Darcula Phishing Service Now Weaponized with AI
The Darcula phishing-as-a-service platform just got a whole lot more dangerous. Cybercriminals using the service now have access to generative AI tools, making it easier than ever to craft convincing and personalized phishing attacks.

Netcraft, in a new report shared with The Hacker News, says this is a big deal. "This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customized scams in minutes," the company explained.
Basically, it's now easier than ever to create convincing phishing pages, even if you don't know how to code. The AI helps build tailored pages, supports multiple languages, and generates forms – all without needing any programming skills. Think of it as phishing for dummies, but with AI superpowers!
Darcula first surfaced back in March 2024. It was already using sneaky tactics like Apple iMessage and RCS to send smishing messages (that's phishing via SMS) designed to trick people into clicking fake links disguised as postal service notifications.
Earlier this year, the Darcula PhaaS operators started testing a major update, allowing customers to clone *any* brand's website and create a perfect phishing copy. Yikes.
According to PRODAFT, this kit is the handiwork of a threat actor called LARVA-246, who sells it through a Telegram channel. It even shares features and templates with another PhaaS called Lucid.
It's believed that Darcula, Lucid, and Lighthouse are all part of a larger, interconnected cybercrime network originating in China. This network allows bad actors to launch financially motivated scams, like those carried out by a group known as Smishing Triad.
"Darcula is one of several communities under the loosely affiliated Smishing-Triad, known for mass-targeting individuals globally via SMS-based phishing (smishing) attacks," Netcraft notes. The appeal of Darcula lies in its ease of use, even for those without technical expertise.
The most recent upgrade, announced on April 23, 2025, is the GenAI integration. This lets users generate phishing forms in different languages, customize form fields, and translate forms into local languages. It's all about making the scams more convincing and harder to spot.
On the bright side, the good guys are fighting back. Netcraft reports that it has taken down over 25,000 Darcula pages, blocked nearly 31,000 IP addresses, and flagged over 90,000 phishing domains since March 2024.
"This kind of flexibility means a novice attacker can now build and deploy a customized phishing site in minutes," says security researcher Harry Everett. So, stay vigilant out there!