitive information, such as banking credentials, often by impersonating trusted institutions,” the report warns.

Belgium appears to be the most consistently targeted nation. The report notes:

• “Phishing URLs typosquat well-known Belgian government platforms, namely CSAM and eBox.”
• Messages were written in both Dutch and French, reflecting Belgium’s linguistic landscape.
• Recent campaigns impersonated CSAM, Belgium’s official authentication portal, and eBox, its centralized digital mailbox.

One July 2025 lure urged victims to urgently submit their tax declaration:

“Uw jaarlijkse belastingaangifte staat klaar voor verwerking. Zorg ervoor dat u deze voor de deadline indient. hxxps://ebox.csam-trust[.]xyz.”

The attackers’ method exploits a systemic weakness. According to the report, “a Shodan search revealed the presence of over 19,000 Milesight Industrial Cellular Routers devices … [with] 572 of these routers allow[ing] unauthenticated access to their inbox/outbox APIs.” Many of these devices are running outdated firmware, amplifying their exposure.

These routers were not compromised for persistence or deeper intrusions. Instead, attackers used them solely to send phishing SMS, creating a decentralized infrastructure that complicates detection and takedown efforts.

While Belgium bore the brunt, France, Sweden, and Italy also suffered large-scale campaigns.

• In France, lures impersonated Ameli (national health insurance), La Poste, and Credit Agricole.
• Sweden and Italy saw smishing waves impersonating Telia and banking/payment services.
• Other countries, including Singapore, Norway, Portugal, and Hungary, were targeted with mass campaigns using shared infrastructure.

The attacker infrastructure relied heavily on domains registered through NameSilo and hosted on Podaon SIA, a Lithuanian VPS provider. As Sekoia.io explains, “Like the IP address observed in the honeypot logs … these domains are associated with IP addresses belonging to PODAON-PL-1 (AS210895).”

Technical analysis revealed additional artifacts pointing to the so-called “Grooza cluster”, a phishing operation linked through obfuscated scripts, Telegram bot logging, and shared infrastructure. The report highlights how “some phishing pages linked to this cluster have been observed integrating Telegram as a channel to log visitor connections.”

Sekoia.io concludes that smishing remains a profitable, low-barrier attack method. The campaigns demonstrate how attackers can weaponize simple infrastructure to scale their operations globally.

“This campaign is notable in that it demonstrates how impactful smishing operations can be executed using simple, accessible infrastructure. Given the strategic utility of such equipment, it is highly likely that similar devices are already being exploited in ongoing or future smishing campaigns,” the TDR team warns.

Related Posts:

• International Operation Dismantles Phone Phishing Ring Targeting Vulnerable Individuals Across Europe
• Panda Shop Smishing Syndicate: China-Backed Cybercrime-as-a-Service Hits Millions Globally
• The Billion-Dollar Smishing Empire: How Chinese Syndicates Are Hacking Apple & Google Wallets
• Smishing Triad Targets Pakistan with Large-Scale Banking Scam
• Smishing Triad: eCrime Group Targets 121+ Countries with Advanced Smishing