A new threat has emerged in the cybercrime landscape, with a phishing-as-a-service platform called Lucid PhaaS targeting 169 organisations across 88 countries.
This sophisticated service uses smishing messages delivered through Apple iMessage and Android’s Rich Communication Services (RCS), enabling cybercriminals to bypass traditional SMS spam filters and increase their chances of deceiving victims.
Lucid PhaaS is operated by a Chinese-speaking hacking group known as XinXin, also referred to as Black Technology.
The group’s phishing campaigns primarily focus on targets in Europe, the United Kingdom, and the United States, aiming to steal credit card information and personally identifiable data. The developer behind Lucid, known by the alias LARVA-242, is a central figure in the XinXin group and has also contributed to similar platforms such as Lighthouse and Darcula. These platforms share common templates, tactics, and target lists, highlighting a growing underground economy of phishing services.
One of Lucid PhaaS’s most concerning features is its use of legitimate messaging platforms like iMessage and RCS, which are less likely to be flagged by spam detection tools.
The group leverages inconsistencies in carrier-level sender verification and creates temporary Apple IDs with fake display names to fool recipients. Additionally, the service deploys large-scale smishing campaigns through iPhone farms and Windows-based mobile emulators, sending thousands of malicious messages with deceptive links.
Victims are misled into clicking the malicious links, often believing they are interacting with legitimate services such as postal or courier companies, toll collection systems, or tax agencies. Lucid PhaaS supports the creation of fake websites that incorporate advanced anti-detection measures, including IP filtering, user-agent blocking, and single-use URLs that expire after a short time. The platform also offers real-time tracking of victim interactions through a panel built on the Webman PHP framework, allowing attackers to verify and extract submitted information.
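The anti-detection measures listed above have a practical consequence for defenders: because the kit serves single-use URLs and filters by IP address and user agent, a security team that re-fetches a reported link will often see an expired or benign page rather than the phishing form. Message triage therefore has to lean on the content of the message itself. The following is an added example, not code from the article or from any vendor it cites: a small Python scorer that flags messages by the lure themes the article names (postal or courier, toll collection, tax agency), by an impersonated brand whose link host is not a known domain for that brand, by lure vocabulary embedded in the hostname, and by urgency cues. The sample messages, the keyword lists and the brand-to-domain allowlist are all constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not from the article) mimicking the lure
# themes it names: postal/courier, toll collection and tax agencies.
SAMPLE_MESSAGES = [
    "USPS: your parcel is held at our facility. Update delivery details "
    "within 24h: https://usps-redelivery-track.example/u/7f3a",
    "Toll notice: unpaid balance on your account. Pay now to avoid a fine: "
    "https://pay-tolls-now.example/x",
    "HMRC: you are due a tax refund. Claim here: https://hmrc-refund.example/claim",
    "Hi, running 10 min late, see you at the cafe",
    "Your verification code is 482913. Do not share it.",
]

# Assumed lure vocabulary per theme; matched as whole words in the message
# body and as substrings in the link hostname.
LURE_THEMES = {
    "postal": ["parcel", "package", "delivery", "redelivery", "courier", "usps", "royal mail", "dhl"],
    "toll": ["toll", "unpaid balance", "fine", "road charge"],
    "tax": ["tax refund", "hmrc", "irs", "refund"],
}

# Assumed allowlist of legitimate hosts per brand; a real deployment keeps
# its own, more complete list.
KNOWN_BRAND_HOSTS = {
    "usps": {"usps.com"},
    "royal mail": {"royalmail.com"},
    "dhl": {"dhl.com"},
    "hmrc": {"gov.uk"},
    "irs": {"irs.gov"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(within \d+ ?h(ours)?|immediately|now|suspended|urgent)\b", re.IGNORECASE)


def _has_word(text, phrase):
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


def _host_allowed(host, allowed):
    return any(host == a or host.endswith("." + a) for a in allowed)


def triage_message(text):
    """Score one message on its content alone; no link is ever fetched."""
    lowered = text.lower()
    reasons = []
    score = 0

    urls = URL_RE.findall(text)
    hosts = [(urlparse(u).hostname or "").lower() for u in urls]

    themes = [t for t, kws in LURE_THEMES.items() if any(_has_word(lowered, k) for k in kws)]
    if themes:
        score += 2
        reasons.append("lure theme: " + ", ".join(themes))

    if urls:
        score += 1
        reasons.append("contains link")

    # Lure vocabulary baked into the hostname (e.g. "redelivery", "toll").
    for theme in themes:
        for host in hosts:
            if any(k.replace(" ", "") in host for k in LURE_THEMES[theme]):
                score += 2
                reasons.append(f"lure keyword inside hostname {host}")
                break

    # Brand named in the text but the link points somewhere else entirely.
    for brand, allowed in KNOWN_BRAND_HOSTS.items():
        if _has_word(lowered, brand):
            for host in hosts:
                if not _host_allowed(host, allowed):
                    score += 3
                    reasons.append(f"{brand} named but link host {host} is not a known {brand} domain")

    if URGENCY_RE.search(text):
        score += 1
        reasons.append("urgency cue")

    if score >= 5:
        verdict = "likely smishing"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "score": score, "reasons": reasons}


def triage_all(messages=SAMPLE_MESSAGES):
    """Verdict for each message, in order."""
    return [triage_message(m)["verdict"] for m in messages]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        r = triage_message(m)
        print(f"{r['verdict']:16} score={r['score']} {r['reasons']}")
```

The thresholds and weights are deliberately simple; the point is that every signal comes from the message body and the link's hostname, which survive even when the landing page no longer does. In practice the brand allowlist and lure vocabulary would be maintained from the organisation's own reporting data.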
The widespread use of Lucid PhaaS is further fuelled by Telegram, where such services are openly marketed and sold on a subscription basis. Stolen credit card data is monetised through resale while the developers continue to refine their tools.
Security experts have raised concerns over the growing complexity and effectiveness of phishing-as-a-service platforms like Lucid PhaaS, which are becoming increasingly difficult for traditional defences to detect.
As these services evolve, organisations and individuals alike must remain alert to the tactics cybercriminals use.
