A sophisticated new phishing platform named Lucid has emerged as a significant cybersecurity threat, targeting 169 entities across 88 countries globally.
Developed by Chinese-speaking threat actors, this Phishing-as-a-Service (PhAAS) platform operates through 129 active instances and over 1,000 registered domains.
The platform employs an automated attack delivery mechanism that deploys customizable phishing websites, primarily distributed through SMS-based lures that mimic legitimate organizations such as postal services, courier companies, and toll payment systems.
What sets Lucid apart from conventional phishing operations is its innovative use of Apple’s iMessage and Android’s Rich Communication Services (RCS) to circumvent traditional SMS spam filters.
Unlike standard SMS messages that telecommunication providers can blacklist, these internet-based technologies enable threat actors to execute attacks more rapidly and effectively.
By leveraging these protocols, Lucid significantly increases delivery success rates and effectively bypasses security measures that would typically identify and block malicious SMS messages.
Catalyst researchers noted that the platform incorporates advanced anti-detection and evasion techniques, such as IP blocking and user-agent filtering, to prolong the lifespan of its phishing sites.
The group behind Lucid (also known as Black Technology or XinXin) has been active since 2023, with its operations and infrastructure identified during ongoing investigations.
While initially operating locally, its impact has grown substantially, with a significant surge observed by early 2025.
The platform operates on a subscription-based model, enabling cybercriminals to conduct large-scale phishing campaigns with minimal effort.
These campaigns primarily focus on harvesting credit card details and personally identifiable information (PII) for financial fraud. Lucid’s scalable architecture allows it to rank among prominent PhAAS platforms alongside others like Darcula and Lighthouse.
Infection Mechanism
Lucid’s infection chain begins when targets receive seemingly legitimate messages through iMessage or RCS.
These messages typically reference unpaid toll fees, shipping costs, or tax declarations that require immediate attention.
When victims click on embedded links, they’re redirected to convincingly crafted phishing pages designed to harvest sensitive information.
What makes the platform particularly effective is its sophisticated backend system, which dynamically adjusts based on the victim’s profile.
The panel automatically generates domains and interfaces tailored to specific phishing templates, with customizations based on victims’ IP addresses for location-specific targeting.
The platform implements measures to block connections from unintended IP addresses or when users attempt to access domains directly rather than through shortened URLs.
Analysis of the attack infrastructure revealed that Lucid employs a JSON-based API for template configuration. A captured response looks like this (array-valued fields appear wrapped in an extra pair of quotes, exactly as observed):

{
  "status": 1,
  "msg": "请求成功",
  "page": 1,
  "total": 2,
  "data": [
    {
      "language": "en",
      "domain": "["{phishingdomain}.top"]",
      "entrypoint": "cb",
      "allowIp": "["GB"]",
      "disableRedict": "0",
      "paytitle": "",
      "paytext": "",
      "card-deny-msg1": "",
      "card-deny-msg2": ""
    }
  ]
}
This response shows how a single template is configured: its language, the phishing domain(s) and entry point, the countries whose visitors are allowed through (allowIp, here GB, which implements the IP blocking described above), a flag controlling the redirect-only access rule (disableRedict), and placeholder text for the payment page and card-decline messages, giving operators flexibility across phishing scenarios.
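As an added example (not part of the original report or of Lucid's own code), the following Python triage helper takes a captured panel response in the format quoted above, repairs the double-quoted array fields so the text parses as JSON, and normalizes each template into the fields an analyst would want to record: allowed countries, whether the redirect-only access rule is on, and the template's domains. The sample input is constructed from the quoted snippet; the field interpretations follow the report's description of the platform's IP and direct-access blocking.

```python
import json
import re

# Constructed sample modelled on the captured panel response quoted above.
# The "domain" and "allowIp" values are JSON arrays wrapped in an extra pair of
# quotes, exactly as in the capture, so plain json.loads() rejects the text.
SAMPLE_RESPONSE = (
    '{"status":1,"msg":"请求成功","page":1,"total":2,"data":[{"language":"en",'
    '"domain":"["{phishingdomain}.top"]","entrypoint": "cb", "allowIp":"["GB"]",'
    ' "disableRedict":"0", "paytitle":"","paytext":"","card-deny-msg1":"","card-deny-msg2":""}]}'
)

# Matches a bracketed array that sits inside a pair of quotes right after a key's colon.
_QUOTED_ARRAY = re.compile(r':\s*"(\[[^\]]*\])"')


def repair_quoted_arrays(raw: str) -> str:
    """Strip the stray quotes around array-valued fields so the text parses as JSON."""
    return _QUOTED_ARRAY.sub(lambda m: ":" + m.group(1), raw)


def extract_templates(raw: str) -> list[dict]:
    """Return one normalized record per phishing template in a panel API response."""
    doc = json.loads(repair_quoted_arrays(raw))
    templates = []
    for entry in doc.get("data", []):
        allowed = list(entry.get("allowIp", []))
        templates.append({
            "language": entry.get("language"),
            "domains": list(entry.get("domain", [])),
            "entrypoint": entry.get("entrypoint"),
            # Country codes whose visitors are let through; all others are blocked.
            "allowed_countries": allowed,
            "geo_restricted": bool(allowed),
            # "0" leaves the redirect-only rule active: direct domain access is refused
            # and victims must arrive via the shortened URL in the lure.
            "redirect_required": entry.get("disableRedict", "0") == "0",
        })
    return templates


if __name__ == "__main__":
    for record in extract_templates(SAMPLE_RESPONSE):
        print(record)
```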