CyberHappenings

Lighthouse and Lucid PhaaS Campaigns Target 316 Brands Across 74 Countries

4 unique sources, 7 articles

Summary


The phishing-as-a-service (PhaaS) offerings Lighthouse and Lucid have been linked to over 17,500 phishing domains targeting 316 brands across 74 countries. The campaigns leverage various phishing kits and templates to impersonate brands and harvest credentials. The operations are attributed to the Chinese-speaking XinXin group and other associated actors. Google has filed a civil lawsuit against China-based hackers behind the Lighthouse PhaaS platform, which has ensnared over 1 million users across 120 countries and made over $1 billion over the past three years. The platform uses over 194,000 malicious domains and has compromised between 12.7 million and 115 million payment cards in the U.S. alone. The phishing kits offer template customization and real-time victim monitoring, with prices ranging from $88 for a week to $1,588 for a yearly subscription. The campaigns also highlight a broader trend of collaboration and innovation within the PhaaS ecosystem, with threat actors returning to email as a primary channel for harvesting stolen credentials. A growing cluster of fraudulent domains impersonating major Egyptian service providers, including Fawry, Egypt Post, and Careem, has been identified during a recent threat-hunting operation by Dark Atlas. The discovery points to an expanding campaign run by the Smishing Triad, a Chinese-speaking cybercrime group known for large-scale SMS phishing operations. New malicious domains were uncovered after analysts examined HTTP headers from the group’s infrastructure and used those indicators to run targeted searches on Shodan. The investigation highlighted the group’s reliance on Telegram to promote and sell its phishing-as-a-service offerings. A separate but related development involves Darcula, a large-scale PhaaS platform operating more than 20,000 spoofed domains across 100 countries. Netcraft reports that an upgraded version, Darcula 3.0, introduced anti-detection features, an enhanced admin panel, a card-cloning tool, and AI-driven automation that allows operators to build phishing pages with a single click. Both the Smishing Triad and emerging PhaaS services like Darcula demonstrate the increasing sophistication of global phishing operations.

Timeline

  1. 25.11.2025 18:00 1 article · 23h ago

    Smishing Triad Expands Campaigns with New Fraudulent Domains

    A growing cluster of fraudulent domains impersonating major Egyptian service providers, including Fawry, Egypt Post, and Careem, has been identified during a recent threat-hunting operation by Dark Atlas. The discovery points to an expanding campaign run by the Smishing Triad, a Chinese-speaking cybercrime group known for large-scale SMS phishing operations. New malicious domains were uncovered after analysts examined HTTP headers from the group’s infrastructure and used those indicators to run targeted searches on Shodan. The investigation highlighted the group’s reliance on Telegram to promote and sell its phishing-as-a-service offerings. Older Telegram channels led analysts to a video from a member identified as 'wangduoyu8,' demonstrating the group’s customizable smishing kit. The kits include international templates that mimic well-known brands, such as fake delivery notifications imitating DHL, Evri, and UPS, telecom billing alerts resembling AT&T, Movistar, and Vodafone, and government and postal service messages linked to USPS, GOV.UK, and Egypt Post.

  2. 19.09.2025 17:02 7 articles · 2mo ago

    Lighthouse and Lucid PhaaS Campaigns Target 316 Brands Across 74 Countries

    The phishing-as-a-service (PhaaS) offerings Lighthouse and Lucid have been linked to over 17,500 phishing domains targeting 316 brands across 74 countries. The campaigns leverage various phishing kits and templates to impersonate brands and harvest credentials. The operations are attributed to the Chinese-speaking XinXin group and other associated actors. The phishing kits offer template customization and real-time victim monitoring, with prices ranging from $88 for a week to $1,588 for a yearly subscription. The campaigns also highlight a broader trend of collaboration and innovation within the PhaaS ecosystem, with threat actors returning to email as a primary channel for harvesting stolen credentials. Google has filed a civil lawsuit against China-based hackers behind the Lighthouse PhaaS platform, which has ensnared over 1 million users across 120 countries and made over $1 billion over the past three years. The platform uses over 194,000 malicious domains and has compromised between 12.7 million and 115 million payment cards in the U.S. alone. The lawsuit aims to shut down the website infrastructure supporting the Lighthouse phishing-as-a-service (PhaaS), which offers phishing templates and infrastructure to other cybercriminals. Researchers at Cisco Talos have linked Lighthouse to smishing kits developed by the Chinese threat actor known as 'Wang Duo Yu'. The phishing platform enables threat actors to send text messages via iMessage (iOS) and RCS (Android), potentially evading spam filters. Google is suing more than two dozen unnamed individuals allegedly involved in peddling the Lighthouse phishing kit. Lighthouse is part of the 'Smishing Triad' and is responsible for sending millions of text messages spoofing trusted brands. The phishing site automatically attempts to enroll the victim's card as a mobile wallet from Apple or Google. Google's lawsuit alleges the purveyors of Lighthouse violated the company's trademarks by including Google's logos on countless phishing websites. Google is pursuing Lighthouse under the Racketeer Influenced and Corrupt Organizations (RICO) Act. The Lighthouse phishing enterprise encompasses several connected threat actor groups that work together to design and implement complex criminal schemes. The threat actor teams include a developer group, data broker group, spammer group, theft group, and administrative group. Lighthouse makes it easy for customers to mass-create fake e-commerce websites that are advertised using Google Ads accounts. Ford Merrill from SecAlliance noted that many Lighthouse customers are using the phishing kit to erect fake e-commerce websites advertised on Google and Meta platforms. The Chinese mobile phishing market is lucrative, and it's difficult to imagine a popular phishing service voluntarily turning out the lights. A majority of the phishing sites created with these kits are sitting at two Chinese hosting companies: Tencent (AS132203) and Alibaba (AS45102). Google supports several U.S. policy initiatives aimed at protecting consumers from scams and foreign-based cybercrime, including the GUARD Act, Foreign Robocall Elimination Act, and SCAM Act. Lighthouse has been used to deploy smishing attacks, especially by a loosely linked collective sometimes called the 'Smishing Triad,' targeting major Western financial organizations and banks in Australia, as well as the broader Asia-Pacific (APAC) region. The Smishing Triad collective has been operating since 2023, but the latest version of the Lighthouse kit was unveiled on Telegram on March 18, 2025. The targets of Smishing Triad attacks span across several industries, including postal, logistics, telecommunications, transportation, finance, retail, and public sectors.
    Lighthouse is described as a 'phishing for dummies' kit for cybercriminals who could not otherwise execute a large-scale phishing campaign. The kit allegedly offers over 600 templates for fraudulent phishing websites, each designed to resemble the legitimate website of one of more than 400 entities or institutions. Lighthouse users can filter and search for templates by geographic region, country, official website, and update time. At least 116 templates feature a Google logo (YouTube, Gmail, Google, or Google Play) on the sign-in screen. The kit was reportedly used to launch 32,094 distinct US Postal Service (USPS) phishing websites with an average of 50,000 page visits from July 2023 through October 2024. Google has determined that shutting down the Lighthouse operation will require persistent, long-term efforts because of its highly adaptive and decentralized nature, where the group can quickly pivot infrastructure and launch new phishing campaigns with minimal resources.

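The Dark Atlas hunt described in the first timeline entry pivots from HTTP response headers observed on known Smishing Triad infrastructure to other hosts that return the same headers, then checks whether those hosts impersonate a watched brand. The Python script below is an added illustration of that defensive pivot, not code from Dark Atlas, CyberHappenings or any source cited on this page. It derives a stable fingerprint from the ordered header names plus the values of a few implementation-revealing headers (volatile headers such as Date and Set-Cookie contribute only their name), clusters hosts by that fingerprint, and flags host names that resemble the brands the report says were impersonated. Every host name, header and value in it is constructed sample data; a real hunt would feed scanner responses (for example from Shodan) into the same functions.

```python
"""Pivot on HTTP response-header fingerprints and flag brand lookalikes.

Added example. All hosts, headers and values are constructed sample data,
not indicators from the Dark Atlas report.
"""
import hashlib
import re
from collections import defaultdict

# Brands named on the page as impersonated by Smishing Triad kits. Short tokens
# such as "ups" are deliberately left out because they match ordinary words.
WATCHED_BRANDS = ["fawry", "egyptpost", "careem", "dhl", "evri", "usps", "vodafone"]

# Headers whose *values* reveal the deployment stack and so belong in the
# fingerprint. Every other header contributes only its name and position.
FINGERPRINT_VALUE_HEADERS = ("server", "x-powered-by")

# Constructed scanner output: three hosts that share one deployment template
# and two unrelated hosts that must not be pulled into the cluster.
SAMPLE_HOSTS = {
    "fawry-pay-secure.example": {
        "Server": "nginx/1.18.0",
        "Date": "Tue, 25 Nov 2025 10:00:01 GMT",
        "Content-Type": "text/html; charset=UTF-8",
        "X-Powered-By": "PHP/7.4.33",
        "Set-Cookie": "PHPSESSID=1a2b3c; path=/",
    },
    "egypt-post-track.example": {
        "Server": "nginx/1.18.0",
        "Date": "Tue, 25 Nov 2025 10:00:07 GMT",
        "Content-Type": "text/html; charset=UTF-8",
        "X-Powered-By": "PHP/7.4.33",
        "Set-Cookie": "PHPSESSID=9f8e7d; path=/",
    },
    "careem-ride-refund.example": {
        "Server": "nginx/1.18.0",
        "Date": "Tue, 25 Nov 2025 10:00:12 GMT",
        "Content-Type": "text/html; charset=UTF-8",
        "X-Powered-By": "PHP/7.4.33",
        "Set-Cookie": "PHPSESSID=5c6d7e; path=/",
    },
    "corporate-blog.example": {
        "Server": "Apache/2.4.57",
        "Date": "Tue, 25 Nov 2025 10:00:20 GMT",
        "Content-Type": "text/html; charset=UTF-8",
    },
    "shop.example": {  # same stack, but a different header order
        "Content-Type": "text/html; charset=UTF-8",
        "Server": "nginx/1.18.0",
        "Date": "Tue, 25 Nov 2025 10:00:25 GMT",
        "X-Powered-By": "PHP/7.4.33",
        "Set-Cookie": "PHPSESSID=0a0b0c; path=/",
    },
}


def fingerprint(headers):
    """Hash the ordered header names plus the values of stack-revealing headers.

    Relies on dict insertion order (Python 3.7+) to preserve header order.
    """
    parts = []
    for name, value in headers.items():
        lname = name.lower()
        if lname in FINGERPRINT_VALUE_HEADERS:
            parts.append(f"{lname}={value.strip()}")
        else:
            parts.append(lname)
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def cluster_by_fingerprint(hosts):
    """Group host names by fingerprint: {fingerprint: [host, ...]}."""
    clusters = defaultdict(list)
    for host, headers in hosts.items():
        clusters[fingerprint(headers)].append(host)
    return dict(clusters)


def lookalike_brands(domain):
    """Return the watched brands whose name is embedded in the domain label."""
    label = domain.lower().rsplit(".", 1)[0]      # drop the top-level label
    label = re.sub(r"[^a-z0-9]", "", label)        # "egypt-post" -> "egyptpost"
    return [brand for brand in WATCHED_BRANDS if brand in label]


def pivot(hosts, seed_host):
    """From one confirmed host, find every other host sharing its fingerprint.

    Returns {host: [lookalike brands]} so an analyst can triage the cluster.
    """
    seed_fp = fingerprint(hosts[seed_host])
    return {
        host: lookalike_brands(host)
        for host, headers in hosts.items()
        if host != seed_host and fingerprint(headers) == seed_fp
    }


if __name__ == "__main__":
    for fp, members in cluster_by_fingerprint(SAMPLE_HOSTS).items():
        print(fp, members)
    print(pivot(SAMPLE_HOSTS, "fawry-pay-secure.example"))
```

Hashing only header names and order, together with a couple of stack-revealing values, is what makes the fingerprint survive the per-host noise in Date and session cookies while still separating hosts that merely run the same web server. The brand check is a coarse first filter; new hits still need manual review before they are treated as indicators.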


Similar Happenings

FBI Warns of $262M Stolen in Account Takeover Fraud Schemes

Since January 2025, cybercriminals impersonating bank support teams have stolen over $262 million through account takeover (ATO) fraud schemes. The FBI's Internet Crime Complaint Center (IC3) has received over 5,100 complaints, affecting individuals and businesses across various sectors. Criminals gain unauthorized access to online financial accounts using social engineering techniques or fraudulent websites. Once in control, they wire funds to crypto wallets and often change account passwords, making recovery difficult. The FBI advises monitoring financial accounts, using strong passwords, enabling MFA, and avoiding search results for banking websites. Victims are urged to contact their financial institutions immediately and file complaints with the IC3. Recent reports highlight the growing use of AI-powered phishing campaigns, SEO poisoning, and exploitation of e-commerce vulnerabilities, particularly ahead of the holiday season. Additionally, purchase scams and mobile phishing (mishing) sites have seen a significant increase, leveraging trusted brand names to deceive users. Cybercriminals have been found to alert account holders to alleged fraudulent purchases of high-risk items such as firearms, and use SEO poisoning by purchasing ads that imitate legitimate business ads to increase the prominence of their phishing websites.

Active Spyware Campaigns Targeting High-Value Signal and WhatsApp Users

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning of active spyware campaigns targeting high-value Signal and WhatsApp users. These campaigns leverage sophisticated social engineering and zero-click exploits to compromise mobile devices and exfiltrate sensitive data. The targets include government officials, military personnel, political figures, and civil society organizations across the U.S., Middle East, and Europe. CISA has identified multiple campaigns, including the hijacking of Signal accounts via linked devices, Android spyware campaigns like ProSpy and ToSpy, and the exploitation of iOS and WhatsApp vulnerabilities to target fewer than 200 users. The agency recommends several best practices to mitigate these threats.

APT Groups Exploiting Governance and Compliance Frameworks as Attack Surfaces

Advanced persistent threat (APT) groups are increasingly exploiting gaps in governance, risk, and compliance (GRC) frameworks as attack surfaces. Mohammed Almunajam from Tuwaiq Academy highlights that attackers are targeting weaknesses in governance approvals, compliance cycles, and investigation workflows, rather than just exploiting code. This trend has been observed in recent cybercrime and digital forensic investigations, indicating a shift in attacker strategies. Almunajam will present the "6 Black Hat Laws," a new behavioral security framework, at Black Hat Middle East and Africa 2025 to help enterprises combat these threats.

Google Maps Introduces Extortion Reporting Feature for Businesses

Google has launched a dedicated form to help businesses report review-based extortion attempts on Google Maps. This feature aims to combat review bombing, where threat actors post fake negative reviews and demand ransoms for their removal. The new tool allows businesses to report such incidents directly to Google for investigation and action. Google also highlighted various other prevalent scams, including online job scams, AI product impersonation scams, malicious VPN apps, fraud recovery scams, and seasonal holiday scams. The company advises users to be cautious and vigilant to avoid falling victim to these schemes.

Smishing Triad's Global Phishing Campaign Targets 194,000 Domains

A China-linked threat actor group, the Smishing Triad, has been linked to over 194,000 malicious domains used in a global smishing campaign since January 1, 2024. The campaign targets various services worldwide, including the U.S. Postal Service and toll services. The group has evolved into a highly active community within the phishing-as-a-service (PhaaS) ecosystem, generating over $1 billion in the last three years. The domains are registered through a Hong Kong-based registrar and use Chinese nameservers, but the infrastructure is hosted on U.S. cloud services. The campaign employs rapid domain churn to evade detection and uses a variety of tactics to trick users into providing sensitive information.