A newly identified series of smishing attacks has been linked to compromised Milesight Industrial Cellular Routers. Researchers at Sekoia.io’s Threat Detection & Research team discovered that threat actors were exploiting the routers’ APIs to send fraudulent text messages. This tactic has repeatedly targeted Belgian users, impersonating official government services.
The malicious activity was first detected on July 22, 2025, when honeypots recorded suspicious requests. Investigators found that the manipulated routers were sending SMS messages that contained phishing links. These messages were often disguised as communications from CSAM and eBox, two widely used Belgian government platforms. The texts were written in Dutch and French and consistently used Belgium’s +32 country code.
Sekoia.io noted that more than 19,000 of these routers are accessible on the public internet, and at least 572 of them are exposed to unauthenticated access. This exposure allows attackers to send or retrieve SMS messages without needing to log in. Logs suggest that this technique has been in use since at least February 2022.
Although these campaigns have also reached France, Italy, Sweden, and other countries, Belgium remains the most frequent target. Between November 2022 and July 2025, multiple distinct operations impersonated federal authentication and digital mailbox services. In June and July 2025 alone, several new phishing domains mimicking these services were registered. The smishing campaigns often follow a validation phase: attackers test whether a compromised router can send SMS messages by directing initial texts to numbers they control. Once confirmed, the devices are then used to launch mass phishing waves.
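A defender-side sketch of the pattern described above, added here as an example and not taken from Sekoia.io or Milesight: it scans a router's outbound SMS records for a burst of link-bearing messages to many distinct recipients, and reports numbers texted shortly before the burst as possible validation tests. The record layout, thresholds, phone numbers and domains are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://([^\s/]+)", re.I)

# Constructed sample outbox records (hypothetical layout, not a real router log format).
SAMPLE = (
    [{"ts": "2025-07-22T09:00:00", "to": "+32400000000", "body": "ok"}]  # lone test text
    + [{"ts": f"2025-07-22T09:30:{k * 10:02d}", "to": f"+3240000001{k}",
        "body": "eBox: nieuw document http://ebox-example.invalid/x"} for k in range(6)]
    + [{"ts": "2025-07-22T12:00:00", "to": "+32400000099",
        "body": "status https://status.example.invalid"}]  # single benign message
)

def find_waves(records, window=timedelta(minutes=10), min_recipients=5,
               lookback=timedelta(hours=1)):
    """Return bursts of link-bearing SMS sent to many distinct recipients."""
    msgs = sorted(({**r, "t": datetime.fromisoformat(r["ts"])} for r in records),
                  key=lambda m: m["t"])
    linked = [m for m in msgs if URL_RE.search(m["body"])]
    waves, i = [], 0
    while i < len(linked):
        start = linked[i]["t"]
        j = i
        # Extend the burst while messages stay inside the time window.
        while j < len(linked) and linked[j]["t"] - start <= window:
            j += 1
        burst = linked[i:j]
        recipients = {m["to"] for m in burst}
        if len(recipients) >= min_recipients:
            # Numbers texted shortly before the burst that are not part of it.
            probes = sorted({m["to"] for m in msgs
                             if start - lookback <= m["t"] < start
                             and m["to"] not in recipients})
            waves.append({
                "start": start.isoformat(),
                "recipients": len(recipients),
                "domains": sorted({URL_RE.search(m["body"]).group(1).lower()
                                   for m in burst}),
                "possible_validation_numbers": probes,
            })
            i = j  # skip past the burst already reported
        else:
            i += 1
    return waves

if __name__ == "__main__":
    for wave in find_waves(SAMPLE):
        print(wave)
```
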
The infrastructure supporting these campaigns appears to be tied to Lithuanian hosting provider Podaon, with phishing domains frequently registered through NameSilo. Some of the fraudulent websites even used scripts to restrict access from non-mobile devices, a tactic that limits detection by security analysts. Sekoia.io’s findings highlight how vulnerable equipment is being leveraged to conduct wide-reaching fraud.