The Chinese phishing-as-a-service (PhaaS) landscape has been rapidly growing in size and sophistication over the past few month, Google researchers have warned. Cyber threat actors operating mature phishing services, many of whom are likely tied to the broader Asian criminal ecosystem, have largely shifted from static password harvesting to real-time interception and tokenization. One group, operating the ‘Lighthouse’ SMS phishing (smishing) kit, was subject to a lawsuit filed by Google in November 2025. However, it was just the tip of the iceberg. In a new report published on May 25, Google Threat Intelligence Group (GTIG) said it observed at least a dozen other active PhaaS offerings in the Chinese underground. GITG noted that, while Russian-based PhaaS operations, the dominant market for phishing services, typically target customers of large organizations, Chinese-language phishing services cast a wider net, opportunistically targeting the general public. The report highlighted that nearly all organizations impersonated by these services are non-Chinese entities, suggesting operators deliberately avoid domestic targets. Top targeted countries include Japan, the US, Australia, Hong Kong and the United Arab Emirates. GTIG identified several notable tactics that set these Chinese-language operators apart. First, rather than relying on traditional SMS, Chinese phishing operators have shifted to encrypted messaging protocols like Rich Communication Services (RCS) and Apple iMessage to deliver phishing lures. The end-to-end encryption used by these protocols makes it significantly harder for infrastructure-level filters to detect and block malicious links, while their rich feature sets (e.g. read receipts, high-resolution media, typing indicators) make phishing messages appear far more convincing to potential victims. Read more: End‑to‑End Encrypted RCS Messaging Arrives Across iPhone and Android