Darcula Phishing Kit Linked to Chinese Threat Actor

The Chinese-operated, Chinese-language 'darcula' Phishing-as-a-Service (PhaaS) platform is actively targeting organizations across more than 100 countries, using sophisticated methods and a network of over 20,000 phishing domains.

'Darcula' is an advanced Phishing-as-a-Service (PhaaS) platform, utilizing over 20,000 phishing domains to facilitate cybercriminals in launching branded phishing campaigns. Differing from conventional methods, 'darcula' employs modern technologies like JavaScript, React, Docker, and Harbor, akin to those utilized by high-tech startups.

By delivering lures over iMessage and RCS instead of SMS, 'darcula' effectively bypasses SMS firewalls, enabling attacks that impersonate the USPS and other established organizations across 100+ countries. These attacks, known as 'smishing,' often involve messages about a 'missed package' to deceive users into handing over sensitive information under the guise of a legitimate postal service.

The 'darcula' platform has been implicated in numerous high-profile phishing incidents, including scams targeting both Apple and Android users in the UK, as well as fraudulent package schemes impersonating the United States Postal Service (USPS), which gained attention on Reddit's /r/phishing forum.

Operators utilizing 'darcula' distribute their malicious URLs primarily through RCS and iMessage, exploiting the trust associated with these platforms while evading certain network filters that typically block scam SMS messages.

This analysis delves into the mechanics of 'darcula,' highlighting its distinctive approach to phishing campaigns, particularly through text messages, and its effectiveness in extracting critical data from unsuspecting victims.

Darcula Offers Ready-Made Phishing Templates

'Darcula' represents a significant player in the cybercrime landscape, offering a subscription-based model for other criminals to easily deploy phishing sites targeting a wide array of global brands using hundreds of templates.

Unlike traditional phishing kits, 'darcula' phishing websites can seamlessly update to integrate new features and anti-detection measures, ensuring sustained efficacy in evading detection and enforcement efforts.

The platform boasts support for approximately 200 phishing templates, tailored to exploit trust in various brands spanning over 100 countries, predominantly focusing on postal services but also targeting entities reliant on consumer trust, such as utilities, financial institutions, government agencies, airlines, and telecom companies.

'Darcula' phishing attacks predominantly utilize purpose-registered domains, often mimicking legitimate brand names, with popular top-level domains including .top and .com. Cloudflare is a common infrastructure choice, recommended for masking server IP addresses, alongside Tencent, Quadranet, and Multacom.

Over 20,000 Domains Linked to Darcula

Netcraft has identified over 20,000 'darcula'-related domains across 11,000 IP addresses, targeting over 100 brands, with an average detection of 120 new domains hosting 'darcula' phishing pages daily since the beginning of 2024.

To evade monitoring and takedown efforts, 'darcula' sites typically display fake domain sale/holding pages on their front end. Additionally, the platform employs anti-bot measures, redirecting suspicious visitors to Google searches for various cat breeds, reflecting its cat-themed motif.
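The evasion behaviour described above (a holding page or a cat-breed Google redirect for suspected bots, a credential form for real visitors) is something a defender can triage for by comparing what a crawler sees with what a mobile client sees. The following is an added example, not code from the article or from Netcraft; the response formats, the holding-page markers and the sample responses are all constructed for illustration.

```python
# Added example (not part of the article): offline triage helpers for the
# visitor-dependent cloaking described above. All sample responses are constructed.
import re
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs


@dataclass
class Response:
    status: int
    location: str = ""  # Location header, if the response was a redirect
    body: str = ""      # HTML body, if any


# Constructed markers for a "domain for sale" / parking front page.
HOLDING_PAGE_MARKERS = ("this domain is for sale", "domain parking", "buy this domain")
FORM_FIELD_RE = re.compile(r"<input[^>]+(?:type=['\"]?password|name=['\"]?(?:card|cvv|ssn))")


def classify(resp: Response) -> str:
    """Label one HTTP response by the darcula-style behaviour it resembles."""
    if 300 <= resp.status < 400 and resp.location:
        u = urlparse(resp.location)
        query = parse_qs(u.query).get("q", [""])[0].lower()
        # Suspected-bot decoy: a redirect to a Google search for a cat breed.
        if u.netloc.endswith("google.com") and u.path == "/search" and "cat" in query:
            return "bot-decoy-redirect"
        return "redirect"
    body = resp.body.lower()
    if any(marker in body for marker in HOLDING_PAGE_MARKERS):
        return "holding-page"
    if FORM_FIELD_RE.search(body):
        return "credential-or-payment-form"
    return "other"


def triage(crawler_resp: Response, mobile_resp: Response) -> dict:
    """Compare the crawler's view with a mobile user's view of the same URL.

    Cloaking is suspected when the two views differ and the mobile client is
    served a form harvesting credentials or payment data.
    """
    crawler_label, mobile_label = classify(crawler_resp), classify(mobile_resp)
    return {
        "crawler": crawler_label,
        "mobile": mobile_label,
        "cloaking_suspected": crawler_label != mobile_label
        and mobile_label == "credential-or-payment-form",
    }
```

Fetching the two views (one request with a crawler user agent, one with a mobile user agent) is left to the caller; the functions only compare the responses.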

Unlike conventional SMS-based phishing attacks, 'darcula' lures predominantly use RCS and iMessage, exploiting these alternative messaging protocols for their wider reach and built-in encryption. Google's adoption of RCS as the default messaging protocol in 2023 and Apple's upcoming support for RCS on iOS in 2024 further amplify the effectiveness of 'darcula' phishing campaigns.

March 28, 2024
