Lucid is a sophisticated Phishing-as-a-Service (PhaaS) platform operated by Chinese-speaking threat actors, targeting 169 entities across 88 countries globally. With 129 active instances and 1000+ registered domains, Lucid ranks among prominent PhaaS platforms, alongside Darcula and Lighthouse.
Its scalable, subscription-based model enables cybercriminals to conduct large-scale phishing campaigns to harvest credit card details for financial fraud. The platform employs an automated attack delivery mechanism, deploying customizable phishing websites distributed primarily through SMS-based lures. To enhance effectiveness, Lucid leverages Apple iMessage and Android’s RCS technology, bypassing traditional SMS spam filters and significantly increasing delivery and success rates.
Lucid incorporates advanced anti-detection and evasion techniques, such as IP blocking and user-agent filtering, to prolong the lifespan of its phishing sites. Additionally, it features a built-in card generator, enabling threat actors to validate and exploit stolen payment data efficiently. Given its advanced infrastructure and persistent activity, Lucid poses a significant and ongoing cyber threat. Its operations underscore the growing reliance on PhaaS platforms to facilitate payment fraud and financial cybercrime, necessitating heightened vigilance and proactive mitigation efforts.

(EncryptHub) is a threat actor that has come to the forefront with highly sophisticated spear-phishing attacks since 26 June 2024. In the attacks it has carried out, it exhibits a different operational strategy by carrying out all the processes necessary to obtain initial access through personalized SMS (smishing) or by calling the person directly (vishing) and tricking the victim into installing remote monitoring and management (RMM) software. When investigating the attacks carried out by the threat actor, it is evident that their social engineering techniques and persuasion skills are highly effective.
In the first phase, the actor usually creates a phishing site that targets the organization to obtain the victim's VPN credentials. The victim is then called and asked to enter the victim's details into the phishing site for technical issues, posing as an IT team or helpdesk. If the attack targeting the victim is not a call but a direct SMS text message, a fake Microsoft Teams link is used to convince the victim. After gaining access from the victim, the team runs various stealers on the compromised machine using the PowerShell

Cybersecurity researchers have offered insight into a previously undocumented software control panel used by a financially motivated threat group known as TA505.

"The group frequently changes its malware attack strategies in response to global cybercrime trends," Swiss cybersecurity firm PRODAFT said in a report shared with The Hacker News. "It opportunistically adopts new technologies in order to gain leverage over victims before the wider cybersecurity industry catches on."