Lighthouse
Lighthouse is a phishing-as-a-service (PhaaS) / smishing kit associated with the Chinese-speaking, financially motivated Smishing Triad. Google and multiple cited reports describe it as tooling sold to enable low-skill operators to run large-scale SMS phishing and e-commerce fraud campaigns. The kit is used to send scam text messages and deliver links to fraudulent websites impersonating brands and agencies including USPS, E-ZPass, banks, Google properties, and other trusted services. Victims are lured with themes such as unpaid tolls, package redelivery fees, vehicle registration issues, and similar payment pretexts, then prompted to submit credentials, banking information, payment card data, and in some cases MFA codes.
Reported Lighthouse capabilities include phishing templates, domain setup tools, malicious SMS distribution support, and licensing models ranging from weekly to permanent subscriptions. Google reporting states the kits offer separate versions for SMS scams and e-commerce scams, include hundreds of fake-site templates, and have been used to generate very large numbers of phishing sites. The operation has been described as affecting more than 1 million victims across more than 120 countries, with reporting alleging theft of large volumes of U.S. payment card data. Researchers also reported more than 100 counterfeit templates impersonating Google login, Gmail, YouTube, and Google Play.
Recent reporting describes an evolution from previously documented PHP-based infrastructure to a Javalin/Kotlin-based phishing kit hosted on Alibaba Cloud. Observed infrastructure included a primary phishing server at 47.245.93.160 running Javalin on Jetty behind nginx, using Host-header-based routing for campaign-specific phishing pages, zero-byte 404 responses for unmatched hosts, a WebSocket-based admin panel at /console/, wildcard DNS, and rapid Let’s Encrypt certificate issuance. Campaign domains were observed to be rapidly rotated, often remaining active only 2 to 7 days, with 61 domains tracked over a 28-day period and registrations tied to Gname.com. Server-side exfiltration to the Telegram Bot API was reported, and oak-tel.com / Carrie SMS was identified as an SMS distribution platform used in the ecosystem.
A notable finding attributed the Lighthouse kit and core Smishing Triad tooling to Wang Duo Yu. Breakglass Intelligence reported that an obfuscated backdoor was embedded in the JQ.js file distributed with kit deployments. The backdoor allegedly stole operators’ Telegram bot tokens and exfiltrated them to a server controlled by Wang Duo Yu, giving him access to stolen victim data from downstream operators using the kit. Reported related infrastructure included 102.165.14.4 (telegrambotcheck.duckdns.org), described as a Windows-hosted Python Twisted web application handling token submission and validation via /receive_token on port 5000, with additional exposed services including RDP, WinRM, and RPC.
High-confidence infrastructure and behavioral indicators mentioned in the reporting include 47.245.93.160, 102.165.14.4, telegrambotcheck.duckdns.org, the Javalin servlet fingerprint io.javalin.jetty.JavalinJettyServlet-3ba0ae41, Telegram Bot API exfiltration via api.telegram.org/bot{TOKEN}/sendMessage, and the /console/ admin path. Lighthouse has been the subject of Google legal action in the U.S. District Court for the Southern District of New York, including RICO-related claims aimed at dismantling the operation’s infrastructure.
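As a defender-side illustration added here (not code from the reporting or from the kit itself), the following Python flags the two egress patterns described above in a constructed egress-proxy log: Telegram Bot API calls of the api.telegram.org/bot{TOKEN}/sendMessage shape from a web host, and submissions to the backdoor's /receive_token endpoint. The log field layout, the sample lines and the token values are assumptions; the bot token is redacted in every finding.

```python
import re
from urllib.parse import urlparse

# Constructed sample egress-proxy log lines (illustration only, not from the report).
# Assumed field layout: timestamp src_ip method url status bytes
SAMPLE_LOGS = [
    "2025-01-10T10:00:01Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAexample_token/sendMessage 200 51",
    "2025-01-10T10:00:02Z 10.0.0.5 GET https://www.example.com/ 200 1024",
    "2025-01-10T10:00:03Z 10.0.0.9 GET https://api.telegram.org/bot987654321:BBexample_token/getMe 200 88",
    "2025-01-10T10:00:04Z 10.0.0.7 POST https://telegrambotcheck.duckdns.org:5000/receive_token 200 12",
]

# Telegram Bot API path shape from the reporting: /bot{TOKEN}/<method>
BOT_API_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")
# Token-collection endpoint described for the backdoor embedded in JQ.js
BACKDOOR_HOST = "telegrambotcheck.duckdns.org"
BACKDOOR_PATH = "/receive_token"

def redact_token(token: str) -> str:
    """Keep only the numeric bot ID so findings never carry a usable secret."""
    bot_id, _, _ = token.partition(":")
    return f"{bot_id}:<redacted>"

def analyze(lines):
    """Return one finding per log line that matches a Lighthouse egress pattern."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines instead of crashing on them
        ts, src_ip, _method, url, _status, _size = fields
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host == "api.telegram.org":
            m = BOT_API_RE.match(parsed.path)
            if m:
                findings.append({
                    "ts": ts, "src_ip": src_ip, "rule": "telegram-bot-api-egress",
                    "bot_method": m.group("method"), "token": redact_token(m.group("token")),
                    # sendMessage from a web host matches the reported exfiltration shape
                    "severity": "high" if m.group("method") == "sendMessage" else "medium",
                })
        elif host == BACKDOOR_HOST and parsed.path == BACKDOOR_PATH:
            findings.append({"ts": ts, "src_ip": src_ip,
                             "rule": "lighthouse-backdoor-token-submission", "severity": "high"})
    return findings
```

Any other Bot API method from a server is still reported at medium severity, since a legitimate web application rarely has a reason to talk to Telegram at all.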
Groups observed using it
One distinct threat actor has been attributed by public researchers.
Wang Duo Yu, the developer behind the "Lighthouse" phishing kit and the Smishing Triad's core tooling, embeds an obfuscated backdoor in the JQ.js file distributed with every kit deployment.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (4 techniques)
MITRE ATT&CK mapping
Technique ID   Technique                                        Application
T1583.001      Acquire Infrastructure: Domains                  Automated bulk registration of 61+ domains via Gname.com API
T1583.003      Acquire Infrastructure: Virtual Private Server   Alibaba Cloud Singapore VPS, IPXO-leased Windows server
Initial Access (2 techniques)
Stealth (1 technique)
IOCs tracked for this family
21 indicators attributed across vendor reports, sandbox runs, and researcher write-ups; the high-confidence network and behavioral values are listed in the summary above.
Recent activity
12 sources tracked across advisories, community write-ups, and news; summaries of the most recent follow.
A phishing-as-a-service kit used by the Smishing Triad to impersonate government and toll/vehicle services via smishing campaigns. The report describes a newer Javalin/Kotlin-based version with server-side Telegram exfiltration and an embedded backdoor that steals operators' Telegram bot tokens, giving the author access to stolen victim data across deployments.
Large-scale SMS phishing PhaaS platform used to target users across many countries by impersonating trusted brands.
A branded phishing-kit platform sold with subscription licenses that provides templates for fake websites, domain setup tools, and other features to enable large-scale SMS and e-commerce phishing campaigns aimed at stealing credentials and payment/banking data.
Phishing-as-a-service kit used to send text messages that phish victims for payment card data, reportedly hitting over one million victims across 120 countries.