{
	"id": "8e5768d7-687c-4e07-a742-9de352669d02",
	"created_at": "2026-04-06T00:15:49.660362Z",
	"updated_at": "2026-04-10T03:27:55.945753Z",
	"deleted_at": null,
	"sha1_hash": "de53817052c9e9b0798660caaecbc365ffba3965",
	"title": "Resecurity | Smishing Triad Impersonates Emirates Post to Target UAE Citizens",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2207385,
	"plain_text": "Resecurity | Smishing Triad Impersonates Emirates Post to Target\r\nUAE Citizens\r\nPublished: 2023-09-25 · Archived: 2026-04-02 10:40:15 UTC\r\nIntroduction\r\nThis month, “Smishing Triad” has vastly expanded its attack footprint in the UAE. Resecurity, a leader in\r\ncybersecurity and threat intelligence, has identified domain names that closely resemble those used by the group\r\nin their previous campaigns. Threat actors registered the majority of these UAE-focused domains with\r\nGname.com Pte. Ltd., a Singapore-based web registrar.\r\n“Smishing Triad” fraudsters also listed various Chinese entities as registrant organizations, or the owners of the\r\nfraudulent domains. Similarities in domain signatures noted by Resecurity indicate a calculated and ongoing threat\r\nto the Emirates. The assessment that “Smishing Triad” is hyper-targeting victims in the Emirates is further\r\nsupported by the group’s geo-filtering of smishing page access to UAE citizens only.\r\nResecurity specifically observed this geo-fencing of IP addresses in smishing lures cast out to impersonate the\r\nEmirates Post, the UAE’s official parcel delivery service. In fact, UAE-focused fraud campaigns imitating official\r\nEmirates Post communications were first confirmed in May, according to local news reports.\r\nExample of 'smishing' text\r\nResecurity specifically observed this geo-filtering of IP addresses in smishing lures cast out to impersonate the\r\nEmirates Post, the UAE’s official parcel delivery service. 
“Smishing Triad” is also leveraging compromised Apple\r\niCloud accounts and illegally obtained databases that contain the personally identifying information (PII) of UAE\r\ncitizens to stage their attacks.\r\nhttps://www.resecurity.com/blog/article/Smishing-Triad-Impersonates-Emirates-Post-Target-UAE-Citizens\r\nPage 1 of 9\n\nSpecifically, the threat actor acquires UAE resident databases from the Dark Web and launches their smishing\r\nattacks from iCloud accounts they have previously compromised. Resecurity has already alerted and shared\r\nrelevant information with the national Computer Emergency Response Team for the United Arab Emirates\r\n(AeCERT).\r\nResecurity’s HUNTER (HUMINT) unit also blocked the majority of malicious domains that were flagged this\r\nweek. But the battle against “Smishing Triad” threat actors continues.\r\nTheir Goal: To Defraud the Emirates Citizens\r\nTheir Objective\r\n“Smishing Triad” has a singular, malign goal: to defraud Emirati citizens. By employing sophisticated tactics, the\r\ngroup aims to extract sensitive PII and financial data from unsuspecting victims.\r\nTheir Modus Operandi\r\nThe group typically sends out malicious text messages from iCloud accounts they have previously hijacked, while\r\nmasquerading as reputable organizations like government agencies, financial institutions (FIs), and shipping firms.\r\nThese messages are designed to dupe people into divulging their PII and financial data. “Smishing Triad” then\r\nuses this stolen data to defraud individuals and businesses. To target prospective victims, “Smishing Triad”\r\nacquires geo-specific PII databases obtained from access brokers on the Dark Web.\r\nRegarding the group’s malicious infrastructure, Resecurity has observed “Smishing Triad” threat actors registering\r\nfraudulent domains through Singaporean website registrar Gname.com Pte. 
Ltd.\r\nTechnical Insights\r\nDomain Details - Key Information\r\nDomain Name: dwu6.top\r\nRegistrar: Gname.com Pte. Ltd.\r\nCreation Date: 2023-09-13\r\nRegistry Expiry Date: 2024-09-13\r\nName Servers: a.share-dns.com, b.share-dns.net\r\nAnalysis\r\nThe domain, dwu6.top, is a critical asset in “Smishing Triad's” campaign against the UAE. Its structure and\r\nregistration details closely mirror those of domains used in earlier campaigns, suggesting a consistent and\r\nevolving modus operandi.\r\nTactics, Techniques, and Procedures\r\niMessage as a Delivery Method\r\n“Smishing Triad” is known to use compromised iCloud accounts to send iMessages, a tactic that makes their SMS\r\nscams more credible. The group is targeting UAE-specific users, while masquerading as the Emirates Post and\r\nother local organizations.\r\nThe victim will be asked to select the payment option, typically a small fee, then on the next page they're asked\r\nto enter personal and credit card information.\r\nOn the next screen, the victim is asked to enter their personal information followed by the request to proceed with the\r\npayment (credit card) information.\r\nFraud-as-a-Service\r\nBeyond proprietary smishing attacks, the group also offers 'smishing kits' for sale on platforms like Telegram. 
This\r\nfraud-as-a-service (FaaS) model enables “Smishing Triad” to scale their operations by empowering other\r\ncybercriminals to leverage their tooling and launch independent attacks.\r\nConclusion\r\nThe Need for Vigilance\r\nAs “Smishing Triad” expands its FaaS operations to target the Emirates, both cybersecurity agencies and UAE\r\ncitizens must remain vigilant. Fraud awareness campaigns and educational programs are essential first lines of\r\ndefense against these rapidly evolving threats.\r\nProactive Measures\r\nEmpowered by Resecurity’s discovery of the domain names and attack patterns associated with “Smishing Triad,”\r\ncybersecurity agencies are now capable of engaging in proactive monitoring, intervention, and mitigation. These\r\nmeasures could involve taking down malicious domains, tracking down threat actors behind them, and\r\nimplementing more robust cybersecurity controls to protect UAE citizens.\r\nPer Article 11 of the 2021 Emirates’ Cybercrime Law, “creating fake websites, email accounts, or impersonating\r\nsomeone else can lead to detention and fines ranging from AED 50,000 to AED 200,000. If these fabricated\r\naccounts are used to harm the victim, the perpetrator may face imprisonment for a minimum of two years.”\r\nPenalties for cybercriminal offenses that harm UAE nationals or organizations become even harsher when “state\r\ninstitutions' websites or accounts are involved, leading to imprisonment for up to five years and fines ranging from\r\nAED 200,000 to AED 2,000,000.”\r\nTo assist victims of cybercrime, the government of the UAE has established multiple “easy reporting” services\r\nthat include a dedicated ‘e-crime website,’ the Dubai Police website, and the ‘My Safe Society’ application. 
These\r\nuser-friendly tools allow UAE residents to easily report cybercrime incidents.\r\nThe UAE has also established the ‘Cyber Pulse’ Initiative, an endeavor that “aims to encourage community\r\nmembers in the UAE to play a part in cybersecurity efforts. It seeks to enhance public awareness on suspicious\r\nonline activities and the necessary steps to be taken from becoming a victim of ePhishing.”\r\nTo defend against the growing threat of “Smishing Triad” and other cybercriminal actors, UAE citizens and\r\nresidents should consider the following best practices:\r\nAvoid publishing private contact information on unreliable online platforms\r\nBe cautious of unknown links sent through text messages or emails\r\nOnly download apps from trusted sources\r\nKeep backup copies of personal data\r\nRegularly update smartphone operating systems\r\nWatch for signs of electronic fraud, such as abnormal battery consumption or slower processing speeds\r\nIOC (Indicators of compromise)\r\nDomains focusing on Telegram\r\nAll Other Domains\r\nSource: https://www.resecurity.com/blog/article/Smishing-Triad-Impersonates-Emirates-Post-Target-UAE-Citizens",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.resecurity.com/blog/article/Smishing-Triad-Impersonates-Emirates-Post-Target-UAE-Citizens"
	],
	"report_names": [
		"Smishing-Triad-Impersonates-Emirates-Post-Target-UAE-Citizens"
	],
	"threat_actors": [
		{
			"id": "e479024b-389e-4dcf-87a3-4a31144315da",
			"created_at": "2024-04-19T02:00:03.621555Z",
			"updated_at": "2026-04-10T02:00:03.614321Z",
			"deleted_at": null,
			"main_name": "Smishing Triad",
			"aliases": [],
			"source_name": "MISPGALAXY:Smishing Triad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434549,
	"ts_updated_at": 1775791675,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de53817052c9e9b0798660caaecbc365ffba3965.pdf",
		"text": "https://archive.orkl.eu/de53817052c9e9b0798660caaecbc365ffba3965.txt",
		"img": "https://archive.orkl.eu/de53817052c9e9b0798660caaecbc365ffba3965.jpg"
	}
}