Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors

PayTool

Also known asPayTool

PayTool is a phishing and fraud threat actor/ecosystem targeting Canadians, primarily through SMS-based social engineering and traffic violation or fine-payment scams. Reporting describes the activity as an interconnected phishing ecosystem and fraud framework aligned with high-fidelity impersonation of Canadian government services and major brands, including the Government of Canada, provincial traffic/payment services, Canada Post, Air Canada, PayBC, CRA, and 407 ETR. Victims are lured with urgent themes such as unpaid fines, legal action, license suspension, failed deliveries, tax refunds, and booking issues, then directed to fake portals and payment pages designed to harvest PII, financial data, and banking credentials. Observed tradecraft includes smishing, malicious advertisements, SEO poisoning, typosquatting, URL shorteners, province-specific phishing domains, generic fallback domains for rotation when sites are blocked, and fake validation workflows that accept arbitrary values before redirecting victims to fraudulent payment gateways. Infrastructure described in reporting includes a fake “Government of Canada” or “Traffic Ticket Search Portal” experience that routes users to province-specific phishing sites, as well as Air Canada-themed typosquat sites that clone legitimate branding assets. Flare Research reported 37 scam websites associated with PayTool in the past 12 months and identified over 900 potential victims in a current campaign. CloudSEK reported over 70 canada.ca-impersonating sites on a single IP and assessed that the operation is being commercialized as phishing-as-a-service. The group’s tactics were noted as resembling those used by Chinese-speaking threat actors targeting the United States, but the provided content does not attribute PayTool to a nation state. A related underground seller alias, “theghostorder01,” was reported as marketing phishing kits aligned with this ecosystem, including kits mimicking Ontario driver’s license renewal and advertising theft of Interac e-Transfer credentials, card data, and other personal information.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • consumer
IOCS

Observables

1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

1 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
security online infoNews
Jan 28, 2026
The "PayTool" Trap: Massive Fraud Cluster Impersonates Canada Gov & Air Canada

Fraud/phishing ecosystem used to run high-fidelity impersonation campaigns (Government of Canada/provincial fine payment portals, Canada Post-style lures) primarily via smishing, with resilient domain rotation to sustain operations when domains are blocked.

Read more
cloudsek blogNews
Jan 27, 2026
Pivoting From PayTool: Tracking Various Frauds and E-Crime Targeting Canada | CloudSEK

Phishing/smishing ecosystem impersonating Canadian provincial/federal traffic ticket and fine-payment services (e.g., PayBC, ServiceOntario, 'Traffic Ticket Search Portal – Government of Canada') and expanding into adjacent brand-impersonation fraud (Canada Post parcel/redelivery and Air Canada booking). Uses fake validation steps followed by fraudulent payment pages to harvest PII and financial data (credit cards, Interac e-Transfer credentials). Maintains reusable templates, bulk-registered/keyword domains, and shared hosting to enable rapid rotation when domains are blocked.

Read more
flareio blogNews
Jan 9, 2026
New Threat Actor Group PayTool Targets Canadians with Traffic Scams

PayTool is conducting large-scale SMS phishing (smishing) campaigns targeting Canadians with traffic-related scams. They impersonate government agencies and private firms to steal personal and financial information, which is then used for fraudulent purchases and currency conversion.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables1

Domains, IPs, and hashes tied to this actor, refreshed continuously.