A new and sophisticated phishing platform named Lucid has surfaced, posing a significant cybersecurity threat by targeting 169 entities across 88 countries worldwide. Developed by Chinese-speaking threat actors, Lucid operates as a Phishing-as-a-Service (PhAAS) platform, utilizing 129 active instances and over 1,000 registered domains to facilitate its operations.
Innovative Attack Delivery Mechanism
Lucid distinguishes itself from traditional phishing operations through its automated attack delivery system, which deploys customizable phishing websites. These sites are primarily disseminated via SMS-based lures that impersonate legitimate organizations such as postal services, courier companies, and toll payment systems. What further sets Lucid apart is its strategic use of Apple’s iMessage and Android’s Rich Communication Services (RCS) to bypass conventional SMS spam filters.
Unlike standard SMS messages that telecommunications providers can easily blacklist, iMessage and RCS are internet-based messaging protocols that allow threat actors to execute attacks more swiftly and effectively. By leveraging these technologies, Lucid significantly enhances the success rate of its phishing campaigns and circumvents security measures designed to detect and block malicious SMS messages.
Advanced Evasion Techniques
Researchers have observed that Lucid incorporates sophisticated anti-detection and evasion strategies to extend the longevity of its phishing sites. These techniques include IP blocking and user-agent filtering, which help the platform evade detection by security systems and prolong the operational lifespan of its malicious domains.
The group behind Lucid, also known as Black Technology or XinXin, has been active since 2023. Initially operating on a local scale, the group has expanded its activities significantly, with a notable surge in operations observed by early 2025.
Subscription-Based Model and Scalability
Lucid operates on a subscription-based model, enabling cybercriminals to conduct large-scale phishing campaigns with minimal effort. These campaigns primarily aim to harvest credit card details and personally identifiable information (PII) for financial fraud. The platform’s scalable architecture positions it among prominent PhAAS platforms, alongside others like Darcula and Lighthouse.
Infection Mechanism
The infection chain employed by Lucid begins when targets receive seemingly legitimate messages through iMessage or RCS. These messages often reference unpaid toll fees, shipping costs, or tax declarations that require immediate attention. Upon clicking the embedded links, victims are redirected to convincingly crafted phishing pages designed to harvest sensitive information.
Lucid’s backend system is particularly effective due to its dynamic adjustment based on the victim’s profile. The platform automatically generates domains and interfaces tailored to specific phishing templates, customizing them based on the victim’s IP address for location-specific targeting.
To further evade detection, Lucid implements measures to block connections from unintended IP addresses or when users attempt to access domains directly rather than through shortened URLs. Analysis of the attack infrastructure reveals that Lucid employs a JSON-based API for template configuration, allowing for flexible language settings, domain parameters, and regional targeting.
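The IP, user-agent and entry-path gating described above means the same URL can look benign to an analyst or a URL scanner while serving the harvesting page to a victim's phone. The following added example (not code from the article, nor from any Lucid or Darcula analysis) shows how a defender can expose that behaviour by comparing what several client profiles receive; the profile names, the regex and the observations are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Observation:
    profile: str   # which client fetched the URL (names below are assumed labels)
    status: int    # HTTP status returned to that profile
    body: str      # response body (HTML)

# A response "harvests" when it is a 200 containing a form field for card or PII data.
HARVEST_FIELD = re.compile(r"<input[^>]*name=[\"'](card|cvv|expiry|password|ssn)", re.I)

def classify(observations: List[Observation]) -> Dict[str, object]:
    """Compare what each client profile received and flag profile-dependent content."""
    harvests = {o.profile: (o.status == 200 and bool(HARVEST_FIELD.search(o.body)))
                for o in observations}
    shown_to = sorted(p for p, h in harvests.items() if h)
    hidden_from = sorted(p for p, h in harvests.items() if not h)
    if shown_to and hidden_from:
        verdict = "cloaked_phishing"      # same URL, different content per client
    elif shown_to:
        verdict = "phishing"
    else:
        verdict = "no_harvest_form_seen"  # may still be cloaked against every probe used
    # Entry-path gating: victims are served only when they arrive through the shortener.
    path_gated = (harvests.get("victim_mobile_via_shortlink", False)
                  and not harvests.get("victim_mobile_direct", False))
    return {"verdict": verdict, "shown_to": shown_to,
            "hidden_from": hidden_from, "path_gated": path_gated}

# Constructed observations (not captured traffic) mimicking the gating described above:
# a mobile client arriving via the short link sees the lure; a mobile client hitting
# the domain directly, a desktop analyst and a scanner bot all get something harmless.
SAMPLE = [
    Observation("victim_mobile_via_shortlink", 200,
                "<h1>Unpaid toll</h1><form><input name='card'><input name='cvv'></form>"),
    Observation("victim_mobile_direct", 404, "<h1>Not Found</h1>"),
    Observation("analyst_desktop", 200, "<h1>Domain parked</h1>"),
    Observation("url_scanner_bot", 403, ""),
]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

When triaging a reported smishing link, fetch it with a mobile user agent and the original short-link referer as well as with your usual tooling; a "no_harvest_form_seen" verdict from desktop-only probes is not evidence that the page is harmless.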
Comparative Analysis with Other PhAAS Platforms
Lucid’s emergence highlights a growing trend in the cybercriminal landscape: the development of sophisticated PhAAS platforms that lower the barrier to entry for conducting phishing attacks. Similar platforms, such as Darcula, have also been observed leveraging modern technologies and messaging protocols to enhance the effectiveness of their campaigns.
Darcula, for instance, utilizes over 20,000 domains to spoof brands and steal credentials from users in more than 100 countries. It employs technologies like JavaScript, React, Docker, and Harbor, enabling continuous updates and new feature additions without clients needing to reinstall phishing kits. Notably, Darcula also uses RCS and iMessage to send phishing messages, thereby bypassing traditional SMS-based detection mechanisms.
The use of iMessage and RCS in phishing campaigns presents unique challenges for detection and prevention. These protocols support end-to-end encryption, making it difficult to intercept and block phishing messages based on their content. Additionally, they are perceived as more secure by users, increasing the likelihood of successful attacks.
Implications for Cybersecurity
The advent of platforms like Lucid and Darcula signifies a shift in phishing tactics, with cybercriminals adopting more sophisticated methods to evade detection and increase the success rate of their campaigns. The use of PhAAS platforms lowers the technical barrier for conducting phishing attacks, enabling a broader range of threat actors to engage in such activities.
For organizations and individuals, this underscores the importance of adopting comprehensive cybersecurity measures. Traditional defenses may not be sufficient to counter these advanced phishing tactics. Therefore, it is crucial to implement multi-layered security strategies, including user education, advanced threat detection systems, and regular security assessments.
Recommendations for Mitigation
To mitigate the risks posed by sophisticated PhAAS platforms like Lucid, consider the following measures:
1. User Education and Awareness: Educate users about the risks associated with phishing attacks, especially those delivered through iMessage and RCS. Encourage skepticism towards unsolicited messages requesting sensitive information.
2. Advanced Threat Detection Systems: Deploy security solutions capable of detecting and blocking phishing attempts across various communication channels, including iMessage and RCS.
3. Regular Security Assessments: Conduct periodic security assessments to identify and address vulnerabilities that could be exploited by phishing attacks.
4. Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security, making it more difficult for attackers to gain unauthorized access even if credentials are compromised.
5. Incident Response Planning: Develop and maintain an incident response plan to quickly and effectively address phishing incidents when they occur.
By adopting these measures, organizations can enhance their resilience against the evolving threat landscape posed by sophisticated phishing platforms like Lucid.