A phishing-as-a-service (PhaaS) platform named Lucid has emerged as a formidable threat, targeting 169 entities across 88 countries with precision-crafted messages delivered via iMessage (iOS) and RCS (Android). Operated by the Chinese cybercriminal group XinXin since mid-2023, Lucid empowers threat actors with a subscription-based toolkit, boasting over 1,000 phishing domains, tailored auto-generated phishing sites, and professional-grade spamming capabilities. For cybersecurity professionals, understanding this platform’s mechanics is critical to mounting an effective defense. This blog dives into the technical underpinnings of Lucid Phishing-as-a-Service, its operational model, and actionable strategies to protect your organization.

What Is Lucid Phishing-as-a-Service?

Lucid Phishing-as-a-Service is a sophisticated cybercrime platform designed to streamline large-scale phishing campaigns. Developed by the XinXin group—also known as “Black Technology”—Lucid exploits the trust users place in encrypted messaging protocols like iMessage and RCS. Unlike traditional SMS-based phishing, these channels evade conventional filtering due to their end-to-end encryption, making Lucid’s campaigns particularly insidious.
Since mid-2023, XinXin has marketed Lucid to other cybercriminals, offering access to a robust ecosystem of phishing tools. With targets spanning 88 countries and 169 organizations—including postal services, financial institutions, and retailers—Lucid demonstrates a global reach that demands attention from domain cybersecurity experts.

How Lucid Operates: Tactics and Tools

Lucid Phishing-as-a-Service leverages a blend of automation and evasion techniques to maximize its impact. Here’s how it works:
Subscription Model and Telegram Distribution
Lucid operates on a subscription-based model, sold via a dedicated Telegram channel with over 2,000 members. Customers purchase weekly licenses, gaining access to a suite of tools that include:

  • Over 1,000 registered phishing domains.
  • Auto-generated phishing sites tailored to mimic legitimate brands.
  • Spamming tools capable of delivering messages at scale.

This as-a-service approach lowers the technical barrier to entry, enabling even novice attackers to launch sophisticated campaigns. The Telegram channel serves as both a marketplace and a support hub, fostering a community of threat actors.

Connection to Darcula v3
Research from Prodaft highlights a potential link between Lucid and Darcula v3, another PhaaS platform operated by XinXin. Darcula v3, known for its advanced phishing templates and anti-detection measures, shares operational similarities with Lucid, such as the use of RCS and iMessage. This overlap suggests XinXin maintains a portfolio of interconnected platforms, amplifying their collective threat. For more on Darcula’s evolution, see our threat detection guide (/threat-detection-guide).

Technical Breakdown of Lucid Phishing-as-a-Service

Lucid’s technical sophistication sets it apart from traditional phishing kits. Key features include:

  • Messaging Protocol Exploitation: By using iMessage and RCS, Lucid bypasses SMS firewalls. These protocols’ encryption prevents telecom providers from scanning message content, allowing phishing links to reach victims undetected.
  • Domain Automation: Lucid auto-generates phishing domains, often mimicking legitimate brands (e.g., postal services like USPS or Royal Mail). Prodaft reports over 1,000 active domains tied to the platform, with single-use URLs that expire to evade tracking.
  • Geo- and Device-Targeting: Attackers can restrict campaigns to specific regions or device types (e.g., iPhones in the UK), enhancing credibility and conversion rates.
  • Real-Time Analytics: Built-in tracking dashboards provide threat actors with victim interaction data, optimizing campaign success.
A sample JSON configuration uncovered by researchers illustrates Lucid’s flexibility:

```json
{
  "status": 1,
  "msg": "Request successful",
  "data": {
    "language": "en",
    "domain": "phishingdomain.top",
    "entrypoint": "cb",
    "allowIp": "GB",
    "disableRedict": "0"
  }
}
```

This snippet shows how Lucid configures phishing sites with regional targeting (e.g., “GB” for Great Britain) and dynamic domain generation.
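The practical consequence of the `allowIp` field is that an analyst or URL scanner geolocated outside the targeted country may be steered away from the lure and conclude the domain is harmless. The following Python is an added example (not code from the article or from Prodaft) that parses a configuration of the shape shown above into the indicators a defender records, and mirrors the geo gate so a triage workflow can tell when a detonation from the wrong region would be gated out. The comma-splitting of `allowIp`, the blocklist format and the meaning of `disableRedict` are assumptions; the sample configuration is constructed from the fields above.

```python
import json
from dataclasses import dataclass

# Constructed sample modelled on the configuration shown in the article; not a live artifact.
SAMPLE_CONFIG = """{
  "status": 1,
  "msg": "Request successful",
  "data": {
    "language": "en",
    "domain": "phishingdomain.top",
    "entrypoint": "cb",
    "allowIp": "GB",
    "disableRedict": "0"
  }
}"""


@dataclass(frozen=True)
class KitIndicators:
    domain: str
    language: str
    allowed_countries: frozenset  # ISO country codes the kit will serve
    entrypoint: str
    disable_redirect_flag: str    # recorded verbatim; its exact semantics are not documented here


def parse_kit_config(raw: str) -> KitIndicators:
    """Turn a Lucid-style config response into the fields a defender needs to record."""
    obj = json.loads(raw)
    if obj.get("status") != 1 or not isinstance(obj.get("data"), dict):
        raise ValueError("not a successful kit config response")
    data = obj["data"]
    # Assumption: allowIp could carry several comma-separated codes; split defensively.
    codes = frozenset(
        c.strip().upper() for c in str(data.get("allowIp", "")).split(",") if c.strip()
    )
    return KitIndicators(
        domain=str(data["domain"]).strip().lower(),
        language=str(data.get("language", "")),
        allowed_countries=codes,
        entrypoint=str(data.get("entrypoint", "")),
        disable_redirect_flag=str(data.get("disableRedict", "")),
    )


def would_serve_lure(ind: KitIndicators, visitor_country: str) -> bool:
    """Mirror the geo gate: an empty allow-list serves everyone, otherwise only the listed
    countries see the lure. Use this to decide where to detonate a suspected URL from."""
    if not ind.allowed_countries:
        return True
    return visitor_country.strip().upper() in ind.allowed_countries


def blocklist_entries(ind: KitIndicators) -> list:
    """Emit the domain and a wildcard for its subdomains in a simple one-per-line format
    (assumed format; adapt to your URL filter)."""
    return [ind.domain, "*." + ind.domain]


if __name__ == "__main__":
    ind = parse_kit_config(SAMPLE_CONFIG)
    print(ind)
    for country in ("GB", "US"):
        print(country, "sees lure:", would_serve_lure(ind, country))
    print("\n".join(blocklist_entries(ind)))
```

The takeaway for triage: if a reported URL resolves to a kit gated to `GB`, detonate it from a UK egress (or a sandbox that can present a UK address); otherwise the redirect hides the credential page and the domain is wrongly cleared.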
For a deeper dive into domain spoofing techniques, check out this external resource.

Defending Against Lucid: Cybersecurity Strategies

Protecting against Lucid Phishing-as-a-Service requires a multi-layered approach tailored to its unique tactics. Here are actionable steps for cybersecurity professionals:

  1. Enhance Endpoint Security: Deploy mobile device management (MDM) solutions to monitor and block suspicious messaging activity on iOS and Android devices. Harden servers hosting critical services with techniques from our server hardening tips (/server-hardening-tips).
  2. Educate Users: Train employees to recognize phishing lures, especially those urging immediate action (e.g., “Pay toll fees now”). Highlight the risks of replying to unsolicited iMessages or RCS prompts.
  3. Monitor Domains: Use threat intelligence feeds to track and block Lucid’s auto-generated domains. Tools like Netcraft’s phishing detection can identify patterns in domain registration.
  4. Leverage Network Filtering: While iMessage and RCS encryption limits content scanning, implement URL filtering at the network level to catch known phishing domains before they reach users.
  5. Analyze Telemetry: Regularly review logs for anomalies in messaging traffic, such as spikes from unrecognized sources, to detect early signs of a Lucid campaign.
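Steps 3 to 5 above come together in a single detection pass over egress telemetry. The Python below is an added example (not code from the article) that reads constructed proxy or URL-filter log lines, flags hosts that are on a threat-intel list (seeded here with the domain from the sample configuration), flags brand-lookalike hosts whose apex domain is not the brand's real one (the postal brands the article names), and reports time buckets where flagged requests spike. The log format, the brand table and the spike threshold are assumptions to adapt to your environment.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed log lines in an assumed "timestamp src_ip url" format (not real telemetry).
SAMPLE_LOGS = """\
2025-03-01T09:00:05Z 10.0.1.15 https://www.royalmail.com/track
2025-03-01T09:00:40Z 10.0.1.22 https://royalmail-redelivery.top/cb
2025-03-01T09:01:02Z 10.0.1.23 https://royalmail-redelivery.top/cb
2025-03-01T09:01:10Z 10.0.1.31 https://phishingdomain.top/cb
2025-03-01T09:01:15Z 10.0.1.33 https://usps-parcel-fee.xyz/pay
2025-03-01T09:01:30Z 10.0.1.40 https://intranet.example.org/home
2025-03-01T09:01:44Z 10.0.1.41 https://royalmail-redelivery.top/cb
2025-03-01T10:30:00Z 10.0.1.15 https://www.usps.com/
"""

# Threat-intel feed of attributed domains; seeded with the domain from the sample config.
KNOWN_BAD = {"phishingdomain.top"}

# Brands the article says Lucid lures impersonate, mapped to their legitimate apex domain.
BRAND_TOKENS = {"royalmail": "royalmail.com", "usps": "usps.com"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one log line into a record, or None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, url = m.groups()
    host = (urlsplit(url).hostname or "").lower()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src,
        "host": host,
        "url": url,
    }


def classify_host(host):
    """Verdict for a host: 'known_bad' (intel match), 'lookalike' (brand string on a
    non-brand apex), or 'ok'."""
    if host in KNOWN_BAD or any(host.endswith("." + d) for d in KNOWN_BAD):
        return "known_bad"
    labels = host.split(".")
    apex = ".".join(labels[-2:])
    for token, legit_apex in BRAND_TOKENS.items():
        if token in host and apex != legit_apex:
            return "lookalike"
    return "ok"


def analyze(log_text, bucket_minutes=5, spike_threshold=3):
    """Count flagged requests per (verdict, host) and find time buckets where flagged
    traffic meets the spike threshold (an early sign of a campaign wave)."""
    hits_per_host = Counter()
    buckets = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify_host(rec["host"])
        if verdict == "ok":
            continue
        hits_per_host[(verdict, rec["host"])] += 1
        start_minute = rec["ts"].minute - rec["ts"].minute % bucket_minutes
        bucket = rec["ts"].replace(minute=start_minute, second=0, microsecond=0)
        buckets[bucket] += 1
    spikes = sorted(b for b, n in buckets.items() if n >= spike_threshold)
    return {"hits": dict(hits_per_host), "spikes": spikes}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for (verdict, host), n in sorted(result["hits"].items()):
        print(f"{verdict:10} {host:30} {n}")
    for b in result["spikes"]:
        print("spike in bucket starting", b.isoformat())
```

Note that the legitimate `www.royalmail.com` and `www.usps.com` requests pass because their apex matches the brand's real domain; the lookalike check only fires when the brand string appears under some other apex, which is exactly how the auto-generated domains described above are built.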

The Broader Threat Landscape

Lucid Phishing-as-a-Service is part of a growing trend in the cybercrime economy, where PhaaS platforms like Darcula and Lighthouse—also tied to XinXin—proliferate. The subscription model, combined with advanced evasion tactics, amplifies the scale and success of phishing attacks. Prodaft notes Lucid’s 5% success rate—far exceeding the typical 2% for phishing—underscoring its potency.
As Chinese-speaking threat actors refine their tools, cybersecurity professionals must adapt. The overlap with Darcula v3 suggests XinXin is building a modular ecosystem, potentially integrating features across platforms to stay ahead of defenses. Staying informed via resources like Prodaft’s threat intelligence reports is essential for tracking this evolution.

Lucid Phishing-as-a-Service represents a critical escalation in the phishing threat landscape. Its use of iMessage and RCS, paired with a scalable subscription model, challenges traditional defenses and demands proactive measures from cybersecurity teams. By understanding its tactics and deploying targeted countermeasures, you can safeguard your organization against this pervasive threat.
