A new sophisticated phishing-as-a-service (PhaaS) platform called Lucid has targeted 169 entities in 88 countries using smishing messages propagated via Apple iMessage and Rich Communication Services (RCS) for Android.
Lucid’s unique selling point lies in its weaponizing of legitimate communication platforms to sidestep traditional SMS-based detection mechanisms.
“Its scalable, subscription-based model enables cybercriminals to conduct large-scale phishing campaigns to harvest credit card details for financial fraud,” Swiss cybersecurity company PRODAFT said in a technical report shared with The Hacker News.
“Lucid leverages Apple iMessage and Android’s RCS technology, bypassing traditional SMS spam filters and significantly increasing delivery and success rates.”
Lucid is assessed to be the work of a Chinese-speaking hacking crew called the XinXin group (aka Black Technology), with the phishing campaigns mainly targeting Europe, the United Kingdom, and the United States with an intent to steal credit card data and personally identifiable information (PII).
The threat actors behind the service, more importantly, have developed other PhaaS platforms like Lighthouse and Darcula, the latter of which has been updated with capabilities to clone any brand’s website to create a phishing version. The developer of Lucid is a threat actor codenamed LARVA-242, who is also a key figure in the XinXin group.
All three PhaaS platforms share overlaps in templates, target pools, and tactics, alluding to a flourishing underground economy where Chinese-speaking actors are leveraging Telegram to advertise their warez on a subscription basis for profit-driven motives.
Phishing campaigns relying on these services have been found to impersonate postal services, courier companies, toll payment systems, and tax refund agencies, employing convincing phishing templates to deceive victims into providing sensitive information.
The large-scale activities are powered on the backend via iPhone device farms and mobile device emulators running on Windows systems to send hundreds of thousands of scam messages containing bogus links in a coordinated fashion. The phone numbers to be targeted are acquired through various methods such as data breaches and cybercrime forums.
“For iMessage’s link-clicking restrictions, they employ ‘please reply with Y’ techniques to establish two-way communication,” PRODAFT explained. “For Google’s RCS filtering, they constantly rotate sending domains/numbers to avoid pattern recognition.”
“For iMessage, this involves creating temporary Apple IDs with impersonated display names, while RCS exploitation leverages carrier implementation inconsistencies in sender verification.”
Besides offering automation tools that simplify the creation of customizable phishing websites, the pages themselves incorporate advanced anti-detection and evasion techniques like IP blocking, user-agent filtering, and time-limited single-use URLs.
Lucid also supports the ability to monitor victim activity and record every single interaction with the phishing links in real-time via a panel, allowing its customers to extract the entered information. Credit card details submitted by victims are subjected to additional verification steps. The panel is built using the open-source Webman PHP framework.
“The Lucid PhaaS panel has revealed a highly organized and interconnected ecosystem of phishing-as-a-service platforms operated by Chinese-speaking threat actors, primarily under the XinXin group,” the company said.
“The XinXin group develops and utilizes these tools and profits from selling stolen credit card information while actively monitoring and supporting the development of similar PhaaS services.”
It’s worth noting that the findings from PRODAFT mirror that of Palo Alto Networks Unit 42, which recently called out unspecified threat actors for utilizing the domain pattern “com-” to register over 10,000 domains for propagating various SMS phishing scams via Apple iMessage.
The development comes as Barracuda warned of a “massive spike” in PhaaS attacks in early 2025 using Tycoon 2FA, EvilProxy, and Sneaky 2FA, with each service accounting for 89%, 8%, and 3% of all the PhaaS incidents, respectively.
“Phishing emails are the gateway for many attacks, from credential theft to financial fraud, ransomware, and more,” Barracuda security researcher Deerendra Prasad said. “The platforms that power phishing-as-a-service are increasingly complex and evasive, making phishing attacks both harder for traditional security tools to detect and more powerful in terms of the damage they can do.”
