Google's Threat Intelligence Group (GTIG) — the threat research division combining Google's security teams with Mandiant following Google's 2022 acquisition — has published a detailed analysis of the Chinese-language phishing-as-a-service (PhaaS) underground, documenting a dozen active platforms that are rapidly approaching Russian-language PhaaS operations in sophistication, scale, and global reach. The report, titled "2 PhaaS 2 Furious: The Evolution of Chinese-language Phishing Services," describes a mature criminal ecosystem offering credential theft capabilities via SMS, Apple iMessage, and RCS (Rich Communication Services — the modern successor to SMS used on Android devices), targeting victims across multiple international regions. While Russian-speaking threat actors historically dominated the PhaaS market, GTIG's analysis shows the Chinese-language underground has closed much of that gap and is now a dominant independent force in global credential theft operations.
// 01 Chinese-Language PhaaS: Technical Details
The twelve Chinese-language PhaaS platforms analyzed by GTIG are mature, organized services, not ad hoc tools. They provide paying criminal customers with:
- Phishing lure libraries targeting major banks, postal services, payment platforms, government portals, and telecommunications providers across the US, UK, Australia, Canada, and Asia-Pacific
- SMS and OTT delivery infrastructure for bypassing carrier SMS spam filters. OTT (over-the-top) messaging services such as iMessage and RCS travel over data connections rather than the traditional SMS network, so conventional carrier-level filtering never sees the messages
- Automated victim management dashboards for tracking which targets have clicked lures, entered credentials, and completed verification steps
- MFA bypass capabilities using adversary-in-the-middle (AiTM) proxies that relay authentication sessions in real time, capturing both credentials and session tokens before the victim completes login
- Bulk messaging capabilities allowing operators to send hundreds of thousands of phishing messages per campaign from rotating sending identities
The shift toward iMessage and RCS delivery is operationally significant. Traditional SMS phishing is increasingly filtered by carriers and security platforms that have built pattern-recognition into network-level spam systems. iMessage and RCS lack equivalent filtering infrastructure — Apple and Google have less visibility into the content of these messages at scale — making them more reliable delivery channels for phishing lures that need to reach victims' phones.
AiTM (adversary-in-the-middle — a phishing technique where the attacker operates a reverse proxy that relays authentication traffic between the victim and the legitimate service, capturing session tokens in real time rather than just harvesting passwords) capabilities are now a standard feature in the Chinese-language PhaaS market, not a premium add-on. This means even organizations that have deployed MFA broadly are not protected from campaigns using these services without additional controls like phishing-resistant authentication.
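Why origin-bound authentication defeats a relay proxy, as an added example (not code from GTIG's report): a stand-in relying-party verifier modelled on WebAuthn's clientDataJSON checks, with a constructed relying party (login.example.com), a constructed lookalike proxy origin, and an HMAC standing in for the authenticator's asymmetric signature so it runs with the standard library alone.

```python
import hashlib, hmac, json, secrets

# Assumed relying party identity (constructed for this example).
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
# Stand-in for the authenticator's private key: real WebAuthn uses an asymmetric
# signature; an HMAC key shared with the RP keeps this runnable with the stdlib.
AUTHN_KEY = secrets.token_bytes(32)


def authenticator_assert(challenge, browser_origin):
    """Browser + authenticator: the browser, not the page, records the origin it
    is really on, and the authenticator signs over a hash of that record."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True).encode()
    # authenticatorData = sha256(rpId) || flags (user present) || signCount
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(AUTHN_KEY, signed, hashlib.sha256).digest()


def rp_verify(expected_challenge, client_data, auth_data, sig):
    """Relying-party checks in the order a WebAuthn verifier performs them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:  # origin binding: a proxied page fails here
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(AUTHN_KEY, signed, hashlib.sha256).digest(), sig)


def legitimate_login():
    challenge = secrets.token_urlsafe(32)
    return rp_verify(challenge, *authenticator_assert(challenge, RP_ORIGIN))


def aitm_relay():
    """Proxy relays the real challenge, but the victim's browser sits on the proxy's
    (constructed lookalike) origin, so that origin is what gets signed."""
    challenge = secrets.token_urlsafe(32)
    return rp_verify(challenge, *authenticator_assert(challenge, "https://login-example.net"))


def aitm_rewrite_origin():
    """Proxy rewrites clientDataJSON to claim the real origin; the signature no longer matches."""
    challenge = secrets.token_urlsafe(32)
    client_data, auth_data, sig = authenticator_assert(challenge, "https://login-example.net")
    forged = json.dumps({"type": "webauthn.get", "challenge": challenge,
                         "origin": RP_ORIGIN}, sort_keys=True).encode()
    return rp_verify(challenge, forged, auth_data, sig)
```

A real browser would refuse to produce an assertion scoped to login.example.com from the lookalike origin at all; the check is modelled at the relying party so the binding is visible in one place.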
// 02 The Broader Ecosystem Context
GTIG's analysis identifies structural similarities between the Chinese-language PhaaS ecosystem and the Russian-language underground that preceded it:
Specialization and division of labor. Chinese-language PhaaS platforms show a sophisticated division of labor: separate teams develop the phishing kits, manage infrastructure, handle customer support, and operate money mule networks. This mirrors the organizational maturity observed in Russian ransomware-as-a-service (RaaS) ecosystems over the past five years.
Tie-ins to the broader criminal ecosystem. GTIG notes that many Chinese-language PhaaS services are "likely tied intricately to the broader criminal ecosystem" in the region — meaning the credential theft feeds into financial fraud, account takeover, and identity theft operations that monetize the stolen data. The service providers do not merely sell access to the tool; they participate in the full monetization chain.
Lowering the barrier to entry. The availability of polished, feature-complete PhaaS platforms means that launching a credential theft campaign no longer requires technical skill in phishing kit development, infrastructure operation, or AiTM proxy management. A criminal with no coding ability can purchase a subscription and begin targeted campaigns within hours.
// 03 Exploitation Status and Threat Landscape
GTIG's report confirms that multiple Chinese-language PhaaS platforms have been actively used in campaigns targeting victims in the United States, United Kingdom, Australia, Canada, and across Southeast Asia. The operations are ongoing; this is not a historical or retrospective analysis but a current threat assessment.
The intersection with the Kali365 campaign reported separately by the FBI — also documented in this edition — is worth noting. While Kali365 is English-language in its marketing and targets Microsoft 365 specifically, the convergence of Chinese-language and English-language PhaaS ecosystems on similar AiTM and OTT delivery techniques suggests the underlying technology is being shared or independently converged upon by multiple threat actor communities.
MITRE ATT&CK technique T1566 (Phishing — using fraudulent messages to trick users into providing credentials or executing malicious code) and its sub-technique T1566.002 (Spearphishing Link — phishing messages containing malicious links) are the primary classification for these campaigns. The AiTM component maps to T1557 (Adversary-in-the-Middle — intercepting communication between two parties).
// 04 Who Is Affected
GTIG's analysis does not limit the targeting to any specific sector. The phishing lure libraries cover banks, government services, e-commerce platforms, parcel delivery notifications, and telecommunications providers — reflecting campaigns designed to reach broad consumer and small-business populations, not just enterprise targets.
Organizations and individuals who are at elevated risk include those in targeted geographies (US, UK, Australia, Canada, Southeast Asia) who use any of the common services being impersonated, and enterprise users whose personal mobile devices receive phishing messages that spill over into work account targeting.
// 05 What You Should Do Right Now
- Deploy phishing-resistant MFA for all critical accounts. FIDO2 hardware keys and platform authenticators (Face ID, Windows Hello) are resistant to AiTM attacks because they cryptographically bind the authentication to the specific website's domain — a spoofed or proxied page cannot satisfy the authentication challenge.
- Educate users on SMS and iMessage phishing. The shift to OTT delivery means phishing messages now arrive in the same channels as personal communications from contacts. Awareness training should address "smishing" (SMS-based phishing) and iMessage phishing specifically.
- Review conditional access policies for your identity providers. Ensure that sign-in from new devices, new locations, or unusual user agents triggers additional verification — this limits the window an attacker has to use captured session tokens before the session is flagged.
- Monitor for account access from unexpected locations. A captured session token used by an attacker will typically originate from a different geographic location or IP range than the victim's normal access pattern. Anomaly-based identity monitoring should flag these.
- Report phishing messages using your platform's native reporting tools. On iOS, use "Report Junk" for iMessage phishing. On Android, report spam via the Messages app. These reports help Apple and Google improve their detection systems.
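One way to implement the anomaly check described in the conditional-access and monitoring items above, as an added example that is not from GTIG's report: the sign-in events, their field names and the one-hour comparison window are constructed for this illustration and do not follow any real identity provider's log schema.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events in a generic JSON-lines shape (not any real IdP's schema).
SAMPLE_LOG = """
{"ts": "2025-06-02T08:01:10Z", "user": "a.lee", "session": "S1", "ip": "203.0.113.7", "country": "AU", "ua": "iPhone Safari", "event": "interactive_signin"}
{"ts": "2025-06-02T08:09:45Z", "user": "a.lee", "session": "S1", "ip": "198.51.100.23", "country": "NL", "ua": "Chrome Windows", "event": "token_use"}
{"ts": "2025-06-02T09:15:00Z", "user": "b.ng", "session": "S2", "ip": "192.0.2.40", "country": "US", "ua": "Chrome Windows", "event": "interactive_signin"}
{"ts": "2025-06-02T09:50:00Z", "user": "b.ng", "session": "S2", "ip": "192.0.2.41", "country": "US", "ua": "Chrome Windows", "event": "token_use"}
"""
WINDOW = timedelta(hours=1)  # compare token uses this long after the interactive sign-in


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def net24(ip):
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def session_anomalies(events, window=WINDOW):
    """Flag sessions whose later token use diverges from the interactive sign-in
    that created them on country, /24 source network or user agent; a token
    replayed through an AiTM proxy typically diverges on all three at once."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        base = next((e for e in evs if e["event"] == "interactive_signin"), None)
        if base is None:
            continue
        for e in evs:
            if e["event"] != "token_use" or e["ts"] - base["ts"] > window:
                continue
            reasons = []
            if e["country"] != base["country"]:
                reasons.append(f"country {base['country']}->{e['country']}")
            if net24(e["ip"]) != net24(base["ip"]):
                reasons.append(f"network {net24(base['ip'])}->{net24(e['ip'])}")
            if e["ua"] != base["ua"]:
                reasons.append(f"user_agent {base['ua']}->{e['ua']}")
            if reasons:
                findings.append({"session": sid, "user": e["user"], "reasons": reasons})
    return findings
```

Session S1 is flagged on all three dimensions, the pattern the monitoring item describes; S2 moves within one /24 on the same device and stays quiet.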
// 06 Background: Understanding the Risk
The maturation of the Chinese-language PhaaS ecosystem follows a trajectory that parallels Russian-language cybercrime evolution over the previous decade. In the mid-2010s, Russian-language underground markets professionalized ransomware and banking trojan operations into service-based businesses. The same organizational innovations — reusable code, support services, affiliate networks, and SLA-backed operational guarantees — are now visible in Chinese-language PhaaS.
GTIG's full analysis provides platform-by-platform detail on the dozen services reviewed, including the specific lure types, delivery methods, and geographic targeting of each. Threat intelligence teams should review this report alongside their existing Chinese-language threat actor tracking to assess whether campaigns targeting their industries are likely sourced from any of the documented platforms.
The broader implication for enterprise security is that phishing-as-a-service is now a global, multi-language, multi-ecosystem commodity. Defenses designed around the assumption that phishing requires technical sophistication from the attacker are no longer adequate. The relevant question is not whether phishing lures are technically sophisticated — they do not need to be when AiTM proxies handle the hard part — but whether the organization's authentication infrastructure can resist session token capture regardless of how the lure is delivered.
// 07 Conclusion
GTIG's analysis confirms that the Chinese-language PhaaS underground has matured into a peer of the Russian-language ecosystem it parallels, with a dozen documented platforms actively selling credential theft as a service globally. Phishing-resistant MFA is the most effective single control against the AiTM techniques these platforms use; organizations still relying on TOTP apps or SMS codes should accelerate migration to FIDO2 authentication for at least their highest-risk accounts.
For any query contact us at contact@cipherssecurity.com
