
The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released a new update to the cybercrime suite with generative artificial intelligence (GenAI) capabilities.
“This addition will reduce the technical barriers to creating phishing pages and allow tech-savvy criminals to deploy customized scams in minutes,” Netcraft said in a new report shared with Hacker News.
“The new AI-assisted feature amplifies the potential threats of Darcula by simplifying the process of building tailored phishing pages with multi-language support and form generation.”

Darcula was first documented by the cybersecurity company in March 2024 as a toolkit that leverages Apple iMessage and RCS to send smishing messages to users, luring recipients into clicking fake links under the guise of postal services like USPS.
Earlier this year, the operators of the Darcula PhaaS began testing a major update that allows customers to clone a brand's legitimate website and create a phishing version of it.
The phishing kit, per PRODAFT, is the work of a threat actor tracked under a codename, and is sold via a Telegram channel named XXHCVV/Darcula_Channel. It shares the same functionality and templates as another PhaaS called Lucid.
Darcula, Lucid, and Lighthouse are assessed to be part of a thriving, loosely connected cybercrime ecosystem from China that enables a variety of financially motivated fraud, including the threat activity carried out by an activity cluster called the Smishing Triad.
“Darcula is one of several communities under the loosely related Smishing Triad, known for attracting massive targets worldwide through SMS-based phishing attacks,” says Netcraft.
What makes Darcula attractive is that it makes it easy for threat actors with little technical expertise to create phishing pages and run campaigns at scale.

The latest improvements to the phishing kit, announced on April 23, 2025, take the form of GenAI integration, which facilitates the generation of phishing forms in a variety of languages, the customization of form fields, and the translation of phishing forms into local languages.
The cybersecurity company said it has taken down more than 25,000 Darcula pages, blocked nearly 31,000 IP addresses, and flagged more than 90,000 phishing domains since March 2024.
“This kind of flexibility means that beginner attackers can build and deploy customized phishing sites in minutes,” said security researcher Harry Everett.