Reverse engineering and flooding a Smishing Triad / Lighthouse phishing kit that impersonates the California DMV.
On March 20, 2026, a smishing (SMS phishing) message arrived impersonating the California DMV, demanding payment of a fake $6.99 traffic violation. The link pointed to ca.gov-axb.cfd — a phishing domain registered 22 hours earlier, hosted on Alibaba Cloud, operated by the Smishing Triad using the Lighthouse phishing-as-a-service (PhaaS) platform.
This repository documents the full forensic teardown and active disruption response:
- Analyzed the phishing kit — Vue.js 3 SPA with AES-128-CBC encrypted WebSocket communication
- Reverse-engineered the obfuscated JavaScript to extract the encryption key and IV
- Built a Rust flood tool that sends properly encrypted fake victim data at ~24 sessions/second
- Flooded the backend with 100,700+ fake victim sessions and 1.2 million encrypted events (0 errors)
```
.
├── README.md                 # You are here
├── the_hustle.md             # Original smishing message (verbatim)
├── IOC_PACKAGE.md            # Full indicators of compromise package
├── media/
│   ├── cover.gif             # Article cover image
│   └── fuck_around_and_find_out.md  # Full writeup / Dev.to article
├── kit_artifacts/
│   ├── index.html            # Captured phishing page HTML
│   ├── static/
│   │   ├── CPD9iRZf.js       # Main obfuscated kit JS (~263KB)
│   │   ├── BoN34n41.js       # Secondary kit JS (~308KB)
│   │   └── DMjnyGAi.css      # Kit stylesheet
│   ├── decode_path.js        # String table extraction attempt
│   ├── decode_v2.js          # VM-based deobfuscation attempt
│   ├── decode_v3.js          # Full obfuscator block extraction
│   ├── ws_probe.js           # WebSocket path probe script
│   └── capture_ws.js         # Playwright WebSocket capture script
└── lighthouse_flood/
    ├── Cargo.toml
    ├── Cargo.lock
    └── src/
        ├── main.rs           # Flood engine (async WebSocket + AES-128-CBC)
        └── fakegen.rs        # Realistic California PII/CC generator
```
Pure Rust. Async Tokio runtime. Direct WebSocket connections with AES-128-CBC encryption matching the kit's exact protocol. Each session is indistinguishable from a real victim.
```bash
cd lighthouse_flood
cargo build --release

# Quick test (5 sessions, verbose)
./target/release/lighthouse_flood -t https://ca.gov-axb.cfd -n 5 -c 3 -v

# Full flood (100 concurrent, infinite loop)
./target/release/lighthouse_flood -t https://ca.gov-axb.cfd -c 100 -n 0 -d 300 -s 20
```

| Flag | Description | Default |
|---|---|---|
| `-t, --target` | Target phishing URL base | required |
| `-c, --concurrency` | Concurrent WebSocket sessions | 10 |
| `-n, --count` | Total submissions (0 = infinite) | 0 |
| `-d, --step-delay-ms` | Delay between steps in a session | 800 |
| `-s, --spawn-delay-ms` | Delay between spawning sessions | 100 |
| `-v, --verbose` | Show each fake identity and server messages | false |
| Finding | Detail |
|---|---|
| Threat Actor | Smishing Triad / Lighthouse PhaaS (China-based) |
| Kit Stack | Vue.js 3 + Vite + Socket.IO (Engine.IO v4) |
| Encryption | AES-128-CBC, UTF-8 key/IV, PKCS7 padding |
| Socket.IO Path | /console/ (non-standard) |
| Kit Fingerprint | changleField typo in all event names |
| Anti-Analysis | Mobile UA gating, JS string obfuscation, anti-debug |
| Infrastructure | Alibaba Cloud, Chinese DNS, wildcard DNS for multi-state targeting |
| Domain Age | 22 hours from registration to active phishing |
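The two kit fingerprints above (a Socket.IO/Engine.IO v4 handshake on the non-standard `/console/` path, and the `changleField` typo in event names) are enough for a defender to flag this kit's traffic in proxy or WebSocket logs. The detector below is an added example, not code from this repository; the regexes, log format, and sample lines are constructed for illustration.

```python
import re
from typing import Dict, List

# Engine.IO v4 handshakes carry EIO=4 in the query string. Real Socket.IO
# defaults to /socket.io/, so a handshake under /console/ is the first
# fingerprint from the repository's findings (regex is constructed here).
HANDSHAKE_RE = re.compile(r'(?:GET|POST)\s+(/console/)\?[^\s"]*EIO=4')
# Socket.IO event frames over websocket look like 42["eventName",{...}]
# ("4" = Engine.IO MESSAGE, "2" = Socket.IO EVENT). The kit's event names
# all contain the "changleField" typo, the second fingerprint.
EVENT_RE = re.compile(r'42\["([^"]*changleField[^"]*)"')
# Host extraction for the constructed key=value log format used below.
HOST_RE = re.compile(r'\bhost=([A-Za-z0-9.-]+)')


def classify_line(line: str) -> Dict[str, str]:
    """Return the kit indicators matched by one log line (empty dict if none)."""
    hits: Dict[str, str] = {}
    m = HANDSHAKE_RE.search(line)
    if m:
        hits["lighthouse_socketio_path"] = m.group(1)
    m = EVENT_RE.search(line)
    if m:
        hits["lighthouse_event_typo"] = m.group(1)
    if hits:
        h = HOST_RE.search(line)
        hits["host"] = h.group(1) if h else "unknown"
    return hits


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify_line over a log and keep only lines that matched."""
    return [hits for hits in (classify_line(ln) for ln in lines) if hits]


# Constructed sample log: two kit-like lines, two benign Socket.IO lines
# (default /socket.io/ path, ordinary event name) that must not fire.
SAMPLE_LOG = [
    '2026-03-20T14:01:02Z host=ca.gov-axb.cfd "GET /console/?EIO=4&transport=websocket HTTP/1.1" 101',
    '2026-03-20T14:01:03Z host=ca.gov-axb.cfd ws-frame 42["changleField",{"step":"card"}]',
    '2026-03-20T14:05:00Z host=chat.example.com "GET /socket.io/?EIO=4&transport=polling HTTP/1.1" 200',
    '2026-03-20T14:05:01Z host=chat.example.com ws-frame 42["message",{"text":"hi"}]',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```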
Google filed a federal lawsuit against the Lighthouse platform operator (Wang Duo Yu) in November 2025. The FBI IC3 received 2,000+ complaints about this campaign in a single month. The Smishing Triad operates across 194,000+ domains targeting 316+ brands in 74 countries.
This repository is published for threat intelligence, security research, and educational purposes.
MIT
