As part of its Cyber Threat Intelligence (CTI) operations, OWN conducts external attack surface monitoring to identify, among other threats, fraud attempts, typosquatting activity, and malicious campaigns targeting its clients.
In this context, OWN has observed since late 2025 highly active campaigns in France targeting major organizations. These campaigns rely on phishing kits actively shared across underground channels and distributed through smishing campaigns (SMS-based phishing).
This analysis illustrates a persistent threat landscape reality: despite its long history, smishing remains a particularly effective technique and is still widely exploited by cybercriminals.
This report focuses on a phishing kit identified as "ZephyrScama", a name derived from artefacts found within the associated administration panels. ZephyrScama appears to be a mature and actively maintained Phishing-as-a-Service (PhaaS) platform specifically engineered to primarily target French-speaking victims
The kit primarily impersonates high-trust French institutions and consumer services, including national health insurance such as Ameli, postal and delivery services such as La Poste, Mondial Relay and Colissimo, streaming platforms such as Netflix, Disney+, as well as energy providers such as EDF.
