---
title: "The Infamous Smishing Campaign Roaming Mantis Hits Users in France | Phish Protection"
description: "The Infamous Smishing Campaign Roaming Mantis Hits Users in France: After hitting South Korea, Japan, Taiwan, Germany, the US, and the UK, the Roaming Mantis."
image: "https://phishprotection.com/og/blog/infamous-smishing-campaign-roaming-mantis-hits-users-france.png"
canonical: "https://phishprotection.com/blog/infamous-smishing-campaign-roaming-mantis-hits-users-france/"
---


![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2022/08/what-is-phishing-7679.jpg) 

After hitting South Korea, Japan, Taiwan, Germany, the US, and the UK, the Roaming Mantis campaign recently moved to target **iOS and Android users** in France and likely compromised numerous devices. Here is a look at the Roaming Mantis malware and how such [smishing](/phishing/smishing-organizations-need-to-keep-safe-from-phishing-scam) campaigns affect individuals and organizations.

In March 2018, Japanese media reported hackers targeting the **DNS settings** of routers located in Japan. Roaming Mantis came to light when the hijackers redirected victims to **malicious IP** addresses, leading them to install applications infected with trojans.

These applications contained an [Android banking trojan](https://thehackernews.com/2023/03/xenomorph-android-banking-trojan.html), and what started as a banking trojan evolved quickly into a more dangerous malware. Roaming Mantis appears to be a **financially-motivated** threat actor which targeted many European users in February.

### Tactics & Techniques

The Roaming Mantis malware sends an SMS message to the victim and infects their device. The language inside the **text message** tricks the user into thinking that they have received a shipped package confirmation. Then, they are [asked to open](https://www.bleepingcomputer.com/news/security/roaming-mantis-hits-android-and-ios-users-in-malware-phishing-attacks/) a URL that redirects them to a malicious page designed to steal the victim’s credentials.

For iOS users, the [malware](/content/protection-against-malware/types-of-malware) doesn’t download an application. Instead, the **phishing website** displays a malicious page asking the user to log in to the App Store. The hackers’ address **seems like** a genuine Apple website and reassures the victim everything is well.

![What is phishing](https://media.mailhop.org/phishprotection/images/2022/08/what-is-phishing-7679.jpg) 

### Specifically Targeting Users in France

The [cybersecurity](/content/cybersecurity-in-a-nutshell) firm SEKOIA published a report in which the researchers mentioned that the hackers of the Roaming Mantis group are pushing the **XLoader (MoqHao) payload** on Android devices. _The XLoader (MoqHao) payload is a powerful malware with features like information stealing, remote access, and SMS spamming._

The Roaming Mantis campaign currently targets **French users** and begins with an SMS that urges the victim to click on a URL. If the victim is located in France and uses an iOS device, they get redirected to a **malicious page** that steals their [Apple credentials](https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/iphone-theft-leads-to-stolen-apple-credentials-through-phishing-attack). Android users get pointed to a website that pushes the installation file for a mobile app (an Android Package Kit, APK) onto the victim’s device.

The APK installs and looks like a **Chrome installation** through which the hackers ask for permissions like making phone calls, handling system alerts, getting accounts lists, reading and writing storage, SMS interception, and more.

The C2 (command and control) configuration gets retrieved from the hardcoded Imgur profile destinations that [hackers](/phishing/hackers-now-going-after-software-tools-which-help-workers-collaborate) encode in base64 to **evade detection**. For users outside France, the Roaming Mantis’ servers throw a **404 error**, stopping the attack. 

### Infrastructure Details

SEKOIA’s analysts report that the infrastructure hasn’t changed much since Team Cymru’s analysis of the [Roaming Mantis](https://www.hackread.com/roaming-mantis-malware-dns-changer/) last April. The servers have open ports at TCP/47001, TCP/10081, TCP/5985, and TCP/443, while the **same certificates** from April are currently in use.

The threat actors use **domains** in the SMS text messages that are [either](https://www.avertium.com/resources/threat-reports/roaming-mantis-evolving-phishing-campaign) registered with GoDaddy or use **dynamic DNS services** like duckdns.org, adds the report. The intrusion set utilizes over a hundred subdomains, and many FQDNs resolve to each IP address.

Interestingly, the Roaming Mantis SMS phishing (smishing) operation relies on separate **C2 servers** from those used by the loader. The analysts identified nine of those hosted on VELIANET and EHOSTIDC Autonomous Systems.
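The SMS traits described above (a delivery lure plus a link on a dynamic DNS host such as duckdns.org) can be turned into a simple triage check for reported text messages. This is an added example, not code from SEKOIA or the original article; the keyword list, function names and sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# duckdns.org is the dynamic DNS service named in the article; extend this
# tuple from your own threat intelligence (assumption: suffix list is yours).
DYNDNS_SUFFIXES = ("duckdns.org",)

# Constructed delivery-lure keywords (English and French); tune per locale.
LURE_WORDS = ("package", "parcel", "delivery", "shipped",
              "colis", "livraison", "expédié")

# Links in SMS often lack a scheme, so the scheme is optional. The lookbehind
# skips e-mail domains and matches that would start in the middle of a word.
URL_RE = re.compile(
    r"(?<![\w@.-])(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def extract_hosts(text):
    """Return the lower-cased hostnames of every link found in the message."""
    hosts = []
    for match in URL_RE.finditer(text):
        raw = match.group(0)
        if "://" not in raw:
            raw = "http://" + raw          # let urlsplit parse bare domains
        host = urlsplit(raw).hostname
        if host:
            hosts.append(host.rstrip("."))
    return hosts

def is_dyndns(host):
    """Match on a label boundary so 'notduckdns.org' is not flagged."""
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)

def triage_sms(text):
    """Classify one SMS as 'block', 'review' or 'pass', with the reasons."""
    hosts = extract_hosts(text)
    dyn = sorted({h for h in hosts if is_dyndns(h)})
    lure = any(word in text.lower() for word in LURE_WORDS)
    reasons = []
    if dyn:
        reasons.append("dyndns_host:" + ",".join(dyn))
    if lure and hosts:
        reasons.append("delivery_lure_with_link")
    if dyn and lure:
        return "block", reasons
    return ("review" if reasons else "pass"), reasons

# Constructed sample messages, not taken from the campaign.
SAMPLES = [
    "Votre colis a été expédié. Veuillez le vérifier. http://xk3f9.duckdns.org",
    "Your parcel is waiting: https://tracking.example.com/p/123",
    "Check ABC.DuckDNS.org/login",
    "Lunch at 12? Menu at notduckdns.org",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms), "<-", sms)
```

A "review" verdict is a prompt for an analyst rather than proof of compromise, since legitimate couriers also send tracking links.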

### What is in it for the Adversaries?

SEKOIA analysts confirmed that about 90,000 unique IP addresses requested XLoader from the main [C2 server](https://www.feroot.com/education-center/what-is-a-command-and-control-c2-server/#:~:text=A%20command%2Dand%2Dcontrol%20%28C2%29%20server%20is%20a,%2C%20malicious%20scripts%2C%20and%20more.), signaling that the victim count might be significant. The number of iOS users who might have entered their Apple iCloud credentials on the **malicious** Roaming Mantis webpage is unknown and could be the same or higher.

Threat actors that carry out such smishing campaigns are similar to other [cybercriminals](https://thehackernews.com/2023/04/cybercriminals-turn-to-android-loaders.html) and want to **steal** the victims’ PII (Personally Identifiable Information).

Suppose an adversary, for example, does a good job and impersonates a **financial institution’s website**. In that case, they can lure you into providing your login credentials and use them to pretend to be you. Hackers can either take several small amounts over a long period or large sums of money in a single attack. If they **target several people** like this, they can earn a sizable income.

Besides, the attacker need not log in to a financial institution to profit from your [personal information](https://www.wionews.com/entertainment/bts-star-rms-personal-information-leaked-by-korea-railroad-employee-big-hit-to-take-strict-action-567703). Most people **reuse** their passwords and usernames for several accounts.

For example, they can keep their email address as the username, and although they might hold a robust password that is difficult to guess, they can use the same one repeatedly. Therefore, a threat actor merely needs **one of your passwords** to access several websites and services you may be logged in to if you are not [cyber-hygienic](https://www.redseal.net/cyber-hygiene/).

### Defending Against Smishing

Smishing impacts both organizations and individuals. Below, we discuss tips to **strengthen defenses** from the business and individual perspective:

![Phishing email prevention](https://media.mailhop.org/phishprotection/images/2022/08/phishing-email-prevention-7680.jpg) 

### Defenses for Individuals

A useful rule of thumb is to **avoid clicking** on any text message links.

Enable two-factor or [multi-factor authentication](https://www.onelogin.com/learn/what-is-mfa) methods for most crucial accounts, like email, banking, eCommerce platforms, and online bank applications.

Call your retailer, bank, or relevant government services directly to **verify the authenticity** of any SMS text messages about account lockouts, transactions, suspicious activity, and appointments.

Avoid saving [sensitive information](/cybersecurity/sensitive-information-at-risk-as-a-security-breach-hits-us-marshals-service) on your mobile, like your credit card number or account passwords, because malware can allow **device takeover**, giving cybercriminals free ground to find and use this information easily.

### Defenses for Businesses

Measure the amount of **smishing awareness** among employees by carrying out surveys and include smishing material in regular training materials. It will reduce the susceptibility to falling for these fraudulent text messages by compensating for any knowledge gaps.

Use the [least privilege access principle](https://www.paloaltonetworks.com/cyberpedia/what-is-the-principle-of-least-privilege#:~:text=The%20principle%20of%20least%20privilege%20%28PoLP%29%20is%20an%20information%20security,to%20complete%20a%20required%20task.) to ensure that even if the attacker compromises an employee’s account, your attack surface gets minimized because you have restricted the **access levels** to only what’s necessary for the employee’s job functions and duties.

Use phishing training and [simulation](/products/phishing-simulation) exercises to give employees valuable opportunities to improve their **detection ability** for various social engineering techniques that are common across multiple attack types.

Organizations with a **BYOD policy** allowing their employees to connect their mobile devices to the corporate network and apps can update their policy to include guidance and tips for the employees to **ensure** they don’t fall victim to smishing campaigns.

### Final Words

A relatively new form of [cyberattack](https://www.wsj.com/articles/a-cyberattack-forced-a-logistics-company-to-temporarily-halt-operations-dde27a19), Roaming Mantis has taken smishing campaigns to **new levels**. After targeting European users in February, the malware is now targeting French users.

Such smishing campaigns present new challenges for individuals and businesses. Thus, it is imperative to ensure that the workforce, even those not dealing with confidential information assets, are **adequately trained** and follow robust cyber hygiene to ensure adequate [protection from phishing](/) against such cyber threats.


![Brad Slavin](https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

