Silent Smishing: Abuse of Cellular Router APIs in Phishing Campaigns

Attackers exploit vulnerable cellular routers to send large-scale smishing messages that bypass traditional defenses.

Written by Ken Underhill
Oct 2, 2025

Smishing, or SMS-based phishing, continues to evolve as attackers discover new ways to exploit infrastructure for large-scale fraud. 

Recent research by Sekoia.io’s Threat Detection & Research (TDR) team uncovered a troubling tactic: adversaries leveraging vulnerabilities in cellular routers to send malicious text messages containing phishing URLs.  

Honeypots catch smishing in action

On July 22, 2025, honeypots operated by Sekoia.io captured suspicious network traces linked to Milesight Industrial Cellular Routers. Analysis revealed that the devices’ APIs were being abused to distribute phishing messages, particularly targeting Belgian citizens. 

The messages impersonated official services such as CSAM and eBox, both widely used for digital communications in Belgium. Evidence suggests these attacks have been active since at least February 2022.

Using Shodan, researchers identified more than 18,000 of these routers exposed online, with at least 572 vulnerable to unauthenticated API abuse. This exposure allowed attackers to both send and retrieve SMS content without authorization, turning compromised routers into nodes for smishing campaigns.

Inside the router exploit

Logs show POST requests to the /cgi endpoint, formatted in JSON, consistent with SMS-sending commands. Messages were written in Dutch or French and carried Belgian dialing codes (+32), reinforcing their regional focus. While the campaigns centered on Belgium, France was also affected with lures tied to banking and postal services.

Further investigation revealed the use of stolen or weak credentials, as well as possible exploitation of CVE-2023-43261.

This flaw exposed encrypted administrator passwords that could be decrypted via hardcoded AES keys found in router code. Attackers likely combined credential abuse with misconfigurations to maximize reach.

The backbone of smishing ops

The attacker infrastructure relied heavily on domains registered through NameSilo and hosted with Podaon, SIA, a Lithuanian provider. Phishing pages impersonating CSAM and eBox included device-detection scripts to filter out non-mobile visitors, suggesting a deliberate effort to evade automated analysis.

Beyond Belgium, large-scale smishing campaigns were recorded in Sweden, Italy, and France, often impersonating telecom providers or financial services. 

One active cluster, tied to the alias “Grooza,” used obfuscated JavaScript and Telegram bots to manage phishing operations. This cluster impersonated organizations such as Telia, SwissPass, and Ameli, demonstrating both regional targeting and global reach.

Worldwide Router Risk

Nearly 19,000 Milesight routers were identified as publicly accessible, with significant concentrations in Australia and Europe. Of the subset analyzed, over 570 allowed unauthenticated access to SMS features. 

Many devices ran outdated firmware, leaving them vulnerable to known flaws. Europe’s high density of exposed routers likely explains the concentration of victims there, since European SIMs facilitate reliable message delivery within the region.

Smishing at Scale

The abuse of cellular routers underscores how attackers adapt traditional phishing techniques with simple infrastructure hacks. By hijacking legitimate network equipment, adversaries can distribute high volumes of SMS messages while bypassing many detection systems. 

Unlike email spam, SMS-based campaigns often enjoy higher click-through rates, especially when impersonating trusted government or telecom services.

This technique also complicates mitigation. Because the traffic originates from legitimate routers with regional SIMs, it is less likely to be flagged as malicious. The decentralization of smishing infrastructure across thousands of devices creates resilience for attackers and raises the bar for defenders.

Closing the Gaps

Mitigating this threat requires action at multiple levels:

  • Firmware management: Keep routers updated with the latest patches and secure configurations.
  • Credential hygiene: Enforce strong, unique admin passwords and eliminate defaults or hardcoded keys.
  • Access control: Disable or restrict router APIs to trusted networks only.
  • Monitoring: Regularly review SMS logs and network traffic for anomalies.
  • Awareness training: Teach users to spot phishing texts, especially urgent or shortened links.
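
To make the monitoring step concrete from the defender's side, here is an added example (not code from Sekoia.io, Milesight, or this article) that applies the "Monitoring" item above to request records like those described in the "Inside the router exploit" section: it flags POSTs to the /cgi endpoint that arrive unauthenticated or whose JSON body pairs a recipient number with a link, and it surfaces sources that push link-bearing texts to several distinct numbers inside a short window. The honeypot-style log layout, the body field names (to, content, action) and the burst thresholds are assumptions made for the example, not the router's actual API schema.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed honeypot-style records (JSON lines), not real captures from the
# Sekoia.io research. The body field names ("to", "content", "action") are an
# assumption for illustration, not the router's actual API schema.
SAMPLE_LOG = r"""
{"ts": "2025-07-22T09:14:03Z", "src": "203.0.113.45", "method": "POST", "path": "/cgi", "authenticated": false, "body": "{\"to\": \"+32470000001\", \"content\": \"Uw eBox-bericht wacht: https://ebox-login.invalid/x\"}"}
{"ts": "2025-07-22T09:14:05Z", "src": "203.0.113.45", "method": "POST", "path": "/cgi", "authenticated": false, "body": "{\"to\": \"+32470000002\", \"content\": \"Votre document CSAM: https://csam-verif.invalid/y\"}"}
{"ts": "2025-07-22T09:14:07Z", "src": "203.0.113.45", "method": "POST", "path": "/cgi", "authenticated": false, "body": "{\"to\": \"+32470000003\", \"content\": \"Uw eBox-bericht wacht: https://ebox-login.invalid/z\"}"}
{"ts": "2025-07-22T09:20:00Z", "src": "198.51.100.7", "method": "POST", "path": "/cgi", "authenticated": true, "body": "{\"to\": \"+32470000009\", \"content\": \"Pump station 3: alarm cleared\"}"}
{"ts": "2025-07-22T09:21:10Z", "src": "203.0.113.45", "method": "GET", "path": "/cgi", "authenticated": false, "body": ""}
{"ts": "2025-07-22T09:21:12Z", "src": "203.0.113.45", "method": "POST", "path": "/cgi", "authenticated": false, "body": "{\"action\": \"inbox\"}"}
"""

SMS_ENDPOINT = "/cgi"
PHONE_RE = re.compile(r"\+\d{8,15}")               # E.164-style recipient numbers
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)   # any link inside the message text


def parse_records(text):
    """Parse JSON-lines records; timestamps become timezone-aware datetimes."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def classify(rec):
    """Return finding tags for one request; an empty list means nothing suspicious."""
    tags = []
    if rec["method"] != "POST" or rec["path"] != SMS_ENDPOINT:
        return tags
    # Any unauthenticated call to the SMS endpoint is a finding on its own: the
    # abused routers allowed both sending and retrieving SMS without a login.
    if not rec.get("authenticated", True):
        tags.append("unauthenticated-api-call")
    body = rec.get("body") or ""
    if PHONE_RE.search(body) and URL_RE.search(body):
        tags.append("sms-with-url")  # outbound text carrying a link: the smishing pattern
    return tags


def burst_sources(records, window=timedelta(minutes=5), threshold=3):
    """Map source IP -> distinct recipients when it sent >= threshold link-bearing
    texts to different numbers inside one window. Window and threshold are
    illustrative values to be tuned to a site's legitimate alerting volume."""
    per_src = defaultdict(list)
    for rec in records:
        if "sms-with-url" in classify(rec):
            for phone in PHONE_RE.findall(rec["body"]):
                per_src[rec["src"]].append((rec["ts"], phone))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            recipients = {p for t, p in events[i:] if t - start <= window}
            if len(recipients) >= threshold:
                flagged[src] = len(recipients)
                break
    return flagged


def summarize(text):
    """Per-request findings plus the sources showing bulk-sending behaviour."""
    records = parse_records(text)
    findings = [(rec["src"], tags) for rec in records if (tags := classify(rec))]
    return {"findings": findings, "bursts": burst_sources(records)}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for src, tags in result["findings"]:
        print(src, ",".join(tags))
    print("bulk senders:", result["bursts"])
```

Run directly, the script prints one line per flagged request and then the sources that sent three or more link-bearing texts to distinct numbers within five minutes; the authenticated, link-free industrial alert is left alone. In practice the same logic would read the router's own SMS log or the request log of a reverse proxy placed in front of the management interface, which also gives the "Access control" item above a place to restrict who can reach the API at all.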

Smishing campaigns powered by exploited cellular routers illustrate the persistence of old techniques and the creativity of attackers in weaponizing overlooked infrastructure. By hijacking APIs meant for legitimate messaging, adversaries bypass traditional email filters and scale their operations globally.

The lesson is clear: even simple devices at the edge of enterprise or industrial networks can become conduits for large-scale fraud if left unprotected. 

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
