Panda Shop
Panda Shop is a smishing toolkit associated in reporting with China-based cybercriminal activity and described as operating in a crime-as-a-service ecosystem. It has been reported as a new smishing kit that mimics the tactics and kit model of the China-linked Smishing Triad, while adding improved features and new templates. Multiple actors were reported using the kit.
Reported delivery channels include Apple iMessage and Google RCS, with additional use of SMS gateways and specialized operator-grade messaging equipment. One report specifically states the operation used compromised Apple iCloud accounts to send malicious links to counterfeit websites. Panda Shop has been described as impersonating postal and delivery services including India Post, USPS, and Royal Mail, and also using Google Wallet and Apple Pay themed lures.
Its objective is theft of credentials, payment data, and personal data. Reported capabilities include harvesting payment-card data and personally identifiable information through counterfeit phishing sites and intercepting transactions. Reporting also links the activity to downstream fraud, including carding, NFC-enabled fraud, and money-laundering chains, and characterizes the targeting as global, consumer-focused, and large-scale.
The kit was reportedly distributed through Telegram channels. Resecurity stated it identified vulnerabilities in the Panda Shop kit that enabled access to data associated with more than 108,000 victims. Reporting also cites threat-actor chatter claiming a single actor could send up to 2,000,000 smishing messages per day, though that figure is an unverified claim from the cited reporting rather than a confirmed operational metric.
Groups observed using it
1 distinct threat actor attributed by public researchers.
"Resecurity found a new smishing kit called ‘Panda Shop,’ mimicking Smishing Triad tactics with improved features and new templates."
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Unlike traditional SMS phishing, which depends on mobile carriers, these actors exploit internet-based messaging systems... By leveraging compromised Apple and Gmail accounts, the group bypasses SMS carrier detection and enhances delivery via encrypted messaging services.
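The delivery and lure details above (brand impersonation of India Post, USPS, Royal Mail, Google Wallet and Apple Pay; links to counterfeit sites; messages arriving over iMessage and RCS from compromised Apple and Gmail accounts, where carrier-side SMS filtering never sees them) mean that the practical control is a check on message content and link hosts. The Python below is an added example written for this page, not code from the profile, from Resecurity's reporting, or from the kit itself. The brand-to-domain allow-list, the email-style-sender heuristic, and the sample messages (whose hosts use the reserved .example TLD) are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Brand keyword -> hostnames the brand legitimately uses.
# ASSUMPTION: illustrative allow-list for this example; a real deployment
# would take it from a maintained brand/domain inventory.
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "royal mail": {"royalmail.com"},
    "india post": {"indiapost.gov.in"},
    "apple pay": {"apple.com"},
    "google wallet": {"google.com"},
}

# Matches scheme-less links too, since smishing lures often omit "https://".
# Limitation: a missing space after a period ("parcel.Please") also matches;
# a production parser should be public-suffix aware.
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/[^\s]*)?",
    re.IGNORECASE,
)


def extract_hosts(text):
    """Return lowercase hostnames for every URL-looking token in the message."""
    hosts = []
    for m in URL_RE.finditer(text):
        raw = m.group(0)
        if "://" not in raw:
            raw = "http://" + raw  # urlsplit needs a scheme to locate the host
        host = urlsplit(raw).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def mentioned_brands(text):
    """Brands whose keyword appears anywhere in the message (body or link)."""
    lowered = text.lower()
    return [b for b in BRAND_DOMAINS if b in lowered]


def host_is_legitimate(host, brand):
    """True when host is the brand's domain or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def brand_embedded_in_host(host, brand):
    """Catches usps-redelivery.example and indiapost.gov.in.verify.example styles."""
    token = brand.replace(" ", "")
    return token in host.replace("-", "").replace(".", "")


def triage(text, sender=""):
    """Score one message; returns {'verdict': 'suspicious'|'clean', 'reasons': [...]}."""
    reasons = []
    brands = mentioned_brands(text)
    for host in extract_hosts(text):
        for brand in brands:
            if host_is_legitimate(host, brand):
                continue
            if brand_embedded_in_host(host, brand):
                reasons.append(f"'{brand}' embedded in non-brand host {host}")
            else:
                reasons.append(f"'{brand}' lure links to unrelated host {host}")
    # ASSUMPTION: carrier short codes and E.164 numbers carry no '@'; an
    # email-style sender means the lure came over iMessage/RCS from a personal
    # account, matching the compromised-account delivery the page reports.
    if brands and "@" in sender:
        reasons.append(f"brand lure sent from consumer account {sender}")
    return {"verdict": "suspicious" if reasons else "clean", "reasons": reasons}


# Constructed sample messages and senders; hosts use the reserved .example TLD.
SAMPLES = [
    ("USPS: your package could not be delivered. Confirm your address at "
     "usps-redelivery-fee.example/confirm", "jane.doe.2291@icloud.example"),
    ("Royal Mail: a parcel is waiting for you. Track at "
     "https://www.royalmail.com/track-your-item", "RoyalMail"),
    ("Your India Post shipment is on hold: "
     "http://indiapost.gov.in.verify-parcel.example/in", "parcelalerts@gmail.example"),
    ("Lunch at 1? Check the menu at https://example.com/menu", "+15550100"),
]

if __name__ == "__main__":
    for text, sender in SAMPLES:
        result = triage(text, sender)
        print(result["verdict"], "|", text[:45], "|", result["reasons"])
```

Run as a script to get one verdict per sample. The host check compares the whole hostname against the allow-list instead of searching for the brand name inside the URL, which is what catches the indiapost.gov.in.verify-parcel.example prefix lookalike while still passing www.royalmail.com; a real pipeline should add public-suffix handling and a maintained brand inventory rather than the constants shown here.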
Persistence
1 technique
Privilege Escalation
1 technique
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Smishing/phishing toolkit used to send fraudulent iMessage lures (via compromised iCloud accounts) impersonating postal/delivery services and directing victims to counterfeit sites to steal personal and financial data; distributed via Telegram channels.
A Crime-as-a-Service smishing kit used at massive scale to deliver smishing via Google RCS, Apple iMessage, and SMS gateways; includes templates targeting Google Wallet and Apple Pay to harvest credit card data and PII and to intercept transactions for fraud.