Software:Darcula

Darcula is a Chinese-language phishing-as-a-service (PhaaS) platform used to run large-scale SMS phishing (smishing) campaigns against mobile phone users, including organizations (government, airlines) and services (postal, financial) worldwide.[1][2] Darcula offers cybercriminals more than 20,000 counterfeit domains (to spoof brands) and over 200 templates.[1][2] Darcula uses iMessage and RCS (Rich Communication Services) to steal credentials from Android and iPhone users.[3]

In May 2025, the Norwegian Broadcasting Corporation (NRK), in collaboration with BR, Le Monde, and the Norwegian cybersecurity company mnemonic, reported on Darcula.[4][5][6][7] They reported that the group was able to steal a total of 884,000 credit cards from victims during a period of seven months between 2023 and 2024. They also claimed that the software used by the group, Magic Cat, was developed by Yucheng C., a 24-year-old man from Henan, China.[8]

Operation

Darcula operates as a subscription-based PhaaS platform. Customers pay a monthly fee for access to Magic Cat, which provides an administrative panel, ready-made phishing templates and tooling to manage campaigns and stolen data.[3][2]

Campaigns sent through Darcula typically begin with a text message claiming that a package cannot be delivered, that customs or toll fees are outstanding, or that another urgent payment is required.[6] Victims are directed to a phishing page that closely resembles the targeted brand’s website and are asked to provide personal details and payment-card information, which is relayed to operators in real time via the Magic Cat backend.[2]

Unlike many previous smishing operations, Darcula relies heavily on Apple iMessage and the RCS protocol in Google Messages instead of traditional SMS.[1][2] Using encrypted messaging channels allows the platform’s messages to bypass SMS firewalls and some mobile carrier filtering, while avoiding per-SMS charges that would normally apply to large campaigns.[1][2] To work around iMessage safeguards that prevent links from unknown senders being clicked, some Darcula messages instruct recipients to reply with a short confirmation such as “Y” or “1” and then reopen the conversation, which makes the embedded URL clickable.[1][2]
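A triage check for user-reported messages, built on the message patterns described above (an added example, not taken from the cited reports or from any Darcula tooling). The regular expressions, signal names and the three-level policy are assumptions, and the sample messages and .example domains are constructed.

```python
import re

# Opening themes the article lists: undeliverable package, customs or toll fees, urgent payment.
LURE = re.compile(r"\b(package|parcel|deliver(?:y|ed)|customs|toll|unpaid|outstanding)\b", re.I)
# Request to answer with a short token such as "Y" or "1".
REPLY = re.compile(r"\b(?:reply|respond|answer)\b[^.\n]{0,20}?\b(?:y|yes|1)\b", re.I)
# Request to leave and reopen the conversation afterwards.
REOPEN = re.compile(r"\b(?:re-?open|exit|close)\b[^.\n]{0,60}\b(?:message|text|conversation|link)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def signals(msg):
    """Indicators found in one reported message (dict with channel, known_sender, body)."""
    body, found = msg["body"], set()
    for name, rx in (("url", URL), ("lure_theme", LURE),
                     ("reply_to_activate", REPLY), ("reopen_instruction", REOPEN)):
        if rx.search(body):
            found.add(name)
    if not msg["known_sender"]:
        found.add("unknown_sender")
    if msg["channel"] in ("imessage", "rcs"):
        found.add("imessage_or_rcs")  # context only: these channels bypass SMS firewalls
    return found

def verdict(msg):
    """Assumed policy: a link from an unknown sender is required before anything is flagged."""
    s = signals(msg)
    if not {"url", "unknown_sender"} <= s:
        return "low"
    if "reply_to_activate" in s:
        return "high"    # link plus "reply to activate" is the pattern described above
    return "medium" if "lure_theme" in s else "low"

# Constructed sample reports; .example domains are placeholders.
SAMPLES = [
    {"channel": "imessage", "known_sender": False, "body":
     "Postal notice: your package cannot be delivered. Update your address at "
     "https://parcel-redelivery.example/track (Reply Y, then exit the text message "
     "and reopen it to activate the link.)"},
    {"channel": "rcs", "known_sender": False, "body":
     "Toll notice: an outstanding fee is due today. Pay at https://toll-pay.example/track"},
    {"channel": "sms", "known_sender": True, "body":
     "Your parcel arrives tomorrow. Track it at https://shop.example/orders/1182"},
    {"channel": "sms", "known_sender": False, "body":
     "Reply 1 to stop receiving these texts."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(verdict(m), sorted(signals(m)))
```

The last sample shows why the reply instruction is not scored on its own: opt-out texts use the same wording without a link.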

The phishing infrastructure incorporates anti-analysis and anti-takedown techniques. Investigations have found that many Darcula phishing sites are hosted on purpose-registered domains that display an innocuous “domain for sale” or holding page on the front path, with the phishing content served instead from a secondary path such as /track.[1][2]

References

  1. "Darcula Phishing Network Leveraging RCS and iMessage to Evade Detection". https://thehackernews.com/2024/03/darcula-phishing-network-leveraging-rcs.html.
  2. Toulas, Bill (27 March 2024). "New Darcula phishing service targets iPhone users via iMessage". https://www.bleepingcomputer.com/news/security/new-darcula-phishing-service-targets-iphone-users-via-imessage/.
  3. Leyden, John (27 March 2024). "'Darcula' Phishing-as-a-Service Operation Bleeds Victims Worldwide". https://www.darkreading.com/endpoint-security/-darcula-phishing-as-a-service-operation-bleeds-victims-worldwide.
  4. "Inside the Scam Network". https://www.nrk.no/dokumentar/xl/inside-the-scam-network-1.17399135.
  5. "The Chinese Scammers Behind the Fake DHL Messages". https://www.br.de/nachrichten/deutschland-welt/the-chinese-scammers-behind-the-fake-dhl-messages,Uk3eWOB.
  6. "« Votre colis n'a pas pu être livré » : enquête sur les arnaques à la carte bancaire par SMS". https://www.lemonde.fr/pixels/article/2025/05/04/votre-colis-n-a-pas-pu-etre-livre-enquete-sur-les-arnaques-a-la-carte-bancaire-par-sms_6602832_4408996.html.
  7. "Exposing Darcula: a rare look behind the scenes of a global Phishing-as-a-Service operation". https://www.mnemonic.io/resources/blog/exposing-darcula-a-rare-look-behind-the-scenes-of-a-global-phishing-as-a-service-operation/.
  8. "The Hunt for Darcula". https://www.nrk.no/dokumentar/xl/the-hunt-for-darcula-1.17399157.