Error 524 Decoy Campaign Uses Brand Impersonation to Phish Mobile Users
ID: 31aaa370-d805-5022-affc-f5b9b2d6055b
STIX ID: report--31aaa370-d805-5022-affc-f5b9b2d6055b
Feed Name: GBHackers
Group-IB reports an active, large-scale smishing/phishing campaign, under way since H2 2025, that targets mobile users across LATAM, Europe, APAC and North America by impersonating hundreds of brands. The operation uses SMS lures, spoofed numbers, shortened URLs and a layered anti-analysis architecture: Cloudflare “Error 524” decoy pages for non-targets, client-side geolocation/device checks to serve mobile-targeted phishing, a Base64-encoded single-page app that decodes malicious logic at runtime, and encrypted WebSocket channels for real-time exfiltration of PII and payment card data. The infrastructure relies on Cloudflare plus Tencent/Alibaba hosting and rapid domain rotation, which gives the campaign scale and takedown resistance.
