Pulse Detail — Threat Intelligence

PULSE NAME

Exposing a Global Smishing Operation Across 19 Countries: Governments, Postal Services, and Telecoms Targeted

WHITE AlienVault 2026-05-27 Modified: 2026-05-28

IOCs

HIGH VOLUME

A coordinated smishing operation spanning 19 countries across Europe, the Americas, and the Caucasus has been exposed, originating from fraudulent SMS messages impersonating Romania's government payment portal Ghișeul.ro. Investigation revealed 1,628 malicious URLs linked by a single 128-character campaign identifier, targeting government portals, traffic police departments, postal services including DPD and SEUR, tax authorities, and telecommunications providers like T-Mobile and Vodafone. The infrastructure utilizes 32 backend IP addresses distributed across Tencent Cloud, Alibaba Cloud, Cloudflare CDN, and ALEXHOST Moldova. Threat actors employ two distinct phishing templates: a Vue.js single-page application and a Bootstrap-based clone, executing a four-stage credential harvesting process that collects complete payment card details through fabricated traffic fines, toll payments, and delivery notifications.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1583 T1204.002 T1566.002 T1598.003 T1586.002 T1608.001 T1583.001 T1560 T1090 T1584 T1586 T1102 T1608 T1583.006 T1204 T1041 T1566 T1078 T1598 T1213 T1584.001

Indicators of Compromise (90)

All FileHash-MD5 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	5756505bc94149dda328a2721561cab6	—	2026-05-27
URL	http://ghisaul.lat/ro	—	2026-05-27
URL	http://ghiseul-ro.cyou/	—	2026-05-27
URL	http://ghiseul-ro.sbs/	—	2026-05-27
URL	http://ghiseul-ro.shop/	—	2026-05-27
URL	http://ghiseul.cfd/pay	—	2026-05-27
URL	http://ghiseul.eu.cc/pay	—	2026-05-27
URL	http://www.ghiseul.ro/ghiseul/public/	—	2026-05-27
URL	http://www.ghiseul.ro/ghiseul/public/css/bootstrap-theme.css	—	2026-05-27
URL	http://www.ghiseul.ro/ghiseul/public/css/bootstrap.min.css	—	2026-05-27
URL	http://www.ghiseul.ro/ghiseul/public/css/font-awesome.min.css	—	2026-05-27
URL	http://www.ghiseul.ro/ghiseul/public/css/jquery-ui.structure.min.css	—	2026-05-27
URL	http://www.ghiseul.ro/ghiseul/public/css/simple-line-icons.css	—	2026-05-27
URL	https://ghiseal.lat/ro/	—	2026-05-27
URL	https://ghiseal.lat/ro/#/index	—	2026-05-27
URL	https://ghiseul.autos/ro/	—	2026-05-27
URL	https://ghiseul.cyou/pay	—	2026-05-27
URL	https://ghisiul.lat/ro/	—	2026-05-27
URL	https://ghizeul.lat/ro/	—	2026-05-27
URL	https://www.ghiseul-ro.bond/ghiseul/public/	—	2026-05-27
URL	https://www.ghiseul-ro.cfd/ghiseul/public/	—	2026-05-27
URL	https://www.ghiseul.govro.one/ghiseul/public/	—	2026-05-27
URL	https://www.ghiseul.ro/ghiseul/public/	—	2026-05-27
URL	https://www.ghiseulro.cyou/ro/	—	2026-05-27
domain	dpd-lv.top	—	2026-05-27
domain	dpde.lat	—	2026-05-27
domain	dpdlv.bond	—	2026-05-27
domain	dsvag.sbs	—	2026-05-27
domain	dsvav.cfd	—	2026-05-27
domain	dsvcv.cfd	—	2026-05-27
domain	dsvxk.cyou	—	2026-05-27
domain	e-csddlv.top	—	2026-05-27
domain	fanveris.cyou	—	2026-05-27
domain	ghisaul.lat	—	2026-05-27
domain	ghiseal.lat	—	2026-05-27
domain	ghiseul-ro.cyou	—	2026-05-27
domain	ghiseul-ro.sbs	—	2026-05-27
domain	ghiseul-ro.shop	—	2026-05-27
domain	ghiseul.autos	—	2026-05-27
domain	ghiseul.cfd	—	2026-05-27
domain	ghiseul.cyou	—	2026-05-27
domain	ghisiul.lat	—	2026-05-27
domain	ghizeul.lat	—	2026-05-27
domain	gobal-store-hub.shop	—	2026-05-27
domain	gov-si.cam	—	2026-05-27
domain	gov-si.qpon	—	2026-05-27
domain	gov-si.sbs	—	2026-05-27
domain	gov-si.xin	—	2026-05-27
domain	gove.lat	—	2026-05-27
domain	govh.lat	—	2026-05-27
domain	govj.lat	—	2026-05-27
domain	govk.lat	—	2026-05-27
domain	govl.lat	—	2026-05-27
domain	govo.lat	—	2026-05-27
domain	govsi.bar	—	2026-05-27
domain	mvr-gov-mk.cyou	—	2026-05-27
domain	mvrbg.ink	—	2026-05-27
domain	mvrbg.life	—	2026-05-27
domain	mvrbg.sbs	—	2026-05-27
domain	mvrcc.lat	—	2026-05-27
domain	mvri.lat	—	2026-05-27
domain	mvrx.lat	—	2026-05-27
domain	roadpolice-am.icu	—	2026-05-27
domain	roadpolice-am.shop	—	2026-05-27
domain	roadspolice.lat	—	2026-05-27
domain	seur-bcdef.cc	—	2026-05-27
domain	seur-cztwp.club	—	2026-05-27
domain	seur-fghij.org	—	2026-05-27
domain	seur-fqlap.cyou	—	2026-05-27
domain	seur-hijkl.cc	—	2026-05-27
domain	seur-hxrz.org	—	2026-05-27
domain	seur-jwqec.link	—	2026-05-27
domain	seur-rmvxq.club	—	2026-05-27
domain	seur-rxkmd.cyou	—	2026-05-27
domain	seur-yzabc.com	—	2026-05-27
domain	seur-zkryw.cloud	—	2026-05-27
domain	tesco-redeem-check.bond	—	2026-05-27
domain	vodafaone.shop	—	2026-05-27
domain	worldmartonline.com	—	2026-05-27
hostname	dpd.ie-com.vip	—	2026-05-27
hostname	e-uprava.gov-si.shop	—	2026-05-27
hostname	e.csdd.govlv.cam	—	2026-05-27
hostname	hoiatustrahv.politsei.gov-ee.bond	—	2026-05-27
hostname	mvr.govmk.cam	—	2026-05-27
hostname	mvr.govmk.one	—	2026-05-27
hostname	sumin.lrv-lt.shop	—	2026-05-27
hostname	www.ghiseul-ro.bond	—	2026-05-27
hostname	www.ghiseul-ro.cfd	—	2026-05-27
hostname	www.ghiseul.govro.one	—	2026-05-27
hostname	www.ghiseulro.cyou	—	2026-05-27

References (1)

↗ https://hunt.io/blog/massive-smishing-campaign-governments-postal-telecoms