Paid brand-impersonation phishing kits Lucid and Lighthouse scale fake-domain operations
Threat Actor Meta
Summary
Hide ▲
Show ▼
Brand-impersonation phishing has become a paid service, with kits like Lucid and Lighthouse scaling fake-domain operations across 316 brands in 74 countries, increasing the reach and speed of impersonation abuse.
Related Happenings
Phantom squatting AI-hallucinated domain phishing campaign
Campaign
H score35
First: 01.07.2026 10:20
Last: 01.07.2026 10:20
Sources 1
How related:
Attackers have started buying those made-up domains before anyone else can, then hosting phishing pages on them to catch traffic that AI tools point their way.
About this happening:
A **phantom squatting** campaign is turning **AI-hallucinated domains** into live phishing and malware lures, putting **AI-referred traffic** at immediate risk. Attackers are regi...
Phantom squatting AI-hallucinated domain phishing campaign
CampaignHow related: Attackers have started buying those made-up domains before anyone else can, then hosting phishing pages on them to catch traffic that AI tools point their way.
About this happening: A **phantom squatting** campaign is turning **AI-hallucinated domains** into live phishing and malware lures, putting **AI-referred traffic** at immediate risk. Attackers are regi...
GitBait phishing campaign targeting Mexican banks
Campaign
H score20
First: 17.06.2026 17:00
Last: 17.06.2026 17:00
Sources 1
About this happening:
A **long-running GitBait phishing campaign** is stealing **banking credentials** from customers of **Mexican financial institutions**, using **GitHub Pages** and **SheetBest** to...
GitBait phishing campaign targeting Mexican banks
CampaignAbout this happening: A **long-running GitBait phishing campaign** is stealing **banking credentials** from customers of **Mexican financial institutions**, using **GitHub Pages** and **SheetBest** to...
Sniper Dz free PhaaS ecosystem rebranded to scale phishing operations
Threat Actor Meta
H score43
First: 12.06.2026 11:52
Last: 12.06.2026 11:52
Sources 1
About this happening:
A long-running **Sniper Dz** ecosystem operated as a **free phishing-as-a-service (PhaaS)** platform that repeatedly rebranded, lowering the barrier for large-scale credential the...
Sniper Dz free PhaaS ecosystem rebranded to scale phishing operations
Threat Actor MetaAbout this happening: A long-running **Sniper Dz** ecosystem operated as a **free phishing-as-a-service (PhaaS)** platform that repeatedly rebranded, lowering the barrier for large-scale credential the...
Latest development: 15.06.2026 09:30
Fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations targeted users across the Middle East and North Africa with fake offers for free mobile internet packages, financial compensation, and government subsidy programs, then routed victims through Linkbio and Linktree decoy pages into Sniper Dz phishing and traffic monetization infrastructure that abuses browser notification permissions, back-button hijacking, tab-under redirections, premium SMS subscriptions, premium-rate calls, and investment scams.
Google sponsored search ManageWP phishing campaign
Campaign
H score13
First: 07.05.2026 00:36
Last: 07.05.2026 00:36
Sources 1
About this happening:
A **phishing campaign** is abusing **Google sponsored search results** to impersonate **ManageWP** and steal login credentials, **2FA codes**, and account access. The operation ma...
Google sponsored search ManageWP phishing campaign
CampaignAbout this happening: A **phishing campaign** is abusing **Google sponsored search results** to impersonate **ManageWP** and steal login credentials, **2FA codes**, and account access. The operation ma...
Custom vishing campaign stealing Okta SSO credentials
Campaign
H score44
First: 22.01.2026 23:43
Last: 22.01.2026 23:43
Sources 1
About this happening:
A **custom vishing campaign** is actively stealing **Okta SSO credentials** through live, adversary-in-the-middle phishing pages, creating immediate risk of account takeover and d...
Custom vishing campaign stealing Okta SSO credentials
CampaignAbout this happening: A **custom vishing campaign** is actively stealing **Okta SSO credentials** through live, adversary-in-the-middle phishing pages, creating immediate risk of account takeover and d...
Timeline
-
01.07.2026 10:20 2 articles · 1h ago
Lucid and Lighthouse scale brand-impersonation phishing as a paid service
Campaign Scope UpdateBrand-impersonation phishing is operating as a paid service, with kits like Lucid and Lighthouse standing up 17,500 fake domains against 316 brands across 74 countries and reducing the time security teams have to react when lookalike domains are registered at scale.
Show sources
- Phantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware — thehackernews.com — 01.07.2026 10:20
- Phantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware — thehackernews.com — 01.07.2026 10:20