Chinese-Language Phishing-as-a-Service Ecosystem Rapidly Matures, Mandiant Reports
Mandiant reveals a booming Chinese-language PhaaS ecosystem with real-time MFA bypass, AI-generated phishing pages, and digital wallet tokenization.

A new report from Google Threat Intelligence Group (GTIG), published by Mandiant, details the rapid maturation of a Chinese-language phishing-as-a-service (PhaaS) ecosystem that is distinct from its Russian-speaking counterparts. The analysis, based on a dozen current offerings in the Chinese underground, reveals a professionalized market that lowers the barrier to entry for cybercriminals while introducing advanced techniques that bypass traditional defenses. These services are not merely regional copies of Western operations but a unique ecosystem shaped by different cultural norms and targeting strategies.
Unlike the major Russia-based PhaaS offerings that typically target customers of large organizations, Chinese-language phishing services are designed to target the general public more opportunistically. Nearly all the legitimate organizations mimicked by these phishing services are non-Chinese entities, suggesting they rarely target China. The providers operate with less regard for operational security, often posting photos of their luxury lifestyles on Telegram, which serves as their primary advertising channel rather than regionally popular platforms like WeChat or QQ.
A defining technical shift observed by GTIG is the move from static password harvesting to real-time interception and tokenization. Using live administration panels, attackers interact with victims in real time to capture one-time passcodes (OTPs), allowing them to bypass multifactor authentication (MFA) instantly. Rather than stopping at account access, these operations focus on exploiting digital wallet provisioning to turn stolen payment data into tokenized assets within ecosystems like Apple Pay or Google Pay, enabling high-value transactions and ATM withdrawals.
Delivery mechanisms have also evolved. These PhaaS operators heavily leverage Rich Communication Services (RCS) and Apple’s iMessage, whose end-to-end encryption makes it difficult for server-side infrastructure to inspect or filter malicious links. Messages include engagement features like read receipts and typing indicators, making lures appear remarkably legitimate. This approach sidesteps the traditional carrier security filters applied to SMS messages and reflects an emerging shift in which the goal is securing direct, unauthorized control over a victim's financial accounts.
Multiple Chinese-language PhaaS operators have adopted AI to enable scale and stealth. The Darcula PhaaS platform, linked to UNC5814, has moved away from static templates, instead using AI-powered page generators and browser automation tools like Puppeteer. This lets users clone legitimate websites, replicating their HTML, CSS, JavaScript, and visual elements, simply by providing the target website's URL. Because each phishing page is unique, signature-based detection methods are rendered increasingly ineffective.
The ecosystem is not limited to phishing kits. Developers typically offer numerous ancillary services, forming a complete, mature, and extensive offering. These include the sale of personally identifiable information (PII), domain name registration and VPS hosting services, server rentals, money laundering services, eavesdropping devices (IMSI catchers), and message sending services. Some platform vendors are also involved in trading stolen payment card information.
Late last year, Google took legal action against one PhaaS provider and has worked since then to endorse legislation and enact technical safeguards against these types of scams. The report underscores that the Chinese-language PhaaS ecosystem is not merely a regional mirror of Russian operations – it is a distinct market shaped by a unique professional culture. As these services continue to evolve, defenders must adapt to the new tactics of real-time interception, AI-generated lures, and encrypted delivery channels that characterize this growing threat.