A phishing-as-a-service (PhaaS) platform named ‘Lucid’ has been targeting 169 entities in 88 countries using well-crafted messages sent on iMessage (iOS) and RCS (Android).

Lucid, which has been operated by Chinese cybercriminals known as the ‘XinXin group’ since mid-2023, is sold to other threat actors via a subscription-based model that gives them access to over 1,000 phishing domains, tailored auto-generated phishing sites, and pro-grade spamming tools.

Prodaft researchers note that XinXin has also been using the Darcula v3 platform for its operations, which indicates a potential connection between the two PhaaS platforms.