urlscan.io Blog


Chinese-backed phishing services

Summarizing the large-scale campaigns run on Chinese-language phishing setups

– urlscan Threat Research Team

urlscan Pro Report

This is a public version of a report first published as an Intel Report on the urlscan Pro platform. The urlscan Pro version contains a more detailed look into the activity as well as more complex searches to cluster the activity. The urlscan Pro report also benefits from added visibility of Unlisted scans.

Over the past several months, the urlscan Threat Research Team has conducted extensive research to identify, cluster, and track some of the most impactful Chinese-language phishing-as-a-service (PhaaS) ecosystems operating at a global scale. This research combines large-scale telemetry, infrastructure analysis, and campaign tracking to better understand how these services are structured, operated, and deployed.

Beginning May 4th, we will publish a series of linked Threat Intelligence reports focused on the most prominent Chinese-language phishing frameworks currently active. Each report will examine a specific framework or activity cluster, providing detailed insights into campaign scale, infrastructure design, operational workflows, tracking mechanisms, and the detection methodologies developed by the urlscan.io team.

Collectively, this series aims to provide a comprehensive view of the ecosystems underpinning a significant portion of global phishing activity today, with a particular focus on the services enabling large-scale, cross-border campaigns.


Background

Phishing-as-a-service (PhaaS) has become a dominant model within the cybercriminal ecosystem, lowering the barrier to entry for conducting large-scale credential harvesting and fraud operations. In recent years, Chinese-language PhaaS platforms have emerged as a significant component of this landscape, supporting campaigns that target organizations and individuals across multiple regions.

A notable trend within these operations is the strong focus on consumer phishing, frequently delivered via mobile communication channels such as SMS (“smishing”) and over-the-top (OTT) messaging platforms, including iMessage and Rich Communication Services (RCS). Industry reporting and law enforcement investigations have highlighted the increasing industrialization of these campaigns, including the use of SIM box infrastructure to distribute messages at scale across international markets.

The globalization of mobile phishing has enabled threat actors to operate beyond regional constraints. Campaign operators commonly deploy centralized backend frameworks capable of supporting multiple frontend phishing templates, allowing a single platform to impersonate brands across different countries simultaneously. This model increases efficiency while maximizing potential financial return.

Open-source reporting from organizations such as Group-IB, Resecurity, and GSMA has documented the rapid growth of these ecosystems, including the expansion of infrastructure, tooling, and affiliate-based business models. These reports consistently highlight the increasing scale, sophistication, and accessibility of PhaaS platforms.

Telemetry and internal research further indicate a sharp rise in activity associated with Chinese-language phishing frameworks, including significant increases in domain registrations, phishing kit deployments, and scan volume (Sources: APWG, Microsoft). This growth suggests that a substantial proportion of large-scale SMS-based credential phishing campaigns observed globally are now linked either directly or indirectly to these ecosystems.

As financial incentives continue to grow, the PhaaS model is expected to further proliferate. Multiple threat actors and groups are already developing or adapting their own frameworks, contributing to an increasingly competitive and rapidly evolving threat landscape.

The naming conventions used throughout this series are based on identifiable indicators within phishing kits, infrastructure artifacts, or commonly used industry terminology. Due to the fragmented nature of reporting across the cybersecurity community, many clusters are known by multiple names. Where applicable, we aim to maintain consistency while acknowledging alternative naming used in existing research.

More on urlscan Pro

If you want to learn about the urlscan Pro platform and how it might be valuable for your organization feel free to reach out to us! We offer free trials with no strings attached. We would be happy to give you a passionate demo of what our platform can do for you. Reach out to us at sales@urlscan.io.