{
	"id": "f0be6c74-355b-4c96-9fbf-5fb281feb804",
	"created_at": "2026-05-05T02:45:42.938058Z",
	"updated_at": "2026-05-05T02:46:36.843266Z",
	"deleted_at": null,
	"sha1_hash": "83666694a30f3ec170ad967676e13e1220bfc704",
	"title": "A “??????t??????a????????????e ??????o????????????” Smishing Campaign that changes behaviour based on User-Agent, and abuses…",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4230393,
	"plain_text": "A “𝙨t𝙧a𝗇𝗀e 𝙛o𝙣𝗍” Smishing Campaign that changes behaviour based\r\non User-Agent, and abuses…\r\nBy Lena\r\nPublished: 2023-12-20 · Archived: 2026-05-05 02:14:40 UTC\r\n8 min read\r\nJan 23, 2023\r\nRecently in Japan, there has been an increase in Smishing attacks that uses a strange font. This got me wondering\r\nwhat was behind the strange font link, and lead me to write this post.\r\nI named this the “StrangeFont” campaign.\r\nPress enter or click to view image in full size\r\nI came across a Smishing message,\r\nお客様が不在の為お荷物を持ち帰りました。こちらにてご確認ください 8t9z[.]𝙪y𝙝𝗂𝖼[.]com?xx\r\nWhich translates to,\r\nAs the customer was absent, the package was brought back. Please confirm here 8t9z[.]𝙪y𝙝𝗂𝖼[.]com?xx\r\nPress enter or click to view image in full size\r\nhttps://systemweakness.com/a-strange-font-smishing-that-changes-behaviour-based-on-user-agent-and-abuses-duck-dns-1c1a45863ff7\r\nPage 1 of 19\n\nThus, I decided to conduct an analysis of this Smishing attack.\r\nTable of contents\r\nAnalysing the SMS message\r\nExperimenting with User-Agents\r\n– Android User-Agent\r\n– iPhone User-Agent\r\nDomain analysis\r\n– Duck DNS\r\nConclusion\r\nAnalysing the SMS message\r\nWhen I saw the link 8t9z[.]𝙪y𝙝𝗂𝖼[.]com?xx, I noticed that the font was strange. So I went to BabelStone’s Unicode\r\nanalysis site to check the unicode characters.\r\nPress enter or click to view image in full size\r\nhttps://systemweakness.com/a-strange-font-smishing-that-changes-behaviour-based-on-user-agent-and-abuses-duck-dns-1c1a45863ff7\r\nPage 2 of 19\n\nIt was a mix of various fonts. The default characters are the LATIN SMALL LETTER. 
The anomalous characters\r\nare the MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL and MATHEMATICAL SANS-SERIF SMALL.\r\nI converted the 𝙪y𝙝𝗂𝖼 part to hex using CyberChef,\r\nThe hex values for each of the characters are as follows; only ‘y’ corresponded to an ASCII hex value.\r\n𝙪: f0 9d 99 aa\r\ny: 79\r\n𝙝: f0 9d 99 9d\r\n𝗂: f0 9d 97 82\r\n𝖼: f0 9d 96 bc\r\nHere are some other variations of the Smishing text,\r\nExperimenting with User-Agents\r\nTrying to access the link on my Debian Chrome browser showed page can’t be found.\r\nThe packet capture shows my User-Agent as,\r\nMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0\r\nSafari/537.36\r\nThe HTTP response to the GET request was 404 Not Found.\r\nI went to “Inspect” \u003e “More tools” \u003e “Network conditions”. 
From there, I can specify the User-Agent.\nThe html code for 8t9z[.]𝙪y𝙝𝗂𝖼[.]com?xx looks like the following,\n\nGiven that this Smishing link was sent to a mobile device, I assumed that I would need to change the User-Agent to\na mobile device one, like iPhone or Android.\nAndroid User-Agent\nI chose Chrome — Android Mobile which has a User-Agent of\nMozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like\r\nGecko) Chrome/109.0.0.0 Mobile Safari/537.36\r\nReloading the link showed the following message,\r\nセキュリティ向上のため,最新バージョンのChromeにアップデートしてください。’\r\nWhich translates to,\r\nFor better security, please update to the latest version of Chrome.\r\nClicking OK will download a file called chrome.apk.\r\nAndroid User-Agent analysis\r\nI applied the filters http || dns to the packet capture, which shows the HTTP GET request and response, DNS\r\nrequest and response.\r\nA DNS request to 8t9z[.]uyhic[.]com is made, and an IP of 103[.]80.134.41 is returned. 
This is flagged as\r\nmalicious by multiple vendors on VirusTotal.\r\nOver 200 domains that are associated with this IP can be seen, where one of them is 8t9z[.]uyhic[.]com.\r\nThe HTTP response was 200 OK when I accessed the link using an Android Mobile User-Agent.\r\nA GET request for chrome.apk can be seen with an HTTP response of 200 OK, where the content type is\r\napplication/vnd.android.package-archive.\r\nMultiple vendors on VirusTotal have flagged chrome.apk as malicious, namely an Android Trojan.\r\nI used JoeSandbox to analyse the malware, and various malicious behaviours could be seen, such as Has\r\npermission to send SMS in the background, Has permission to perform phone calls in the background, Has\r\npermission to read contacts, etc.\r\nThis chrome.apk makes various permission requests like android.permission.SEND_SMS,\r\nandroid.permission.CALL_PHONE, android.permission.READ_CONTACTS.\r\niPhone User-Agent\r\nI chose “Chrome — iPhone” which has a User-Agent of\r\nMozilla/5.0 (iPhone; CPU iPhone OS 13_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like\r\nGecko) CriOS/109.0.0.0 Mobile/15E148 Safari/604.1.\r\nVisiting the 
link showed the following message,\r\nAPP Storeアカウントは安全異常があるので、再度ログインしてください。\r\nWhich translates to,\r\nThere’s a security problem on the APP Store account, please login again.\r\nAfter pressing OK, a fake Apple Login page with the URL twnispwfis[.]duckdns.org is loaded.\r\nOn the fake login page, you can input an email and a password, so I inputted a fake email and a password. It\r\nloaded for a few seconds after entering the credentials but did not return an incorrect login response.\r\nThe redirect URL, namely the subdomain of duckdns[.]org, changes dynamically. A few hours prior,\r\n8t9z[.]𝙪y𝙝𝗂𝖼[.]com led to tmsbqrgbqs.duckdns[.]org.\r\nA few hours later, it led to wydxfaucvt.duckdns[.]org.\r\niPhone User-Agent analysis\r\nI applied the filters http || dns, which shows the HTTP GET request and response, DNS request and response. It\r\nmakes a DNS request to 8t9z[.]uyhic[.]com, similar to the Android User-Agent.\r\nThe HTTP response was 200 OK when I accessed the link using an iPhone Mobile User-Agent.\r\nNext, a DNS request to twnispwfis[.]duckdns.org is made, and there’s a response 91[.]204[.]227[.]86. 
This IP is\r\nflagged as malicious by multiple vendors on VirusTotal.\r\nAt the time of my investigation, over 200 passive DNS replications could be seen for this IP, which follows the\r\npattern *.duckdns.org.\r\nA GET request to twnispwfis[.]duckdns.org can be seen, with a HTTP response of 302 Found. The server uses\r\nKestrel, with a X-Rate-Limit-Limit of 24h, X-Rate-Limit-Remaining of 12.\r\nWhen I inputted the fake email and a password, a GET request with the password bbbb in plaintext could be seen.\r\n/api/SampleData/Login/aaaa%40fakemail.com/bbbb\r\nIf valid iCloud credentials are inputted, the iCloud account will be hijacked.\r\nDomain analysis\r\nI analysed the WHOIS information for uyhic[.]com, which shows that this domain was created on 2022–12–21,\r\nand the registrar is GoDaddy.com, LLC\r\n$ whois uyhic.com\r\n...\r\nDomain Name: uyhic.com\r\nRegistry Domain ID: 2746350565_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.godaddy.com\r\nRegistrar URL: https://www.godaddy.com\r\nUpdated Date: 2022-12-22T01:23:49Z\r\nCreation Date: 2022-12-21T23:41:32Z\r\nRegistrar Registration Expiration Date: 2023-12-21T23:41:32Z\r\nRegistrar: GoDaddy.com, LLC\r\nRegistrar IANA ID: 
146\r\n...\r\nRegistrant Name: Registration Private\r\nRegistrant Organization: Domains By Proxy, LLC\r\nRegistrant Street: DomainsByProxy.com\r\nRegistrant Street: 2155 E Warner Rd\r\nRegistrant City: Tempe\r\nRegistrant State/Province: Arizona\r\n...\r\nVirusTotal also shows the subdomains for uyhic[.]com.\r\nAlso, inputting the mixed font 𝙪y𝙝𝗂𝖼[.]com on WHOIS will return an invalid query.\r\n$ whois 𝙪y𝙝𝗂𝖼.com\r\n% IANA WHOIS server\r\n% for more information on IANA, visit http://www.iana.org\r\n%\r\n% Error: Invalid query 𝙪y𝙝𝗂𝖼.com\r\nThe WHOIS information for duckdns[.]org shows that the creation date is rather old, 2013–04–12, and the\r\nregistrar is Gandi SAS.\r\n$ whois duckdns.org\r\n...\r\nDomain Name: duckdns.org\r\nRegistry Domain ID: a108d0094d304d7ba51b8d4648318aa4-LROR\r\nRegistrar WHOIS Server: http://whois.gandi.net\r\nRegistrar URL: http://www.gandi.net\r\nUpdated Date: 2023-01-15T18:06:54Z\r\nCreation Date: 2013-04-12T19:58:56Z\r\nRegistry Expiry Date: 2029-04-12T19:58:56Z\r\nRegistrar: Gandi SAS\r\nRegistrar IANA ID: 81\r\n...\r\nRegistrant Country: GB\r\nRegistrant Phone: REDACTED FOR PRIVACY\r\nRegistrant Phone Ext: REDACTED FOR PRIVACY\r\nRegistrant Fax: REDACTED FOR PRIVACY\r\nRegistrant Fax Ext: REDACTED FOR PRIVACY\r\n...\r\nDuck DNS\r\nThe duckdns[.]org itself is not malicious, as it is a “free dynamic DNS hosted on Amazon VPC”.\r\nAccording to MalwareBytes,\r\nThe domain duckdns.org hosts a free service which will point a DNS (sub domains of duckdns.org) to\r\nan IP of your choice. 
Unfortunately this service is often abused by phishers.\r\nAs this is a free service that provides dynamic DNS, it is commonly abused for malicious purposes. A lot of\r\nsubdomains of duckdns[.]org are malicious, and are frequently used for fake login pages.\r\nFor the IP address 91[.]204[.]227[.]86, multiple new subdomains of duckdns[.]org are resolved each day by\r\nVirusTotal.\r\nThe following shows some variations of the Duck DNS abuse Smishing texts,\r\nWhenever you come across a link that looks something like *.duckdns[.]org, be careful!\r\nConclusion\r\nAccording to the investigation, the strange font link (8t9z[.]𝙪y𝙝𝗂𝖼[.]com?xx in this case) first checks for the User-Agent, and redirects the victim to a phishing site that matches their User-Agent. Also, the strange font link only\r\nloads if the victim’s IP is in Japan.\r\nAndroid User-Agent: Redirects the user to a site that downloads an Android Malware called chrome.apk\r\niPhone User-Agent: Redirects the user to a fake Apple login site that steals iCloud login credentials. The\r\nfake login page is a subdomain of duckdns[.]org, and the redirected subdomain of duckdns[.]org changes\r\ndynamically.\r\nPlease let me know if you come across interesting Smishing, and phishing examples.\r\nThank you for reading!\r\nSource: https://systemweakness.com/a-strange-font-smishing-that-changes-behaviour-based-on-user-agent-and-abuses-duck-dns-1c1a45863ff7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://systemweakness.com/a-strange-font-smishing-that-changes-behaviour-based-on-user-agent-and-abuses-duck-dns-1c1a45863ff7"
	],
	"report_names": [
		"a-strange-font-smishing-that-changes-behaviour-based-on-user-agent-and-abuses-duck-dns-1c1a45863ff7"
	],
	"threat_actors": [],
	"ts_created_at": 1777949142,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/83666694a30f3ec170ad967676e13e1220bfc704.pdf",
		"text": "https://archive.orkl.eu/83666694a30f3ec170ad967676e13e1220bfc704.txt",
		"img": "https://archive.orkl.eu/83666694a30f3ec170ad967676e13e1220bfc704.jpg"
	}
}