2 PhaaS 2 Furious: The Evolution of Chinese-language Phishing Services

MITRE Techniques

• [T1566.002 ] Phishing: Spearphishing Link – Victims receive malicious links through encrypted messaging to lure them into entering credentials and OTPs (‘messages also contain more extensive engagement features… ideal for social engineering operations’ and ‘send encrypted messages in bulk’).
• [T1110 ] Brute Force – OTPs are captured in real time and used immediately to bypass authentication controls (‘the victim enters the code into the phishing page, and the attacker captures it seconds before it expires’).
• [T1056.004 ] Input Capture: Credential API Hooking / Web Session Interception – Live administrative panels display entered credentials instantly for attacker use (‘the data is displayed instantly on an administrative panel’).
• [T1556 ] Modify Authentication Process – Attackers use synchronized OTP requests and live interaction to defeat MFA (‘As the victim is prompted for an OTP, an attacker simultaneously triggers that same OTP request on their own device’).
• [T1027 ] Obfuscated Files or Information – Encrypted delivery channels and unique AI-generated pages make filtering and signature detection harder (‘protocols that use end-to-end encryption make it difficult’ and ‘each phishing page is unique’).
• [T1585 ] Establish Accounts – Operators create and manage new users and domains through the admin panel (‘panel administrators can create new operator users and assign them their permissions’ and ‘register and manage new domains’).
• [T1608.005 ] Stage Capabilities: Upload Malware – Phishing infrastructure is provisioned with hosted domains and pages for delivery (‘domains that can be purchased within the administration panel’).
• [T1222.001 ] File and Directory Permissions Modification – Anti-bot verification forces manual interaction before access, hindering automation (‘requiring a manual click to proceed’).