Tactics
Methods used by the actors targeting the case subject. Each entry names a pattern, defines it, traces where it appeared in the storm, and cross-references the underlying tradecraft on plausibledenial.org where applicable. Where Techniques names what the case subject does, Tactics names what is done against the case subject.
This is editorial scaffolding, not how-to material. The point is naming what is done — so the same pattern, when it appears under a different cover story, can be recognized again.
-
Attachment phishing
An unsolicited SMS containing an attached file (PDF, image, document) designed to deliver malware, harvest credentials, or compromise the recipient's device when opened. Distinct from hop seeding (no metadata edge needed) and from phantom account (no account is being maintained) — the payload is the point.
also known as bad attacher, smishing with payload, SMS-borne malware, PDF smishing
-
Hop seeding
The deliberate injection of a target's phone number into someone else's contact graph — typically via an unsolicited "wrong number" text designed to elicit any reply at all — for the purpose of pulling the target into a contact-chaining query.
also known as graph injection, metadata seeding, metadata fabrication, pretextual contact (umbrella)
-
Outbound impersonation
Someone other than the account holder sends messages out of the account holder's own communication channel — iMessage, email, social-media DM — making the recipient believe the account holder sent them. Distinct from phantom account (which uses the holder's number on a third-party service) — this is the holder's own account, used against the holder.
also known as account compromise (outbound), speaking-as, channel takeover, identity hijack, linked-device exploitation
-
Phantom account
An account opened on a third-party commercial service using a target's phone number as the contact identifier. The target receives verification codes, transactional SMS, and notifications, but does not own the account and cannot access it.
also known as phantom registration, ghost account, customer impersonation, number-as-identifier injection
-
Web property scanning
Automated and semi-automated reconnaissance against a target's web properties — typically triggered by Certificate Transparency log monitoring within minutes of a new domain's first TLS certificate — looking for exposed credentials, configuration files, secret tokens, and backup archives before the operator has finished hardening. Includes both Nuclei-class burst scans from bulletproof-hosting clusters and slower curated curl/LLM-assisted recon passes.
also known as fresh-deploy scanning, CT-log scraping, credential reconnaissance, Nuclei-class probing, secrets-wordlist sweep