Hackers Exploit Cellular Router’s API to Send Malicious SMS Messages With Weaponized Links

Posted on October 1, 2025 By CWS

Hackers have recently leveraged a vulnerability in the web-based management interfaces of certain cellular routers to co-opt their built-in SMS functionality for malicious purposes.

By targeting exposed APIs, attackers are able to dispatch large volumes of malicious SMS messages containing weaponized links that lead to drive-by downloads or credential-stealing pages.

This emerging threat vector exploits otherwise legitimate network equipment, transforming routers into unwitting proxies for mass phishing campaigns and malware distribution.

Victims receive SMS texts purporting to be security alerts or delivery notifications, but clicking the embedded URL triggers silent exploitation of device vulnerabilities or launches social-engineering traps.

Throughout August and September 2025, several security operations centers noted unusual spikes in SMS traffic originating from residential and enterprise routers rather than cellular networks.

Sekoia researchers identified that threat actors were systematically scanning for endpoints exposing vendor APIs, particularly on models using TR-064 or custom HTTP-based SMS interfaces.

Once discovered, these interfaces allow unauthenticated or weakly authenticated commands to send arbitrary SMS messages via the SIM card installed in the router.

Although the impacted routers differ by manufacturer, commonalities include default credentials left unchanged and outdated firmware lacking API rate-limiting or input validation.

The rapid proliferation of this technique highlights a critical blind spot: network administrators rarely monitor SMS logs on routers as rigorously as they do network traffic or firewall events.

As a result, large-scale campaigns have gone unnoticed for weeks, allowing attackers to refine their messaging templates and evade detection.

Initial lure messages masquerade as two-factor authentication requests or urgent account recovery notifications, exploiting user trust in SMS channels. Subsequent campaigns pivot to more targeted bait based on harvested data, increasing click-through rates and downstream compromise.

Beyond the immediate risk of credential theft, successful exploitation can deliver secondary payloads that pivot into local networks.

Once a victim clicks the weaponized link, a drive-by exploit chain may deploy a backdoor to the user’s device, granting attackers persistent access.

CSAM phishing page (Source – Sekoia)

In corporate environments, this intrusion can facilitate lateral movement, data exfiltration, or enrollment of additional devices into the SMS-spam network, amplifying both reconnaissance and monetization opportunities for the threat actors behind these operations.

Infection Mechanism

At the core of this campaign lies the abuse of the router’s SMS API endpoint. Attackers first brute-force or enumerate default administrative credentials to gain shell-level or web-server access.

With valid access, they issue HTTP requests that mimic legitimate SMS-sending commands. The simplest form of this interaction can be illustrated with a curl snippet:

curl -X POST \
  -H "Content-Type: application/json" \
  -d '{
    "username": "admin",
    "password": "admin123",
    "destination": "+15551234567",
    "message": "Your account requires immediate verification:"
  }'

In many affected devices, the API fails to enforce robust input sanitization, allowing attackers to inject HTML or JavaScript into the message payload.

This enables more sophisticated attacks, such as weaponized links that automatically execute on click without browser warnings.

Furthermore, the SMS API often exposes status codes and delivery reports, providing feedback that attackers use to measure campaign success and optimize targeting.

To automate these operations at scale, threat actors have repurposed compromised routers into distributed SMS-spam bots.

Custom scripts cycle through recipient lists, randomize sender IDs, and rotate message templates. Some variants even integrate with public paste sites to dynamically update malicious URLs, evading static detection by URL-filtering solutions.

By understanding this infection mechanism, defenders can harden their environments: enforce strong administrative credentials, disable unused SMS interfaces, and apply firmware updates that incorporate proper authentication and rate-limiting controls.

These measures, combined with proactive SMS-traffic monitoring, can disrupt the rapid growth of this stealthy and impactful threat.
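
The SMS-traffic monitoring recommended above can start as a simple sliding-window check over each router's outbound-SMS log. The following is an added example, not code from the original article or from Sekoia; the log line format, router names, thresholds, and the flag_routers function are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the format (time, router, recipient, text) is hypothetical.
SAMPLE_LOG = """\
2025-09-01T08:00:00 rtr-01 +15550000001 WAN link down, failover active
2025-09-01T09:00:00 rtr-01 +15550000001 WAN link restored
2025-09-01T10:00:00 rtr-02 +15550000010 Verify your account: http://example.test/a
2025-09-01T10:00:10 rtr-02 +15550000011 Verify your account: http://example.test/a
2025-09-01T10:00:20 rtr-02 +15550000012 Verify your account: http://example.test/b
2025-09-01T10:00:30 rtr-02 +15550000013 Parcel held: http://example.test/c
2025-09-01T11:00:00 rtr-03 +15550000001 Temp alarm 1
2025-09-01T11:01:00 rtr-03 +15550000001 Temp alarm 2
2025-09-01T11:02:00 rtr-03 +15550000001 Temp alarm 3
2025-09-01T11:03:00 rtr-03 +15550000001 Temp alarm 4
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\+\d+) (.*)$")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def parse(log):
    """Yield (time, router, recipient, text) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, router, rcpt, text = m.groups()
            yield datetime.fromisoformat(ts), router, rcpt, text

def flag_routers(log, window=timedelta(minutes=5), max_msgs=3, url_rcpts=3):
    """Return {router: sorted reasons} for routers whose SMS output looks like a spam run."""
    per_router = defaultdict(list)
    for event in parse(log):
        per_router[event[1]].append(event)
    findings = {}
    for router, events in per_router.items():
        events.sort()
        reasons, start = set(), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            recent = events[start:end + 1]
            if len(recent) > max_msgs:
                reasons.add("burst")  # too many messages inside one window
            if len({e[2] for e in recent if URL_RE.search(e[3])}) >= url_rcpts:
                reasons.add("url-fanout")  # links sent to many distinct numbers
        if reasons:
            findings[router] = sorted(reasons)
    return findings
```

Calling flag_routers(SAMPLE_LOG) flags rtr-02 for both conditions and rtr-03 for volume only, while the two routine alerts from rtr-01 pass.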
