
A sophisticated phishing-as-a-service (PhaaS) platform known as Lucid has been linked to a widespread campaign targeting mobile users across 169 organizations in 88 countries. The operation leverages iMessage (iOS) and Rich Communication Services (RCS) on Android to bypass traditional spam filters, delivering highly convincing phishing messages impersonating logistics and financial services such as USPS, DHL, and Revolut [1].
Operational Tactics and Infrastructure
The Lucid platform, operated by the Chinese group XinXin since mid-2023, employs a multi-faceted approach to evade detection. Researchers note the use of over 1,000 phishing domains, automated site generation, and spamming tools distributed via Telegram channels with 2,000 members [1]. The platform’s abuse of iMessage and RCS protocols is particularly concerning due to their end-to-end encryption, which prevents carriers from inspecting message contents for malicious links [2].
To maintain operational security, Lucid operators utilize device farms with physical smartphones in motion (e.g., inside vehicles) to avoid geofencing detection. Temporary Apple IDs are generated for iMessage spoofing, while RCS implementation flaws in Android enable sender address manipulation [3]. The platform also incorporates geo-targeting, tailoring messages to victims’ locations and languages for higher success rates.
Technical Capabilities and Fraud Automation
Lucid’s phishing kits include several advanced features that streamline large-scale attacks:
- Auto-generated brand-specific landing pages mimicking legitimate services like Amazon and HSBC
- Built-in credit card validation to test stolen payment details
- Integration with device farms to rotate sending infrastructure
According to FBI warnings issued in March 2025, the platform’s infrastructure has been linked to numerous successful credential harvesting campaigns [4]. The bureau advises users to delete suspicious texts without interacting with embedded links and to verify any alerts through official applications or websites.
Mitigation Strategies
For organizations defending against Lucid-related campaigns, several defensive measures are recommended:
| Attack Vector | Mitigation Approach |
|---|---|
| iMessage Abuse | Enable advanced fraud protection in Apple Business Manager for enterprise devices |
| RCS Spoofing | Deploy carrier-grade RCS filtering solutions with anomaly detection |
| Phishing Sites | Implement DNS filtering services with real-time threat intelligence feeds |
Security teams should monitor for connections to known Lucid infrastructure and educate users about the platform’s common tactics. The FBI recommends reporting any suspected Lucid phishing attempts to the Internet Crime Complaint Center (IC3) [4].
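As an added example (not code from the article or from any of the referenced vendors), the script below applies the table’s DNS-filtering advice and the infrastructure-monitoring recommendation to a DNS query log: each queried name is checked against a threat feed of known phishing domains and, separately, for an impersonated brand name (USPS, DHL, Revolut) appearing outside that brand’s legitimate domain. The feed entries, log format, and sample log lines are all constructed placeholders.

```python
import re

# Constructed placeholder indicators; a real feed would supply actual domains.
THREAT_FEED = {"lucid-kit-placeholder.example", "parcel-fee-placeholder.example"}
# Brands the campaign impersonates -> their legitimate registrable domains.
BRANDS = {"usps": {"usps.com"}, "dhl": {"dhl.com", "dhl.de"}, "revolut": {"revolut.com"}}
# Constructed log line format: "<timestamp> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")

def registrable_domain(name):
    # Last two labels only; a simplification that ignores public-suffix rules.
    return ".".join(name.split(".")[-2:])

def classify(qname):
    """Return a reason if qname looks like phishing infrastructure, else None."""
    name = qname.lower().rstrip(".")
    for bad in THREAT_FEED:  # check 1: known-bad domain or any subdomain of it
        if name == bad or name.endswith("." + bad):
            return "threat-feed match: " + bad
    reg = registrable_domain(name)
    for brand, legit in BRANDS.items():  # check 2: brand name on a foreign domain
        if brand in name and reg not in legit:
            return "brand lookalike: %s in %s" % (brand, name)
    return None

def scan(log_lines):
    """Return [(client, qname, reason)] for every suspicious query in the log."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, client, qname = m.groups()
        reason = classify(qname)
        if reason:
            hits.append((client, qname, reason))
    return hits

SAMPLE_LOG = [  # constructed sample: two benign, two suspicious, one malformed
    "2025-03-31T10:00:01Z 10.0.0.5 query www.usps.com",
    "2025-03-31T10:00:02Z 10.0.0.5 query usps-redelivery-fee.example",
    "2025-03-31T10:00:03Z 10.0.0.9 query track.lucid-kit-placeholder.example",
    "2025-03-31T10:00:04Z 10.0.0.9 query revolut.com",
    "not a dns log line",
]

if __name__ == "__main__":
    for client, qname, reason in scan(SAMPLE_LOG):
        print(client, qname, reason)
```

The brand check deliberately inspects the whole name, so a lookalike such as a legitimate brand domain used as a subdomain of an unrelated registrable domain is also flagged.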
Broader Threat Landscape Connections
Researchers have identified potential links between Lucid and other PhaaS operations like Darcula v3, suggesting a growing ecosystem of specialized phishing tools originating from Chinese cybercrime groups [5]. The platform’s modular design and subscription model (with weekly license distribution) indicate the professionalization of smishing operations, mirroring trends observed in ransomware-as-a-service models.
As mobile messaging continues to replace traditional email for business communication, platforms like Lucid represent a significant escalation in phishing threats. Their ability to bypass conventional security controls through protocol abuse requires updated defensive strategies focused on behavioral analysis rather than signature-based detection.
References
- [1] “Phishing platform ‘Lucid’ behind wave of iOS, Android SMS attacks.” BleepingComputer, 31 Mar. 2025.
- [2] “New ‘Lucid’ Phishing Platform Abuses iMessage, Android RCS.” eSecurityPlanet, 28 Mar. 2025.
- [3] “‘Lucid’ Phishing Tool Exploits Faults in iMessage, RCS.” Dark Reading, 26 Mar. 2025.
- [4] “FBI Warning As iPhone, Android Users ‘Bombarded’ By Chinese Attack.” Forbes, 22 Mar. 2025.
- [5] “New Lucid PhAAS Platform Leveraging RCS & iMessage.” CybersecurityNews, 28 Mar. 2025.