Abuse of Industrial Routers for SMS Phishing Campaigns Uncovered

Criminals are exploiting unsecured cellular routers in industrial environments to send massive amounts of phishing SMS messages. According to a report by the IT magazine Ars Technica, based on analyses by the cybersecurity company Sekoia, devices from the Chinese manufacturer Milesight IoT Co., Ltd. are primarily affected.
The affected routers of type UR35 are originally intended for industrial applications—such as networking traffic lights or electricity meters. They use 3G, 4G, or 5G SIM cards and can be controlled via SMS, web interface, or Python scripts. According to Sekoia, researchers discovered suspicious network activity in honeypots that led to the identification of more than 18,000 publicly accessible routers. At least 572 devices were accessible without authentication. Many were running outdated firmware—some over three years old—and contained known vulnerabilities.
Global phishing campaigns since 2023
Analysis of SMS inboxes and outboxes showed that the devices have been used since October 2023 for so-called “smishing” campaigns (SMS phishing). The messages mainly targeted recipients in Sweden, Belgium, and Italy. They urged users to log in to fake websites that impersonated government or public services to steal login credentials.
Sekoia described the method as an “unsophisticated, yet effective delivery vector.” The distributed infrastructure makes the campaigns difficult to stop, as the SMS messages are sent across multiple countries.
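For operators, the same kind of outbox review can be run on their own devices. The following is an added example, not code from Sekoia, Ars Technica, or Milesight: it audits an exported SMS outbox for links and bulk sending to recipients outside an allowlist. The record layout, the allowlist, and the threshold are assumptions, and the sample messages are constructed.

```python
import re
from collections import Counter

# Constructed sample outbox: (timestamp, recipient, body). This record layout
# is an assumption, not the router's real export format.
SAMPLE_OUTBOX = [
    ("2025-01-10T08:00:01", "+46700000001", "Verify your account: https://example.invalid/a"),
    ("2025-01-10T08:00:03", "+46700000002", "Verify your account: https://example.invalid/a"),
    ("2025-01-10T08:00:05", "+32470000003", "Verify your account: https://example.invalid/a"),
    ("2025-01-10T08:00:07", "+39320000004", "Verify your account: https://example.invalid/a"),
    ("2025-01-10T09:15:00", "+33600000099", "ALARM: meter 12 offline"),
]

# Calling codes of the three target countries named in the report.
REPORTED_TARGETS = {"+46": "Sweden", "+32": "Belgium", "+39": "Italy"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def audit_outbox(records, allowed_recipients, fanout_threshold=3):
    """Flag outbox traffic that an industrial router should not be sending."""
    unknown = [r for r in records if r[1] not in allowed_recipients]
    url_to_unknown = [r for r in unknown if URL_RE.search(r[2])]

    # Identical text sent to many distinct numbers indicates bulk sending.
    recipients_by_body = {}
    for _, recipient, body in unknown:
        recipients_by_body.setdefault(body, set()).add(recipient)
    bulk = {b: sorted(n) for b, n in recipients_by_body.items()
            if len(n) >= fanout_threshold}

    # Count unexpected recipients in the countries the report names.
    countries = Counter(
        name for _, recipient, _ in unknown
        for prefix, name in REPORTED_TARGETS.items()
        if recipient.startswith(prefix)
    )
    return {
        "unknown_recipients": sorted({r[1] for r in unknown}),
        "url_messages": url_to_unknown,
        "bulk_bodies": bulk,
        "reported_target_hits": dict(countries),
        "suspicious": bool(url_to_unknown or bulk),
    }


if __name__ == "__main__":
    for key, value in audit_outbox(SAMPLE_OUTBOX, {"+33600000099"}).items():
        print(f"{key}: {value}")
```

A router that only sends alarm texts to a fixed set of operator numbers should produce no findings; any link or repeated body sent to unknown recipients warrants a closer look at the device.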
Unclear attack vector
How exactly the routers were compromised remains unclear, according to Sekoia. One possible cause is the vulnerability CVE-2023-43261, which was fixed in 2023. Due to a misconfiguration, it allowed access to files containing encrypted passwords that could be easily decrypted using the included encryption keys. This vulnerability affected firmware versions up to version 32; however, some compromised devices were running newer, supposedly patched versions.
According to Sekoia, this suggests that other, previously unknown attack methods may also be in use. The manufacturer Milesight did not respond to a request for comment from Ars Technica.
Obfuscation and Telegram control
According to Sekoia, the associated phishing websites were technically designed to hinder analysis. JavaScript prevented the malicious code from displaying on desktop computers and blocked functions such as right-clicking or debugging. Some sites transmitted user data through the Telegram bot “GroozaBot”, reportedly operated by an actor known as “Gro_oza,” who speaks Arabic and French.
Assessment
The case illustrates how easily common IoT devices can be incorporated into large-scale cyber campaigns. The main problem is that many industrial routers run for years without security updates. For operators of critical infrastructure, this incident highlights that even seemingly minor network components can pose a significant risk.
Summary (tl;dr)
- Sekoia uncovered abuse of industrial Milesight routers for SMS phishing.
- More than 18,000 routers were publicly accessible, at least 572 of them without authentication.
- Campaigns active since 2023, targeting Sweden, Belgium, and Italy.
- Possible cause: CVE-2023-43261, though not confirmed.
- Phishing sites used Telegram bot control and anti-analysis techniques.
Source: Dan Goodin, Ars Technica, “That annoying SMS phish you just got may have come from a box like this,” October 2, 2025.