Chinese Threat Actors Ditch Static Phishing Pages for Live Credential Interception

The Chinese phishing-as-a-service (PhaaS) landscape has been rapidly growing in size and sophistication over the past few months, Google researchers have warned.

Cyber threat actors operating mature phishing services, many of whom are likely tied to the broader Asian criminal ecosystem, have largely shifted from static password harvesting to real-time interception and tokenization.

One group, operating the ‘Lighthouse’ SMS phishing (smishing) kit, was subject to a lawsuit filed by Google in November 2025.

However, it was just the tip of the iceberg. In a new report published on May 25, Google Threat Intelligence Group (GTIG) said it observed at least a dozen other active PhaaS offerings in the Chinese underground.

Real-Time Credential Theft Tactics

GTIG noted that, while Russian-based PhaaS operations (the dominant market for phishing services) typically target customers of large organizations, Chinese-language phishing services cast a wider net, opportunistically targeting the general public.

The report highlighted that nearly all organizations impersonated by these services are non-Chinese entities, suggesting operators deliberately avoid domestic targets.

Top targeted countries include Japan, the US, Australia, Hong Kong and the United Arab Emirates.

GTIG identified several notable tactics that set these Chinese-language operators apart.

First, rather than relying on traditional SMS, Chinese phishing operators have shifted to encrypted messaging protocols like Rich Communication Services (RCS) and Apple iMessage to deliver phishing lures. The end-to-end encryption used by these protocols makes it significantly harder for infrastructure-level filters to detect and block malicious links, while their rich feature sets (e.g. read receipts, high-resolution media, typing indicators) make phishing messages appear far more convincing to potential victims.


More importantly, GTIG emphasized the recent shift to real-time credential interception.

“By utilizing live administration panels, attackers can interact with victims in real-time to capture one-time passcodes (OTPs), allowing them to bypass multifactor authentication (MFA) instantly,” noted the GTIG researchers.

In practice, when a victim enters credentials on a phishing page, the data is immediately surfaced on an attacker-controlled administrative panel. Attackers can then simultaneously trigger OTP requests on their own devices, capturing the codes seconds before they expire and effectively neutralizing MFA protections.

Operators are also exploiting digital wallet provisioning to monetize stolen payment details. Using captured credentials and OTPs, attackers provision victims' payment cards into digital wallets on attacker-controlled devices, enabling high-value transactions, contactless payments and ATM withdrawals.

Some platforms also offer brokerage-focused templates designed to facilitate account takeovers for wire fraud and stock manipulation.

Finally, GTIG flagged the growing use of AI to enable scale and evade detection.

For instance, the Darcula PhaaS platform, linked by GTIG to threat actor UNC5814, has abandoned static phishing templates in favor of AI-powered page generators and browser automation tools that can clone legitimate websites by replicating their HTML, CSS, JavaScript and visual elements. Because each generated phishing page is unique, traditional signature-based detection methods are rendered increasingly ineffective.
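The unique-page problem described above, as an added example that is not code from the report or from any vendor tool: two constructed near-clones of a fictional login page get different content hashes (the signature a regenerated page defeats), while a fingerprint built from the tag skeleton, and one built from the page title plus the login form's field names, still match. The page markup, brand and field names are assumptions constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

# Two constructed clones of a fictional bank login page, standing in for two
# generated variants of one lure: ids, classes, whitespace and a wrapper differ.
PAGE_A = """<html><head><title>Acme Bank - Sign in</title></head>
<body><div class="a1x9"><form id="f-7721" action="/login">
<input name="user"><input name="pass" type="password">
<button>Sign in</button></form></div></body></html>"""
PAGE_B = """<html><head><title>Acme Bank - Sign in</title></head>
<body>  <div class="q7zz"><form id="f-0034" action="/auth">
<input name="user"><input name="pass" type="password">
<button><span>Sign in</span></button></form></div></body></html>"""


class Skeleton(HTMLParser):
    """Keeps tag sequence, title and input names; attribute values are ignored."""
    def __init__(self, html):
        super().__init__()
        self.tags, self.inputs, self.title, self._in_title = [], [], "", False
        self.feed(html)

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self._in_title = self._in_title or tag == "title"
        if tag == "input":
            self.inputs.append(dict(attrs).get("name", ""))

    def handle_endtag(self, tag):
        self._in_title = self._in_title and tag != "title"

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()


def exact_signature(html: str) -> str:
    """Classic content signature: any regenerated variant gets a new value."""
    return hashlib.sha256(html.encode()).hexdigest()


def structural_similarity(a: str, b: str, k: int = 3) -> float:
    """Jaccard similarity of k-tag shingles; near-clones score close to 1.0."""
    def shingles(h):
        t = Skeleton(h).tags
        return {tuple(t[i:i + k]) for i in range(len(t) - k + 1)}
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)


def form_fingerprint(html: str) -> tuple:
    """Brand-level signature: title plus the login form's sorted field names."""
    p = Skeleton(html)
    return (p.title, tuple(sorted(p.inputs)))
```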

Example of a typical attack chain involving Chinese-made phishing-as-a-service tools. Source: Google Threat Intelligence Group

Chinese PhaaS Operators Offer Full Criminal Suites – and Flaunt It

The GTIG report noted that most sophisticated Chinese PhaaS platforms offer services beyond phishing kits.

Some of these malicious vendors sell comprehensive suites of criminal services including the sale of personally identifiable information (PII), domain registration and virtual private server (VPS) hosting, money laundering, IMSI catchers, spam messaging assistance and stolen payment card trading.

Google researchers also observed a lack of cyber hygiene and operational security (OpSec) among some Chinese PhaaS operators, with some identified individuals openly advertising their services on Telegram and routinely posting photos flaunting luxury lifestyles on the same channels.
