Government services are increasingly relying on SMS as a channel to send notifications such as fines, toll reminders and payment alerts. It is fast, convenient, and the general public tends to trust a text from an official sender. This trust is what scammers are looking to take advantage of.
Group-IB researchers have been tracking a smishing campaign that is impersonating the identity of Putevi Srbije, Serbia’s state road authority. Victims get a text claiming they have an unpaid traffic fine. They click a link. They land on a fake government website that looks real enough to fool most people. They enter their card details. And then the money is gone.
While this blog tracks a localized campaign, the scheme is not a one-off. The infrastructure and methods point to two well-known Phishing-as-a-Service (PhaaS) platforms: Darcula and Phoenix. Both have been used to run similar campaigns against victims in dozens of countries. According to previous Group-IB research titled “The Rise of Fake Shipment Tracking Scams in MEA”, Darcula is a Chinese-language PhaaS platform that first appeared in 2023 and has since been tied to attacks on government bodies, airlines, postal services, and financial institutions worldwide. Phoenix, documented in separate Group-IB research titled “Phoenix Rising”, operates through a centralized administrative panel that lets operators manage multiple phishing campaigns across different countries and industries.
This blog explains how the scam scheme works, why it’s linked to these PhaaS kits, and what the indicators look like.
Group-IB customers can access our Threat Intelligence and Fraud Protection portals for more information about the scam scheme described in this blog:

The text message
Victims first receive a text message saying that an unpaid traffic fine registered by the Serbian road authority is awaiting payment, and that the amount will increase if it is not paid within the given timeframe. The link in the message looks legitimate, and the urgent tone pushes the victim to act without checking.
This kind of trick works because it plays on something people are naturally afraid of: getting into trouble with the authorities. It requires no particular technical skill to implement, which is why the scheme is so popular.

Figure 1: Examples of phishing SMS informing of fake traffic fines (with English translation).

The fraudulent link in the malicious SMS redirects the victim to a cloned website with accurate logos, colours and language that looks like a legitimate government payment portal. The victim is asked to confirm their personal details and pay the fine, which means entering their card number, expiry date and CVV.
To make it look more legitimate, the page may show fake case reference numbers and timestamps, as if the violation were already on record in an official system. Some versions also include a payment deadline after which the fine supposedly increases. All of this is designed to make the victim pay as fast as possible.

Figure 2: Example of the phishing website landing page impersonating Serbia’s state road authority.


Figure 3: Example of the phishing page with fake case reference numbers and timestamps of the supposed violation to make the ruse more believable.


Figure 4: Fake payment portal designed to steal victim payment data.

As soon as the victims submit their card details, the data is sent straight to the attackers. From there it can be used immediately for fraudulent purchases, sold on underground markets, or kept for follow-up scams. Most victims only realize what happened when they see an unexpected charge on their bank statement.
The technical setup behind this campaign is consistent with what Group-IB and other researchers have documented for Darcula. Darcula, a Chinese-language PhaaS platform with more than 200 phishing templates, uses infrastructure with the same characteristics as the one seen in this campaign. The platform targets users worldwide by impersonating government bodies, postal services, financial institutions, and more.
What we observed in this Serbian campaign fits the pattern: disposable domains that mimic a trusted authority, cloned websites that harvest card data, JavaScript that hides the scam from automated scanning tools, and fast infrastructure rotation to stay ahead of takedowns.
A subset of the domains in this campaign are also consistent with Phoenix, another PhaaS platform that Group-IB researchers uncovered while analyzing global smishing operations spanning APAC, LATAM, Europe, and MEA. Phoenix is built around a centralized administrative panel that allows operators to manage multiple phishing campaigns simultaneously across different countries and industries.
The phishing infrastructure analyzed in this blog relies on lightweight, disposable web components designed to evade automated detection while remaining fully functional for end users. One notable observation is the use of client-side content obfuscation, implemented in JavaScript across the landing pages. The visible page text is not embedded directly in the HTML; it is stored in encoded form and rendered dynamically in the browser at runtime. This makes the phishing pages considerably harder to detect by static inspection, because the scam-related keywords are absent from the raw source code.
Below are some examples of the template pages observed as part of this scam scheme, which use this technique to avoid automated detection.

Figure 5: Some of the template pages available within the analyzed phishing infrastructure.

The obfuscation mechanism hides encoded content in HTML elements and attributes and decodes it only after the page has finished loading, or when a given section scrolls into view. Because execution is delayed and rendering depends on the user's viewport, crawlers, security scanners and headless browsers that snapshot the page on load are unlikely to capture the decoded content. This behaviour indicates that the attackers are trying to evade signature-based systems and automated takedown mechanisms. The protection is only skin-deep, however: the encoded strings are still present in the HTML, so a scanner that Base64-decodes the relevant attributes, or one that waits for idle time and scrolls the page before capturing it, recovers the full text.
Additionally, the decoding logic is designed to operate continuously, monitoring for newly injected content and ensuring that dynamically loaded elements are rendered correctly for the victim. This shows that the infrastructure is optimized for scalability and reuse, allowing the same phishing framework to be rapidly deployed across multiple domains with minimal modification. Such obfuscation techniques significantly increase the resilience of the phishing infrastructure, and are consistent with modern fraud operations that prioritize speed, low cost, and evasion over complex backend systems.
The core decoder function
window.decodeObfuscatedContent = function(rootElement) {
  // Decode a subtree, or the whole document when no root is given
  const root = rootElement || document.body;
  const elements = root.querySelectorAll('z-span[data-preload="true"], z-strong[data-preload="true"]');
  if (elements.length === 0) return;
  // ... per-element decoding follows (next fragment)
This defines the main decoding function and exposes it on window so the other triggers can call it. It scans the page, or a given subtree, for the custom elements z-span and z-strong that carry encoded text and are flagged with data-preload="true"; if none are found it returns early.
Decoding each element
for (const el of elements) {
  const dataAttr = el.getAttribute('data-data'); // encoded text, see below
  const decodedWord = decodeURIComponent(atob(dataAttr));
  el.setAttribute('data-content', decodedWord);
  el.removeAttribute('data-preload');
}
For each flagged element, the script reads the encoded text from its data-data attribute, Base64-decodes it and reverses the percent-encoding, then stores the readable text in a data-content attribute for the page to render and removes the data-preload flag so the element is not processed again.
Idle execution
const runWhenIdle = window.requestIdleCallback || function(cb) { setTimeout(cb, 1); };
runWhenIdle(() => { ... });
The decoding is scheduled to run during idle browser time rather than immediately. This avoids blocking the page from rendering and reduces the chance that automated scanners capture the decoded content during a timed page load.
Initial page load trigger
if (document.readyState === 'loading') {
  document.addEventListener('DOMContentLoaded', function() {
    window.decodeObfuscatedContent();
  });
} else {
  window.decodeObfuscatedContent();
}
If the document is still being parsed, the decoder waits for DOMContentLoaded; otherwise it runs immediately. Either way it makes one pass over the whole page to decode every element present at load time.
Viewport-based decoding
const decodeObserver = new IntersectionObserver(
  (entries, observer) => {
    for (const entry of entries) {
      if (entry.isIntersecting) {
        window.decodeObfuscatedContent(entry.target);
        observer.unobserve(entry.target); // decode each section once
      }
    }
  },
  { rootMargin: '200px 0px' }
);
This uses the browser's IntersectionObserver API to decode content only when a section of the page is about to scroll into the user's view; the 200px rootMargin fires the callback slightly before the element becomes visible, and each target is unobserved after its first decode.
Continuous monitoring for new content
setInterval(observeContainers, 2000);
Every two seconds, the script calls observeContainers (a kit helper whose body is not shown here) to find any newly added encoded elements and register them with the observer for decoding.
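The decoder walkthrough above also tells a defender how to undo the trick. The following Node.js script is an added example, not code from the kit or from Group-IB: it locates the z-span/z-strong elements flagged with data-preload="true" in raw HTML, decodes their payload the same way the kit's decodeURIComponent(atob(...)) does, and compares keyword hits before and after decoding, so a scanner gets the lure text without executing the page. The attribute name data-data (as described in the walkthrough), the encoding btoa(encodeURIComponent(text)) and the sample page are assumptions for illustration.

```javascript
// Added example, not the kit's or Group-IB's code: statically recover text hidden
// in <z-span>/<z-strong data-preload="true"> elements without running the page.
// Assumptions: payload lives in data-data and was produced with
// btoa(encodeURIComponent(text)), the inverse of the kit's decoder. Node.js, no deps.

// Kit-side encoder (mirrors the browser's btoa(encodeURIComponent(text)));
// used here only to build a realistic sample page.
function encodeObfuscated(text) {
  return Buffer.from(encodeURIComponent(text), 'latin1').toString('base64');
}

// Server-side equivalent of decodeURIComponent(atob(value)). Returns null on
// malformed input instead of throwing, so one bad element cannot abort a scan.
// Note: Buffer is more lenient than atob() about invalid Base64 characters.
function decodeObfuscated(value) {
  try {
    const ascii = Buffer.from(value, 'base64').toString('latin1'); // atob()
    return decodeURIComponent(ascii);
  } catch (e) {
    return null;
  }
}

// Match only what the kit's selector would decode: z-span/z-strong carrying
// data-preload="true" (attribute order inside the tag does not matter).
const PRELOAD_TAG_RE = /<z-(?:span|strong)\b[^>]*\bdata-preload="true"[^>]*>/gi;
const DATA_ATTR_RE = /\bdata-data="([^"]*)"/i;

// Return the hidden strings in document order.
function extractHiddenText(html) {
  const found = [];
  for (const match of html.matchAll(PRELOAD_TAG_RE)) {
    const attr = DATA_ATTR_RE.exec(match[0]);
    if (!attr) continue;
    const text = decodeObfuscated(attr[1]);
    if (text !== null) found.push(text);
  }
  return found;
}

// Keyword check before and after decoding: the raw source typically yields
// nothing, while the decoded strings expose the lure.
const SCAM_KEYWORDS = ['fine', 'card number', 'cvv']; // constructed list, tune per campaign

function scanForKeywords(html, keywords = SCAM_KEYWORDS) {
  const hidden = extractHiddenText(html);
  const rawLower = html.toLowerCase();
  const decodedLower = hidden.join('\n').toLowerCase();
  return {
    hidden,
    rawHits: keywords.filter((k) => rawLower.includes(k)),
    decodedHits: keywords.filter((k) => decodedLower.includes(k)),
  };
}

// Constructed sample page in the kit's style (not a captured phishing page).
// The third element is not flagged, so the kit's selector (and this scanner) skip it.
const SAMPLE_HTML = [
  '<html><body>',
  `<z-span data-preload="true" data-data="${encodeObfuscated('Unpaid traffic fine: 3.500 RSD')}"></z-span>`,
  `<z-strong data-data="${encodeObfuscated('Enter card number and CVV')}" data-preload="true"></z-strong>`,
  '<z-span data-preload="false" data-data="aWdub3JlZA==">already rendered</z-span>',
  '</body></html>',
].join('\n');

console.log(scanForKeywords(SAMPLE_HTML));
```

Run with `node scanner.js`: rawHits comes back empty while decodedHits lists every keyword, which is exactly the gap a static signature engine falls into. The regex approach is deliberate; a full HTML parser is not needed because the attribute values are plain Base64 and cannot contain quotes or angle brackets.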
This scheme involves multiple stages and actions, which suggests a coordinated operation run by a team of fraudsters with dedicated roles, rather than a single individual.
The rise of scams like this one in Serbia shows how easily attackers can exploit public trust in government services. By mimicking official road authorities and using technical tricks to hide from security systems, fraudsters have built an effective machine for stealing payment details.
This campaign also shows something worth noting: it carries signs of both Darcula and Phoenix, two separate PhaaS platforms, working within the same operation. Defenders should not assume that one campaign means one platform. Fraudsters can now mix and match tools from different kits, showing just how accessible these platforms have become.
Whether you are an individual or part of an organization, staying alert, verifying sources directly, and questioning unexpected requests for payment remain your best defenses. Urgency and official looking messages are red flags, no matter which platform is behind them.
Phishing-as-a-Service (PhaaS) is a scalable, subscription-based cybercrime model that lowers the technical barrier to entry for threat actors. By using a PhaaS, cybercriminals can rapidly deploy fraudulent campaigns and replicate proven attack workflows with minimal technical overhead.
It is a similar operating model to Ransomware-as-a-Service (RaaS), which you can read more about on the Group-IB Knowledge Hub.
Indications that two separate PhaaS platforms, Darcula and Phoenix, were used in a single operation demonstrate that fraudsters are now able to mix and match tools from different vendors.
Fraudsters behind this scheme primarily target Serbian road users through the impersonation of the Serbian road transport authority and sending fake traffic fine notifications through SMS phishing.
Victims tricked into paying the fake fine through the phishing website have their banking card and payment data stolen. This data can be used to incur other fraudulent charges or sold on the dark web.

Darcula-connected domains
putevs[.]cc
putevie-srbije[.]help
putevti-srbije[.]help
putevii-srbije[.]help
putevi-srbile[.]help
putevi-srbijezt[.]homes
puteva[.]cc
putevi-srbije[.]help
Phoenix-connected domains
putevis-srbbije[.]top
putevisteetc[.]cc
putevi-srbije[.]icu
putevismetc[.]cc
putevi-srbijebc[.]homes
putevi-srbijeba[.]homes
putevi-srbijeah[.]homes
putevi-srbijeaf[.]help
putevissdeoetc[.]top
putevi-srbtrfije[.]com
putevi-srbbqfije[.]com
putevi-srbijeag[.]help
putevi-srbijeah[.]help
putevi-srbije.gbgwsq[.]homes
putevi-srbije.xkuckx[.]homes
putevis-srbiiossje[.]top
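Every name above is a typosquat of the road authority's name on an unrelated TLD. As an added example, not part of the original post or of Group-IB's tooling, the following Node.js script shows one way to flag such lookalikes in a DNS or URL feed: it compares every label below the TLD against the brand tokens putevi and srbije with a one-character edit tolerance, and treats the assumed legitimate domain putevi-srbije.rs as the only allowed match. The candidate list reuses the defanged IOCs above; the legitimate domain, the tokens and the threshold are assumptions to tune per brand.

```javascript
// Added example (not from the post or from Group-IB): flag domains that imitate
// the road authority's name, as an analyst might run over a DNS or URL feed.
// Assumptions: the legitimate site is putevi-srbije.rs, and a label containing
// a brand token with at most one typo is suspicious. Node.js, no dependencies.

const BRAND_LABEL = 'putevi-srbije';        // assumed legitimate registrable label
const BRAND_TLDS = new Set(['rs']);          // assumed legitimate TLD
const BRAND_TOKENS = ['putevi', 'srbije'];   // distinctive name parts to look for
const TOKEN_TOLERANCE = 1;                   // edits allowed inside a token match

// Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // dp[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // dp[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// "putevi-srbije[.]help" -> "putevi-srbije.help"
function refang(domain) {
  return domain.trim().toLowerCase().replace(/\[\.\]/g, '.').replace(/\.$/, '');
}

// Smallest distance between token and any equal-length window of label,
// i.e. approximate substring containment ("putevs" is one edit from "putevi").
function tokenDistance(label, token) {
  if (label.length <= token.length) return levenshtein(label, token);
  let best = Infinity;
  for (let i = 0; i + token.length <= label.length; i++) {
    best = Math.min(best, levenshtein(label.slice(i, i + token.length), token));
  }
  return best;
}

// Score one domain: brand-token hits in any label below the TLD, distance of the
// registrable label from the brand, and a verdict that exempts the real site.
function analyzeDomain(domain) {
  const name = refang(domain);
  const labels = name.split('.');
  const tld = labels[labels.length - 1];
  const hostLabels = labels.slice(0, -1);                 // everything below the TLD
  const registrable = hostLabels[hostLabels.length - 1] || '';
  const isBrand = registrable === BRAND_LABEL && BRAND_TLDS.has(tld);
  const hits = [];
  for (const label of hostLabels) {
    for (const token of BRAND_TOKENS) {
      if (tokenDistance(label, token) <= TOKEN_TOLERANCE) hits.push(`${label}~${token}`);
    }
  }
  return {
    domain: name,
    tld,
    distance: levenshtein(registrable, BRAND_LABEL),
    hits,
    lookalike: hits.length > 0 && !isBrand,
  };
}

function flagLookalikes(domains) {
  return domains.map(analyzeDomain).filter((r) => r.lookalike).map((r) => r.domain);
}

// Defanged IOCs from this post (Darcula- and Phoenix-connected domains).
const CAMPAIGN_IOCS = [
  'putevs[.]cc', 'putevie-srbije[.]help', 'putevti-srbije[.]help', 'putevii-srbije[.]help',
  'putevi-srbile[.]help', 'putevi-srbijezt[.]homes', 'puteva[.]cc', 'putevi-srbije[.]help',
  'putevis-srbbije[.]top', 'putevisteetc[.]cc', 'putevi-srbije[.]icu', 'putevismetc[.]cc',
  'putevi-srbijebc[.]homes', 'putevi-srbijeba[.]homes', 'putevi-srbijeah[.]homes',
  'putevi-srbijeaf[.]help', 'putevissdeoetc[.]top', 'putevi-srbtrfije[.]com',
  'putevi-srbbqfije[.]com', 'putevi-srbijeag[.]help', 'putevi-srbijeah[.]help',
  'putevi-srbije.gbgwsq[.]homes', 'putevi-srbije.xkuckx[.]homes', 'putevis-srbiiossje[.]top',
];

console.log(flagLookalikes(CAMPAIGN_IOCS));
```

Plain edit distance on the registrable label alone misses names such as putevs[.]cc and putevisteetc[.]cc, which is why the check looks for the brand tokens inside every label; the trade-off is that any domain carrying srbije on a foreign TLD will also be reported, so the token list is the knob to turn for precision.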
DISCLAIMER: All technical information, including malware analysis, indicators of compromise and infrastructure details provided in this publication, is shared solely for defensive cybersecurity and research purposes. Group-IB does not endorse or permit any unauthorized or offensive use of the information contained herein. The data and conclusions represent Group-IB’s analytical assessment based on available evidence and are intended to help organizations detect, prevent, and respond to cyber threats.
Group-IB expressly disclaims liability for any misuse of the information provided. Organizations and readers are encouraged to apply this intelligence responsibly and in compliance with all applicable laws and regulations.
This blog may reference legitimate third-party services such as Telegram and others, solely to illustrate cases where threat actors have abused or misused these platforms.
This material is provided for informational purposes, prepared by Group-IB as part of its own analytical investigation, and reflects recently identified threat activity.
All trademarks referenced herein are the property of their respective owners and are used solely for informational purposes, without any implication of affiliation or sponsorship.