While analyzing global smishing operations spanning APAC, LATAM, Europe, and MEA, Group-IB researchers have uncovered a centralized Phishing-as-a-Service (PhaaS) platform known as the “Phoenix System”. This sophisticated administrative panel is more than just a template gallery; it provides threat actors with real-time victim monitoring, geofencing, and live-phishing interventions designed to bypass multi-factor authentication (MFA).
The platform has already targeted more than 70 organizations across the financial, telecommunications, and logistics sectors. Since January 2025, researchers have identified over 2,500 phishing domains associated with this single operation.
The Phoenix System (不死鳥系統) is not a new player but the successor to a legacy platform known as the Mouse System (耗子系統). Side-by-side source code analysis revealed an “identical asset structure,” where the file directories, framework architecture, and core administrative scripts remain largely unchanged from the older version.
By centralizing infrastructure, the “Phoenix System” allows even low-skilled affiliates to launch massive, multi-region campaigns with minimal technical overhead.
While many campaigns still use standard SMS from prepaid numbers, the “Phoenix” operation is moving toward more advanced injection methods. Researchers believe attackers are leveraging fake Base Transceiver Stations (BTS) to bypass carrier-level filters.
As the report explains, “By deploying rogue BTS equipment that broadcasts stronger signals than legitimate towers, attackers can cause nearby devices to connect to their station instead, allowing SMS messages to be injected directly without passing through standard operator routing systems”.
This technique allows messages to appear under branded sender names, making them nearly impossible for users to distinguish from legitimate notifications.
The most dangerous feature of the Phoenix System is its real-time management dashboard. This console tracks granular victim telemetry—including device type and IP addresses—and alerts the operator the exact second a victim lands on an OTP (One-Time Password) entry page.
This enables “live-phishing” interventions:
- Manual Prompts: The attacker can manually trigger a request for a PIN or OTP.
- Custom Error Messages: The attacker can push a fake error that forces the victim to re-enter credentials, confirming that the captured data is accurate.
- MFA Bypassing: By intercepting the code in real-time, the actor ensures the “immediate validation of stolen financial assets”.
The distribution of these kits is handled through a massive Telegram network. One identified group chat boasts nearly 13,000 members, offering 24/7 customer support and “onboarding guidance” for new fraudsters.
The Phoenix System operates on a subscription model, with annual access costing approximately $2,000. For this price, affiliates get access to localized templates for regions across Asia, Europe, and Africa.