
Chinese-Backed Smishing Rings Scale Credential Theft via SMS and OTT Apps – gbhackers.com

Chinese-language phishing-as-a-service (PhaaS) platforms are rapidly expanding their global reach by leveraging SMS and over-the-top (OTT) messaging channels such as iMessage and Rich Communication Services (RCS).
Over the past several months, researchers have conducted large-scale analysis to identify and track some of the most active Chinese-backed phishing ecosystems.
Their findings reveal highly organized operations that use advanced infrastructure, scalable frameworks, and affiliate-driven models to launch credential theft campaigns worldwide.
Starting May 4, urlscan.io will release a series of detailed threat intelligence reports focusing on these ecosystems.
The urlscan Threat Research Team has conducted extensive research to identify, cluster, and track some of the most impactful Chinese-language phishing-as-a-service (PhaaS) platforms.
Each report will examine a specific phishing framework or activity cluster, offering insights into infrastructure design, campaign execution, tracking mechanisms, and detection techniques.
One of the most notable trends is the growing reliance on mobile communication channels. Instead of traditional email phishing, attackers are increasingly using SMS (“smishing”) and OTT messaging platforms to reach victims directly on their smartphones.
These messages often impersonate trusted brands such as banks, delivery services, or toll operators. Victims are tricked into clicking malicious links that lead to fake login pages designed to steal credentials and financial information.
The use of OTT platforms like iMessage and RCS allows attackers to bypass traditional telecom filtering systems, making detection more difficult and increasing delivery success rates.
Researchers highlight the industrial scale of these campaigns. Threat actors frequently use SIM box infrastructure, which enables them to send large volumes of SMS messages across multiple countries from centralized systems.
At the core of these operations are backend phishing frameworks capable of managing multiple campaigns at once.
A single platform can host dozens of phishing templates tailored to different brands and regions, allowing attackers to run cross-border campaigns efficiently.
This centralized model reduces operational costs while maximizing potential profits, making it attractive to both experienced cybercriminals and new entrants.
Open-source intelligence from organizations such as Group-IB, Resecurity, and GSMA confirms the rapid growth of these ecosystems.
Reports indicate increased investment in infrastructure, automation tools, and affiliate programs that allow other threat actors to use these platforms for a fee.
Telemetry data and industry reports from APWG and Microsoft also show a sharp rise in phishing-related activity. This includes spikes in domain registrations, phishing kit deployments, and scanning activity linked to Chinese-language frameworks.
Researchers believe a significant portion of global SMS-based phishing campaigns can now be traced back to these ecosystems, either directly or through affiliated operators.
The expansion of smishing campaigns using OTT and SMS highlights a shift in attacker strategy toward mobile-first targeting. Security teams are encouraged to:
As financial incentives continue to grow, the PhaaS model is expected to evolve further, with more threat actors developing their own frameworks and competing in an increasingly crowded cybercrime market.
The upcoming urlscan.io report series aims to provide deeper visibility into these operations and support improved detection and mitigation efforts across the cybersecurity community.