
April 1, 2025

XinXin group offers new ‘dreamy’ PhaaS platform


Cybersecurity researchers have revealed a new, highly sophisticated phishing-as-a-service (PhaaS) platform, dubbed ‘Lucid’, that has targeted 169 organizations across 88 countries.

The potent new PhaaS sets itself apart by utilizing legitimate communication channels, specifically Apple iMessage and Android's Rich Communication Services (RCS), to send smishing messages. The use of legitimate channels allows it to bypass traditional SMS spam filters, thereby increasing the success rates of phishing campaigns.

iMessage disables links in messages from senders the recipient has never interacted with. To get around this, the threat actor prompts recipients to reply with "Y", which establishes a two-way conversation and re-enables the link; the recipient can then click on the malicious URL.

For RCS, threat actors continuously rotate sending domains and numbers to evade detection by pattern recognition systems.

In the case of iMessage, temporary Apple IDs with impersonated display names are created, while the RCS abuse takes advantage of inconsistent sender verification among carriers.
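Both tricks leave a signature in message telemetry that a defender can key on: the "reply Y" lure is a fixed phrase, and rotating senders or link domains all carry the same lure text. The script below is an added example (not code from the article, Field Effect or the researchers cited) that clusters messages by a normalized template and flags clusters where many senders or domains share one lure, or where a lure asks the target to reply before a link will open. All messages, senders and domains in it are constructed for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Lure asking the target to reply so iMessage treats the sender as known and
# re-enables the link: "reply Y", "reply with 'Y'", "reply YES", ...
REPLY_LURE_RE = re.compile(
    r"\breply\s+(?:with\s+)?[\"'“”‘’]?y(?:es)?[\"'“”‘’]?\b", re.IGNORECASE)

# Constructed sample traffic; senders, domains and wording are made up and do
# not describe any real campaign.
MESSAGES = [
    {"sender": "+15550100001", "channel": "rcs",
     "text": "ExampleParcel: delivery failed, redeliver at https://parcel-fix.example/r/88213"},
    {"sender": "+15550100002", "channel": "rcs",
     "text": "ExampleParcel: delivery failed, redeliver at https://parcel-resend.example/r/10944"},
    {"sender": "+15550100003", "channel": "rcs",
     "text": "ExampleParcel: delivery failed, redeliver at https://parcel-track.example/r/55210"},
    {"sender": "acct7@icloud.example", "channel": "imessage",
     "text": "Toll balance due. Reply Y to continue, then open https://toll-pay.example/p/31"},
    {"sender": "+15550100010", "channel": "sms",
     "text": "Your appointment is confirmed for 3pm tomorrow. Reply STOP to opt out."},
]


def normalize(text):
    """Collapse a message into a template: URLs and numbers become placeholders,
    so rotated links and tracking numbers no longer split one lure into many."""
    t = URL_RE.sub("<url>", text)
    t = re.sub(r"\d+", "<n>", t)
    return re.sub(r"\s+", " ", t).strip().lower()


def extract_domains(text):
    """Hostnames of every URL in the message, lower-cased."""
    hosts = (urlparse(u).hostname for u in URL_RE.findall(text))
    return {h.lower() for h in hosts if h}


def has_reply_lure(text):
    return REPLY_LURE_RE.search(text) is not None


def cluster(messages):
    """Group messages by template and collect the senders/domains behind each."""
    clusters = defaultdict(lambda: {"count": 0, "senders": set(), "domains": set()})
    for m in messages:
        c = clusters[normalize(m["text"])]
        c["count"] += 1
        c["senders"].add(m["sender"])
        c["domains"] |= extract_domains(m["text"])
    return clusters


def triage(messages, min_rotation=2):
    """Return one finding per suspicious template with the reasons it fired."""
    findings = []
    for template, c in cluster(messages).items():
        reasons = []
        if has_reply_lure(template) and c["domains"]:
            reasons.append("reply-to-unlock lure with link")
        if len(c["senders"]) >= min_rotation and c["domains"]:
            reasons.append(f"{len(c['senders'])} senders share one template")
        if len(c["domains"]) >= min_rotation:
            reasons.append(f"{len(c['domains'])} link domains share one template")
        if reasons:
            findings.append({"template": template, "reasons": reasons,
                             "senders": sorted(c["senders"]),
                             "domains": sorted(c["domains"])})
    return findings


if __name__ == "__main__":
    for f in triage(MESSAGES):
        print(f["template"])
        for r in f["reasons"]:
            print("  -", r)
        print("  senders:", ", ".join(f["senders"]))
        print("  domains:", ", ".join(f["domains"]))
```

The benign appointment reminder is left alone even though it contains "Reply STOP", because the lure regex only matches a reply of Y/YES and the message carries no link. In production the sender and domain counts would be accumulated over a sliding window rather than a single batch, since rotation shows up over hours, not in one message.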


Lucid operates on a subscription-based model, enabling cybercriminals to conduct large-scale phishing operations aimed at collecting credit card information and personally identifiable information (PII).

The platform provides automation tools that simplify the creation of customizable phishing websites, which incorporate advanced anti-detection and evasion techniques such as IP blocking, user-agent filtering, and time-limited, single-use URLs. Additionally, Lucid offers real-time monitoring of victim interactions through a dedicated panel, allowing its clients to capture and verify submitted data, including credit card details.
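The three evasion features named above (IP blocking, user-agent filtering and time-limited, single-use URLs) matter to defenders because each one turns a later automated fetch of the link into a harmless decoy page. The following added example models that gating as a small Python class and runs the fetches a victim, a re-clicking analyst, a sandbox and an expired link would make; it is an illustration written for this article, not Lucid's code, and the IP range, user-agent markers, host name and TTL are assumptions chosen for the demo.

```python
import ipaddress
import secrets
import time


class FakeClock:
    """Injectable clock so the TTL behaviour can be shown deterministically."""

    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class EvasiveLinkGate:
    """Minimal model of the checks a PhaaS landing page runs before serving the
    credential form. Constructed for illustration; the real kits differ in
    detail. Every failed check returns the same benign decoy page."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.clock = clock
        self.ttl = ttl_seconds
        self.tokens = {}  # token -> [issued_at, already_used]
        # Assumed "known scanner" range (TEST-NET-3, used here as a stand-in).
        self.blocked_nets = [ipaddress.ip_network("203.0.113.0/24")]
        # Assumed user-agent fragments typical of crawlers and sandboxes.
        self.bad_ua_markers = ("curl", "python-requests", "bot", "spider", "headless")

    def issue(self):
        """Mint a fresh single-use link for one smishing message."""
        tok = secrets.token_urlsafe(8)
        self.tokens[tok] = [self.clock(), False]
        return f"https://lure.example/v/{tok}"

    def serve(self, url, client_ip, user_agent):
        """Return 'PHISH_FORM' only to an unused, unexpired token fetched from an
        unblocked address with a non-scanner user agent; otherwise 'DECOY'."""
        tok = url.rsplit("/", 1)[-1]
        entry = self.tokens.get(tok)
        if entry is None:
            return "DECOY"
        issued, used = entry
        if used or self.clock() - issued > self.ttl:
            return "DECOY"
        if any(ipaddress.ip_address(client_ip) in net for net in self.blocked_nets):
            return "DECOY"
        if any(marker in user_agent.lower() for marker in self.bad_ua_markers):
            return "DECOY"
        entry[1] = True  # burn the token: nobody sees the form twice
        return "PHISH_FORM"


PHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
            "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148")


def demonstrate():
    """Fetch the same kinds of links the way different parties would and
    record what each one gets back."""
    clock = FakeClock()
    gate = EvasiveLinkGate(ttl_seconds=900, clock=clock)
    results = {}

    url = gate.issue()
    results["victim_first_click"] = gate.serve(url, "198.51.100.7", PHONE_UA)
    # Analyst asks the user to forward the link and opens it: token is spent.
    results["analyst_reclick"] = gate.serve(url, "198.51.100.7", PHONE_UA)

    url2 = gate.issue()
    # URL scanner fetching with a library user agent: filtered, token not burned.
    results["sandbox_fetch"] = gate.serve(url2, "198.51.100.8", "python-requests/2.31")
    # Same link from an address in the kit's blocklist.
    results["blocked_range"] = gate.serve(url2, "203.0.113.5", PHONE_UA)
    # Same link after the TTL has lapsed, even from a real phone.
    clock.advance(901)
    results["expired"] = gate.serve(url2, "198.51.100.7", PHONE_UA)
    results["unknown_token"] = gate.serve("https://lure.example/v/nope", "198.51.100.7", PHONE_UA)
    return results


if __name__ == "__main__":
    for who, page in demonstrate().items():
        print(f"{who:20s} -> {page}")
```

The practical consequence is that a link submitted for analysis after the victim has already tapped it, or fetched by a scanner whose address range or user agent the kit recognises, will usually come back clean. Verdicts on these campaigns therefore need to lean on the message itself (lure text, sender churn, newly registered lookalike domains) and on what the device saw at first load, rather than on a second fetch of the URL.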

The developers behind Lucid have been identified as the XinXin group, a Chinese-speaking hacking collective. This group has also created other PhaaS platforms, notably "Lighthouse" and "Darcula." These PhaaS platforms share similarities in templates, target selections, and methodologies, signifying a thriving underground economy where Chinese-speaking actors utilize platforms like Telegram to market their services on a subscription basis for financial gain.

Darcula, in particular, has been updated with capabilities to clone any brand's website, facilitating the creation of convincing phishing replicas. The developer known as LARVA-242 is a central figure in the XinXin group and plays a pivotal role in the development of these platforms.

Source: The Hacker News

Analysis

The recent revelation of the Lucid PhaaS platform is yet another reminder that the cybercriminal underground is thriving, offering increasingly sophisticated tools for fraudsters. This announcement comes just days after the discovery of Morphing Meerkat, another PhaaS service, highlighting how quickly these platforms are emerging and evolving.

The involvement of the XinXin group in developing multiple PhaaS platforms shows that these services are being built and marketed at a rapid pace. The platforms' automation, real-time victim tracking, and anti-detection features make them an enticing option even for inexperienced cybercriminals.

With so many PhaaS offerings available, the cybersecurity community must continue to raise awareness and develop countermeasures, as these platforms show no sign of slowing down.

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats related to PhaaS platforms like Lucid. Field Effect MDR users are automatically notified when phishing-related activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Fortunately, phishing is a well-known attack vector and can be mitigated by combining administrative security controls, such as phishing awareness training, with technical security controls, such as automatic scanning and URL stripping. In most cases, however, whether or not a compromise occurs comes down to the recipient of the phishing message, delivered by email, SMS, iMessage or RCS, and whether they have the awareness not to fall victim to it.

Field Effect users are encouraged to submit suspicious emails to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign before clicking links or opening an attachment.
