{ "type": "IPv4", "indicator": "47.80.70.114", "general": { "whois": "http://whois.domaintools.com/47.80.70.114", "reputation": 0, "indicator": "47.80.70.114", "type": "IPv4", "type_title": "IPv4", "base_indicator": { "id": 4333936720, "indicator": "47.80.70.114", "type": "IPv4", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69f1fa3e73a0897558593b04", "name": "Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns", "description": "Since January 2025, researchers identified over 2,500 phishing domains targeting more than 70 organizations across financial services, telecommunications, and logistics sectors globally. Two dominant smishing campaigns were discovered: Reward Points phishing impersonating banks and telecom providers, and Failed Parcel Delivery phishing mimicking logistics companies. Despite different themes, both campaigns share infrastructure and utilize the Phoenix System administrative panel, a successor to the Mouse System. This Phishing-as-a-Service platform offers real-time victim monitoring, geofencing, IP-based filtering, and live-phishing interventions to bypass multi-factor authentication. The platform is distributed via Telegram channels for approximately $2,000 annually, providing threat actors with pre-built templates, traffic filtering mechanisms, and real-time victim management dashboards. Attackers potentially leverage fake Base Transceiver Stations to bypass carrier-level filtering and deliver messages app...", "modified": "2026-05-29T12:25:38.288000", "created": "2026-04-29T12:31:58.118000", "tags": [ "credential harvesting", "smishing", "phaas", "mfa bypass", "phoenix system", "financial fraud", "bts injection" ], "references": [ "https://www.group-ib.com/blog/phoenix-phaas-kit-smishing/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Finance", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "IPv4": 15, "URL": 9 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 386446, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "69f346273f2ed62ca398cfd8", "name": "Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns", "description": "The Group-IB research report reveals the existence of the \"Phoenix System,\" an advanced Phishing-as-a-Service (PhaaS) platform used in global smishing campaigns across regions such as APAC, LATAM, Europe, and MEA. This platform facilitates cybercriminals by offering integrated tools for real-time victim monitoring, geofencing, and live intervention to bypass multi-factor authentication. Since January 2025, a notable increase in smishing campaigns has been observed, particularly targeting sectors like financial services, logistics, and telecommunications, with over 2,500 phishing domains identified and more than 70 organizations affected.", "modified": "2026-05-30T12:03:33.616000", "created": "2026-04-30T12:08:07.793000", "tags": [], "references": [ "https://www.group-ib.com/blog/phoenix-phaas-kit-smishing/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1587.002", "name": "Code Signing Certificates", "display_name": "T1587.002 - Code Signing Certificates" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" } ], "industries": [ "Finance", "Transportation", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "7 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69f97a5ecbeb7d1de2f6866f", "name": "Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns", "description": "", "modified": "2026-05-29T12:25:38.288000", "created": "2026-05-05T05:04:30.020000", "tags": [ "credential harvesting", "smishing", "phaas", "mfa bypass", "phoenix system", "financial fraud", "bts injection" ], "references": [ "https://www.group-ib.com/blog/phoenix-phaas-kit-smishing/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Finance", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": "69f1fa3e73a0897558593b04", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 15, "URL": 9 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "69f91415461df47226894741", "name": "ugugyguguguyguyguyguyguyguyguyg", "description": "The full text of this article, published on Wednesday, is subject to copyright. and will not be published again until after the end of the year, but it is possible to find a link.", "modified": "2026-05-04T21:48:05.343000", "created": "2026-05-04T21:48:05.343000", "tags": [ "indicator name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 49, "FileHash-MD5": 32, "FileHash-SHA1": 31, "FileHash-SHA256": 75, "URL": 38, "domain": 38, "hostname": 286 }, "indicator_count": 549, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "25 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "69f64e5ad6a8f740297614e5", "name": "Large Scale Smishing & Credential Harvesting Campaign using Phoenix PhaaS", "description": "Phishing as a Service platform called Phoenix provides ready made tools and infrastructure which enables large scale smishing campaigns.", "modified": "2026-05-02T19:19:54.218000", "created": "2026-05-02T19:19:54.218000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 15, "URL": 9 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 } ], "references": [ "https://www.group-ib.com/blog/phoenix-phaas-kit-smishing/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [ "Finance", "Technology", "Telecommunications" ] }, "other": { "adversary": [], "malware_families": [], "industries": [ "Finance", "Technology", "Transportation", "Telecommunications" ] } } }, "false_positive": [], "validation": [], "asn": "ASNone ", "city_data": true, "city": null, "region": null, "continent_code": "NA", "country_code3": "USA", "country_code2": "US", "subdivision": null, "latitude": 37.751, "postal_code": null, "longitude": -97.822, "accuracy_radius": 1000, "country_code": "US", "country_name": "United States of America", "dma_code": 0, "charset": 0, "area_code": 0, "flag_url": "/assets/images/flags/us.png", "flag_title": "United States of America", "sections": [ "general", "geo", "reputation", "url_list", "passive_dns", "malware", "nids_list", "http_scans" ] }, "geo": { "asn": "ASNone ", "city_data": true, "city": null, "region": null, "continent_code": "NA", "country_code3": "USA", "country_code2": "US", "subdivision": null, "latitude": 37.751, "postal_code": null, "longitude": -97.822, "accuracy_radius": 1000, "country_code": "US", "country_name": "United States of America", "dma_code": 0, "charset": 0, "area_code": 0, "flag_url": "/assets/images/flags/us.png", "flag_title": "United States of America" }, "geo_ipapicom": { "country": "Philippines", "country_code": "PH", "region": "Metro Manila", "city": "Manila", "zip": "1003", "latitude": 14.5971, "longitude": 120.9798, "timezone": "Asia/Manila", "isp": "Alibaba.com LLC", "org": "Delta Centric LLC, Zenlayer Inc", "asn": "AS45102 Alibaba (US) Technology Co., Ltd.", "asn_name": "ALIBABA-CN-NET", "is_proxy": false, "is_hosting": true, "source": "ip-api.com" }, "pulse_count": 5, "pulses": [ { "id": "69f1fa3e73a0897558593b04", "name": "Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns", "description": "Since January 2025, researchers identified over 2,500 phishing domains targeting more than 70 organizations across financial services, telecommunications, and logistics sectors globally. Two dominant smishing campaigns were discovered: Reward Points phishing impersonating banks and telecom providers, and Failed Parcel Delivery phishing mimicking logistics companies. Despite different themes, both campaigns share infrastructure and utilize the Phoenix System administrative panel, a successor to the Mouse System. This Phishing-as-a-Service platform offers real-time victim monitoring, geofencing, IP-based filtering, and live-phishing interventions to bypass multi-factor authentication. The platform is distributed via Telegram channels for approximately $2,000 annually, providing threat actors with pre-built templates, traffic filtering mechanisms, and real-time victim management dashboards. Attackers potentially leverage fake Base Transceiver Stations to bypass carrier-level filtering and deliver messages app...", "modified": "2026-05-29T12:25:38.288000", "created": "2026-04-29T12:31:58.118000", "tags": [ "credential harvesting", "smishing", "phaas", "mfa bypass", "phoenix system", "financial fraud", "bts injection" ], "references": [ "https://www.group-ib.com/blog/phoenix-phaas-kit-smishing/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Finance", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "IPv4": 15, "URL": 9 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 386446, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "69f346273f2ed62ca398cfd8", "name": "Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns", "description": "The Group-IB research report reveals the existence of the \"Phoenix System,\" an advanced Phishing-as-a-Service (PhaaS) platform used in global smishing campaigns across regions such as APAC, LATAM, Europe, and MEA. This platform facilitates cybercriminals by offering integrated tools for real-time victim monitoring, geofencing, and live intervention to bypass multi-factor authentication. Since January 2025, a notable increase in smishing campaigns has been observed, particularly targeting sectors like financial services, logistics, and telecommunications, with over 2,500 phishing domains identified and more than 70 organizations affected.", "modified": "2026-05-30T12:03:33.616000", "created": "2026-04-30T12:08:07.793000", "tags": [], "references": [ "https://www.group-ib.com/blog/phoenix-phaas-kit-smishing/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1587.002", "name": "Code Signing Certificates", "display_name": "T1587.002 - Code Signing Certificates" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" } ], "industries": [ "Finance", "Transportation", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "7 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69f97a5ecbeb7d1de2f6866f", "name": "Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns", "description": "", "modified": "2026-05-29T12:25:38.288000", "created": "2026-05-05T05:04:30.020000", "tags": [ "credential harvesting", "smishing", "phaas", "mfa bypass", "phoenix system", "financial fraud", "bts injection" ], "references": [ "https://www.group-ib.com/blog/phoenix-phaas-kit-smishing/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Finance", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": "69f1fa3e73a0897558593b04", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 15, "URL": 9 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "69f91415461df47226894741", "name": "ugugyguguguyguyguyguyguyguyguyg", "description": "The full text of this article, published on Wednesday, is subject to copyright. and will not be published again until after the end of the year, but it is possible to find a link.", "modified": "2026-05-04T21:48:05.343000", "created": "2026-05-04T21:48:05.343000", "tags": [ "indicator name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 49, "FileHash-MD5": 32, "FileHash-SHA1": 31, "FileHash-SHA256": 75, "URL": 38, "domain": 38, "hostname": 286 }, "indicator_count": 549, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "25 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "69f64e5ad6a8f740297614e5", "name": "Large Scale Smishing & Credential Harvesting Campaign using Phoenix PhaaS", "description": "Phishing as a Service platform called Phoenix provides ready made tools and infrastructure which enables large scale smishing campaigns.", "modified": "2026-05-02T19:19:54.218000", "created": "2026-05-02T19:19:54.218000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 15, "URL": 9 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "47.80.70.114", "type": "IPv4" }, "abuseipdb": { "error": "AbuseIPDB daily limit reached (1,000/day).", "indicator": "47.80.70.114" }, "urlhaus": { "indicator": "47.80.70.114", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780169890.4867659 }