The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities.
"This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customized scams in minutes," Netcraft said in a fresh report shared with The Hacker News.
"The new AI-assisted features amplify Darcula's threat potential by simplifying the process to build tailored phishing pages with multi-language support and form generation — all without any programming knowledge."
Darcula was first documented by the cybersecurity company in March 2024 as a toolkit that leveraged Apple iMessage and RCS to send smishing messages to trick recipients into clicking on bogus links under the guise of postal services like USPS.
Earlier this year, the operators of Darcula PhaaS began testing a major update that enabled customers to clone any brand's legitimate website and create a phishing version.
The phishing kit, per PRODAFT, is the work of a threat actor codenamed LARVA-246, and is advertised for sale via a Telegram channel named xxhcvv / darcula_channel. It shares identical features and templates with another PhaaS referred to as Lucid.
Darcula, Lucid, and Lighthouse are assessed to be part of a loosely connected cybercrime ecosystem flourishing out of China, enabling threat actors to pull off various financially motivated scams such as those perpetrated by an activity cluster dubbed Smishing Triad.
"Darcula is one of several communities under the loosely affiliated Smishing Triad, known for mass-targeting individuals globally via SMS-based phishing (smishing) attacks," Netcraft said.
What makes Darcula compelling is that it makes it possible for threat actors with little to no technical expertise to easily craft phishing pages and conduct campaigns at scale.
The latest improvement to the phishing kit, announced on April 23, 2025, takes the form of GenAI integration that facilitates phishing form generation in various languages, form field customization, and translation of phishing forms into local languages.
The cybersecurity company said it has taken down more than 25,000 Darcula pages, blocked nearly 31,000 IP addresses, and flagged over 90,000 phishing domains since March 2024.
"This kind of flexibility means a novice attacker can now build and deploy a customized phishing site in minutes," security researcher Harry Everett said.
Darcula Used to Steal 884,000 Credit Cards#
A joint investigation from the Norwegian Broadcasting Corporation (NRK) and cybersecurity company Mnemonic has uncovered that the Darcula PhaaS operation is powered by another phishing toolkit named Magic Cat. Scammers using the toolkit are estimated to have stolen 884,000 credit cards across the world in a span of seven months.
More than 600 fraudsters are believed to be responsible for the smishing messages, with over 13 million people clicking on the links embedded in the bogus texts. In Norway alone, the links were clicked 138,000 times, out of which 19,000 people provided card details on the phishing pages.
"Magic Cat also streamed data entered by victims in real-time to the operators, allowing them to see character-by-character the data that was entered into the phishing sites," Mnemonic researchers Erlend Leiknes and Harrison Sand said. "It allows operators to also request PIN codes in real-time, easily integrate towards SMS gateways, amongst many other features."
Further analysis of the large-scale operation has determined that a 24-year-old Chinese national named Yucheng C. to be one of the key individuals behind the development of the Darcula/Magic Cat PhaaS kit.
The kit has been attributed to an unnamed company where Yucheng worked until recently, although it has denied it's scamming people. "We only sell the software that creates websites," the company was quoted as saying to NRK. "We do not encourage people to use it for phishing. We are involved in network security and fraud prevention."
(The story was updated after publication on May 6, 2025, to include new discoveries related to the Darcula phishing kit from NRK and Mnemonic.)
