SIMjacker is a zero-click SMS-based SIM exploitation technique/malware activity that abuses the S@T Browser, a hidden SIM card application in SIM cards implementing the SIM Alliance Toolkit. Publicly disclosed in 2019 by AdaptiveMobile Security and also linked in later reporting to ENEA, it works by sending a specially formatted binary SMS to the target device. The SMS is processed silently by the SIM rather than displayed to the user, invoking SIM-specific functionality. Reported payload behavior includes requesting local cell information, and public descriptions state the attack can obtain the victim’s location and IMEI and return the data to the attacker via reply SMS.
The content links a SIMjacker-style payload to a long-running espionage campaign affecting potentially thousands of devices. In Citizen Lab reporting, a threat actor designated STA2 used the technique on 2025-02-11 as part of a broader telecom surveillance operation that also involved SS7 probing and Diameter queries. In that case, the actor first sent an SS7 mt-ForwardSM carrying a specially formatted binary SMS designed to exploit the SIM via the S@T Browser, then followed with additional Diameter-based location-query activity. Citizen Lab assessed the payload would have attempted to turn the target device into a covert location beacon through the SIM card.
High-confidence technical details in the cited STA2 case include TP-PID 127 and TP-DCS 22 in the malicious SMS, consistent with a binary SIM toolkit message intended for silent SIM execution. The exfiltration SMS destination in that payload was configured as 423790105651, associated in the report with FL1 Liechtenstein, and the spoofed sender address was 250730091970, mapped to an Airtel Rwanda Global Title range. The activity was associated with commercial-surveillance-style operations targeting mobile subscribers, with Citizen Lab noting overlap between STA2 infrastructure patterns and identifiers associated with Fink Telecom Services. The broader reporting characterizes SIMjacker as a large-scale espionage technique targeting mobile devices through vulnerable SIM cards rather than the handset OS itself.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
4 distinct techniques documented for this family, organized by ATT&CK tactic.
The first STK command instructs the S@T browser to send a proactive command to the phone, requesting information about the network cell it is currently connected to, i.e., Cell Identifier, Location Area Code (LAC), Mobile Network Code (MNC), and Mobile Country Code (MCC).
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A zero-click SMS-based SIM toolkit exploit that abuses the S@T browser on SIM cards to execute hidden commands, retrieve device/location data, and exfiltrate it via silent SMS without user interaction.
SIM Toolkit (S@T browser) exploitation technique/attack that uses specially crafted OTA/binary SMS to trigger SIM-resident commands, enabling covert collection of device/location identifiers (e.g., cell-ID, IMEI) and exfiltration via SMS without user awareness.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.