From a Fake 10086 SMS Scam to Carbanak’s C&C Server Targeting Russia – What You Need to Know
The article recounts a phishing attack in which a counterfeit 10086 SMS led to a bank account being emptied, then examines a security research finding that a command‑and‑control domain used by the Carbanak malware now resolves to an IP address registered to the Russian Federal Security Service, and discusses the broader threat implications.
Phishing SMS impersonating China Mobile (10086)
On May 20, a victim in Foshan received an SMS that appeared to be from China Mobile (10086) claiming that mobile points were about to expire and could be exchanged for cash. The message contained a URL that led to a fake website prompting the installation of a mobile‑management app.
The victim clicked the link and was instructed to download and install the app.
After installation the app could not be uninstalled, and it automatically opened a phishing page that repeated the points‑exchange claim.
The page requested the victim’s phone number and personal information; the data were silently transmitted to the attacker’s backend.
Minutes after she sent a ¥5.20 red packet to her husband, the attacker transferred the entire ¥10,000 balance of her bank account to an external account.
The same “10086 points‑exchange” narrative has been observed in multiple incidents, all delivered through fake base stations (伪基站), which let the attacker set the sender field to 10086 so the message is indistinguishable from a genuine carrier SMS by sender alone. Users should verify the legitimacy of any SMS that asks them to click a link or install software, and should treat a link that does not land on the carrier’s own domain, or that downloads an APK, as a red flag.
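The sender check the article recommends can be turned into a small triage heuristic. The following is an added example, not code from the article: it extracts links from an SMS, checks whether the link host belongs to the domain set the claimed sender actually uses (the allowlist below is an assumption for the example), flags APK downloads, and flags the points‑for‑cash lure when it appears together with a link. The two sample messages are constructed and are not the texts from the incident.

```python
"""SMS phishing triage heuristic (added example; allowlist and samples are assumptions)."""
import re
from urllib.parse import urlparse

# Assumption: domains the real carrier would link to. Replace with the operator's
# published list; anything off-list that claims to be the carrier is suspicious.
SENDER_DOMAINS = {"10086": {"10086.cn", "chinamobile.com"}}

# Matches http(s) URLs and bare domains; the path stops at whitespace or CJK text.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s\u4e00-\u9fff]*)?", re.I)
APK_RE = re.compile(r"\.apk(?:$|[?#/])", re.I)
# Lure vocabulary from the incident: points, exchange, cash, expire (Chinese and English).
LURE_RE = re.compile(r"积分|兑换|现金|过期|points|exchange|cash|expire", re.I)

def host_matches(host, domains):
    """True if host equals one of the allowed domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage_sms(sender, body):
    """Return (verdict, findings). verdict is 'suspicious' or 'no indicators'."""
    findings = []
    urls = URL_RE.findall(body)
    allowed = SENDER_DOMAINS.get(sender, set())
    for raw in urls:
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = urlparse(url).hostname or ""
        if allowed and not host_matches(host, allowed):
            findings.append(f"link host {host} is not a {sender} domain")
        if APK_RE.search(url):
            findings.append(f"link downloads an APK: {raw}")
    if urls and LURE_RE.search(body):
        findings.append("points/cash lure combined with a link")
    return ("suspicious" if findings else "no indicators"), findings

# Constructed samples (not the real messages from the incident).
PHISH = ("【中国移动】您的积分即将过期，可兑换现金，请登录 "
         "http://10086-jf.example-phish.com/app.apk 下载安装")
LEGIT = "您本月账单已出，详情见 http://www.10086.cn"

if __name__ == "__main__":
    for body in (PHISH, LEGIT):
        verdict, why = triage_sms("10086", body)
        print(verdict, why)
```

The domain check is the important one: a fake base station controls the sender field, so "it came from 10086" proves nothing, while the link host is something the attacker cannot fake without owning the carrier's domain.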
Carbanak C2 infrastructure pointing to Russian FSB IP
Trend Micro analysis discovered that the command‑and‑control (C2) domain systemsvc.net, used by the Carbanak banking‑trojan, now resolves to IP address 213.24.76.23. This IP belongs to ASN AS8342 (RTComm.RU) and is registered to the Russian Federal Security Service (FSB) in Moscow.
Carbanak, active since 2013, has compromised more than 100 financial institutions in over 30 countries and is estimated to have stolen roughly US$1 billion. The redirection of its C2 domain to an FSB‑owned address is unusual; Trend Micro analyst Maxim Goncharov suggested the domain owner might be attempting a prank, but the exact motive is unknown.
Kaspersky researchers, who first identified Carbanak, described the group’s operations as among the most complex globally, with members from Russia, Ukraine, China, and several European nations.
Technical indicators:
Domain: systemsvc.net
Resolved IP: 213.24.76.23
ASN: AS8342 (RTComm.RU, Moscow, Russia)
These findings highlight the potential for state‑affiliated infrastructure to appear, intentionally or inadvertently, in criminal C2 networks. For defenders the practical lesson is that a C2 domain can be re‑pointed at any address its registrant chooses, so the domain should remain the primary indicator and a resolution change to an unexpected network should be investigated rather than blocked blindly.
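Two things a SOC would do with the indicators above: match them against DNS logs, and watch for exactly the kind of resolution change Trend Micro observed. The following is an added example, not code from the article or from Trend Micro. The log lines and the passive‑DNS history are constructed; in particular the earlier IP (198.51.100.20, a documentation address) and the dates are placeholders, since the article does not give the domain's previous resolution.

```python
"""IOC matching and passive-DNS drift detection for the Carbanak C2 domain (added example)."""
import ipaddress
import re
from collections import namedtuple

# Indicators from the article.
IOC_DOMAINS = {"systemsvc.net"}
IOC_IPS = {ipaddress.ip_address("213.24.76.23")}

DnsRecord = namedtuple("DnsRecord", "first_seen domain ip")

# Constructed passive-DNS history; the earlier IP and both dates are placeholders.
PDNS = [
    DnsRecord("2016-06-01", "systemsvc.net", ipaddress.ip_address("213.24.76.23")),
    DnsRecord("2016-01-01", "systemsvc.net", ipaddress.ip_address("198.51.100.20")),
]

def resolution_changes(records):
    """Return (domain, old_ip, new_ip) for every change in a domain's resolution, oldest first."""
    last_seen = {}
    changes = []
    for r in sorted(records, key=lambda rec: rec.first_seen):
        prev = last_seen.get(r.domain)
        if prev is not None and prev != r.ip:
            changes.append((r.domain, prev, r.ip))
        last_seen[r.domain] = r.ip
    return changes

# Assumed resolver log format: "<ts> client <ip> query <qname> -> <answer>".
LOG_RE = re.compile(r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qname>\S+) -> (?P<answer>\S+)$")

def scan_dns_log(lines):
    """Return (ts, client, qname, answer, reasons) for each line matching an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        reasons = []
        if qname in IOC_DOMAINS or any(qname.endswith("." + d) for d in IOC_DOMAINS):
            reasons.append("domain")
        try:
            answer = ipaddress.ip_address(m["answer"])
        except ValueError:
            answer = None
        if answer in IOC_IPS:
            reasons.append("ip")
        if reasons:
            hits.append((m["ts"], m["client"], qname, m["answer"], reasons))
    return hits

# Constructed resolver log lines for the example.
SAMPLE_LOG = [
    "2016-06-01T10:00:00Z client 10.0.0.5 query systemsvc.net. -> 213.24.76.23",
    "2016-06-01T10:00:01Z client 10.0.0.7 query www.example.com. -> 93.184.216.34",
    "2016-06-01T10:00:02Z client 10.0.0.9 query update.systemsvc.net. -> 198.51.100.7",
    "2016-06-01T10:00:03Z client 10.0.0.5 query other.test. -> 213.24.76.23",
]

if __name__ == "__main__":
    for change in resolution_changes(PDNS):
        print("resolution changed:", change)
    for hit in scan_dns_log(SAMPLE_LOG):
        print("IOC hit:", hit)
```

The two reason tags matter when the IP belongs to someone else's network: a "domain" hit is strong evidence of a Carbanak lookup, while an "ip"-only hit on 213.24.76.23 could be unrelated traffic to the address's real owner and should be triaged before any host is declared compromised.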
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Source: ITPUB, official account sharing technical insights, community news, and events.