<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Phaas — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/phaas/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 25 May 2026 05:10:35 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/phaas/feed.xml" rel="self" type="application/rss+xml"/><item><title>Emergence of Chinese-Language Phishing-as-a-Service (PhaaS) Ecosystem</title><link>https://feed.craftedsignal.io/briefs/2026-05-chinese-phaas/</link><pubDate>Mon, 25 May 2026 05:10:35 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-chinese-phaas/</guid><description>A rapidly growing Chinese-language PhaaS ecosystem is shifting towards real-time interception of credentials and tokenization of stolen payment data, bypassing traditional SMS security filters with encrypted channels like RCS and iMessage, and employing AI-based automation to evade detection.</description><content:encoded><![CDATA[<p>A thriving Phishing-as-a-Service (PhaaS) ecosystem is emerging within the Chinese-language cybercrime landscape, challenging the dominance of Russian-speaking actors. This ecosystem features mature services intricately linked to the regional criminal underground, lowering the barrier to entry for Chinese cyber criminals. Instead of static password harvesting, these services leverage real-time interception and tokenization to bypass multifactor authentication (MFA). 
They exploit digital wallet provisioning to transform stolen payment data into tokenized assets, enabling direct, unauthorized control over victims&rsquo; financial accounts. This shift, combined with encrypted delivery channels, represents a significant evolution in social engineering and credential theft, moving beyond simple account access towards financial exploitation. The YY Lai Yu (YY来鱼) platform, advertised since August 2024, targets 119 countries, with a focus on Japan, exemplifying this trend.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attackers deliver phishing links over RCS and iMessage rather than SMS. Because these channels are encrypted in transit and bypass the carrier SMS path, traditional carrier-side SMS spam filters never see the link.</li>
<li>The victim clicks the malicious link, leading them to a phishing page that mimics a legitimate service.</li>
<li>The victim enters their credentials and, if applicable, an OTP on the phishing page.</li>
<li>The phishing kit forwards the input to a real-time administration panel, so the operator sees the credentials and OTP while the code is still valid, rather than harvesting them for later use.</li>
<li>The attacker uses the stolen credentials and OTP to provision the victim&rsquo;s payment card into a digital wallet on an attacker-controlled device.</li>
<li>The tokenized card is then used for high-value transactions, contactless payments, and ATM withdrawals.</li>
<li>Separately from the delivery chain, some PhaaS operators, Darcula among them, use AI-powered page generators that clone a legitimate website by replicating its HTML, CSS, JavaScript, and visual assets.</li>
<li>Because each generated page is unique, signature- and hash-based detection of the phishing pages becomes less effective.</li>
</ol>
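<p>The chain above is hard to see from the issuer side because every step uses the victim&rsquo;s real credentials and a valid OTP. What does survive is timing: the device and network that pass the OTP and then request card tokenization have never been seen on the account before, and the two events are minutes apart. The following is an added example (not code from the brief or from any vendor) that correlates constructed issuer-side auth and provisioning events to flag that pattern. The event schema, the field names, the 30-minute window and the sample lines are all assumptions for illustration.</p>

```python
"""Flag digital-wallet token provisioning that follows a first-seen-device login.

Added example: correlates issuer-side auth and provisioning events to spot the
relayed-OTP pattern (login + OTP from a device the account has never used,
followed minutes later by card tokenization from that same device).
The event schema, field names and sample lines are assumptions for illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. One JSON object per line.
# u1: legitimate history on dev-A, then a never-seen device dev-Z logs in,
#     passes OTP and provisions a card 100 seconds later (relay pattern).
# u2: provisions from a device first seen four days earlier (normal).
SAMPLE_EVENTS = """
{"ts":"2026-05-20T09:00:00Z","user":"u1","event":"login","device":"dev-A","ip_asn":"AS1001","ok":true}
{"ts":"2026-05-20T09:00:20Z","user":"u1","event":"otp_verify","device":"dev-A","ip_asn":"AS1001","ok":true}
{"ts":"2026-05-21T14:05:00Z","user":"u1","event":"login","device":"dev-Z","ip_asn":"AS9009","ok":true}
{"ts":"2026-05-21T14:05:11Z","user":"u1","event":"otp_verify","device":"dev-Z","ip_asn":"AS9009","ok":true}
{"ts":"2026-05-21T14:06:40Z","user":"u1","event":"wallet_provision","device":"dev-Z","ip_asn":"AS9009","ok":true}
{"ts":"2026-05-21T16:00:00Z","user":"u2","event":"login","device":"dev-B","ip_asn":"AS1001","ok":true}
{"ts":"2026-05-21T16:00:30Z","user":"u2","event":"otp_verify","device":"dev-B","ip_asn":"AS1001","ok":true}
{"ts":"2026-05-25T10:00:00Z","user":"u2","event":"wallet_provision","device":"dev-B","ip_asn":"AS1001","ok":true}
"""

WINDOW = timedelta(minutes=30)  # assumed: how "fresh" a device/ASN must be to count as suspicious


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_provisioning(events, window=WINDOW):
    """Return one alert per wallet_provision event that matches the relay pattern.

    State is updated *after* each event is evaluated, so an event cannot vouch
    for its own device or ASN as "already known".
    """
    first_seen = {}   # (user, "device"|"asn", value) -> first successful timestamp
    last_otp = {}     # (user, device) -> timestamp of last successful otp_verify
    alerts = []
    for e in events:
        if not e.get("ok"):
            continue  # failed attempts are useful elsewhere, but not for this rule
        user, dev, asn, ts = e["user"], e["device"], e["ip_asn"], e["ts"]
        if e["event"] == "wallet_provision":
            reasons = []
            dev_first = first_seen.get((user, "device", dev))
            if dev_first is None or ts - dev_first <= window:
                reasons.append("device first seen within window")
            asn_first = first_seen.get((user, "asn", asn))
            if asn_first is None or ts - asn_first <= window:
                reasons.append("ASN first seen within window")
            otp_ts = last_otp.get((user, dev))
            if otp_ts is not None and ts - otp_ts <= window:
                reasons.append("OTP verified on this device shortly before provisioning")
            if len(reasons) >= 2:
                alerts.append({"user": user, "device": dev, "ts": ts.isoformat(), "reasons": reasons})
        first_seen.setdefault((user, "device", dev), ts)
        first_seen.setdefault((user, "asn", asn), ts)
        if e["event"] == "otp_verify":
            last_otp[(user, dev)] = ts
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_provisioning(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

<p>Run against the sample, the rule fires once, for u1&rsquo;s provisioning from dev-Z, and stays quiet for u2. It is a heuristic: a victim who genuinely buys a new phone and adds a card the same day will also match, so in practice the alert should route to a step-up (in-app confirmation on an already-enrolled device) rather than a hard block.</p>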
<h2 id="impact">Impact</h2>
<p>The shift towards real-time credential interception and tokenization of stolen payment data enables attackers to bypass MFA and gain unauthorized control over victims&rsquo; financial accounts. This can lead to significant financial losses through unauthorized transactions, contactless payments, and ATM withdrawals. The use of AI-powered phishing page generators increases the scale and stealth of these operations, making them more difficult to detect and defend against. While the source doesn&rsquo;t mention specific victim counts, the PhaaS targets the general public opportunistically.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Treat links received over iMessage and RCS with the same scrutiny as SMS links: carrier-side SMS filtering does not cover these channels, so the link must be caught on the device or at the URL, with messages carrying external links triggering the corresponding detections.</li>
<li>Detect cloned phishing pages by comparing a page&rsquo;s structure and content with known legitimate sites; a page that closely matches a brand&rsquo;s login page but is served from a domain the brand does not own is a strong indicator.</li>
<li>Deploy the Sigma rule that detects OTP interception via access to the kit&rsquo;s admin panels to your SIEM, and tune it for your environment.</li>
</ul>
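<p>The second recommendation, a similarity check against known legitimate sites, works because a generated clone keeps the target&rsquo;s markup structure even when every copy differs in hashes, text or hostnames. The following is an added example (not code from the brief or from any product) that tokenizes a page into a tag sequence, compares its n-gram shingles with a brand&rsquo;s reference page, and flags the page only when it is both similar and served from a host outside the brand&rsquo;s allowlist. The brand, its domains, the HTML samples and the 0.7 threshold are constructed assumptions.</p>

```python
"""Flag a page whose markup closely matches a known brand's page but is served
from a domain the brand does not own.

Added example: a structural-similarity check for cloned login pages. The brand
allowlist, threshold and HTML samples are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class TagSequence(HTMLParser):
    """Collect start tags as 'tag.class#id' tokens; text content is ignored so
    the comparison keys on structure, which clones reproduce almost verbatim."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.tokens.append(f"{tag}.{a.get('class') or ''}#{a.get('id') or ''}")


def shingles(html, n=3):
    """Set of n-grams over the tag sequence (MinHash-able if the corpus grows)."""
    p = TagSequence()
    p.feed(html)
    seq = p.tokens
    return {tuple(seq[i:i + n]) for i in range(max(len(seq) - n + 1, 1))}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


# Constructed reference: the brand's own login page and the domains allowed to serve it.
LEGIT_HTML = """<html><body class="login"><header id="top"><img class="logo"></header>
<main><form id="signin" class="card" action="/login"><label>User</label><input class="field" id="uid">
<label>Password</label><input class="field" id="pwd"><button class="primary">Sign in</button></form>
<footer id="legal"><a class="link"></a><a class="link"></a></footer></main></body></html>"""

REFERENCE = {
    "examplebank": {"domains": {"examplebank.example"}, "shingles": shingles(LEGIT_HTML)},
}

# Constructed clone: identical structure, the form posts to the kit, and one
# injected script relays keystrokes to the operator's panel in real time.
CLONE_HTML = LEGIT_HTML.replace('action="/login"', 'action="/api/capture"') \
    .replace("</body>", '<script src="/kit/relay.js"></script></body>')


def host_allowed(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def assess(url, html, reference=REFERENCE, threshold=0.7):
    """Return [(brand, similarity)] for every brand this page appears to impersonate."""
    host = (urlparse(url).hostname or "").lower()
    page = shingles(html)
    hits = []
    for brand, ref in reference.items():
        sim = jaccard(page, ref["shingles"])
        if sim >= threshold and not host_allowed(host, ref["domains"]):
            hits.append((brand, round(sim, 2)))
    return hits


if __name__ == "__main__":
    print(assess("https://examplebank-secure.example/login", CLONE_HTML))  # flagged
    print(assess("https://examplebank.example/login", LEGIT_HTML))         # own domain, clean
```

<p>The clone scores about 0.92 against the reference and is flagged because <code>examplebank-secure.example</code> is not an allowed host; the same page on the brand&rsquo;s own domain is not. Structural shingles deliberately ignore text and attribute values, which is what lets them survive per-victim regeneration; the threshold needs tuning per brand, since template-based sites share a lot of boilerplate markup with unrelated pages.</p>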
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>phishing</category><category>phaas</category><category>credential-theft</category><category>social-engineering</category></item></channel></rss>