The operators behind the Darcula phishing-as-a-service (PhaaS) platform are preparing to release a new version, enabling potential customers and cybercriminals to clone the legitimate website of any brand and create a phishing version. This development further reduces the technical expertise required to carry out large-scale phishing attacks.
The latest iteration of the phishing suite represents a significant shift in the capabilities of malicious actors, lowering the barrier to entry for them to target any brand using complex and customizable phishing campaigns, according to Netcraft’s analysis.
Since its initial exposure in late March 2024, the cybersecurity company has detected and blocked over 95,000 new Darcula phishing domains, nearly 31,000 IP addresses, and taken down more than 20,000 fraudulent websites.
The most significant change in Darcula is the ability for users to generate a phishing kit for any brand on demand.
In a post made on January 19, 2025, in a Telegram channel with over 1,200 subscribers, the core developers behind the service stated, “The new and remastered version is now ready for testing.”
They also mentioned, “Now, you can also customize the front-end yourself. Using darcula-suite, you can complete the production of a front-end in 10 minutes.”
To achieve this, a customer simply needs to provide the URL of the brand to be impersonated in a web interface. The platform utilizes a browser automation tool like Puppeteer to export the HTML and all necessary assets.
Users can then select the HTML element to replace and inject the phishing content, such as payment forms and login fields, to match the look and feel of the branded landing page. The generated phishing page is then uploaded to an admin panel.
According to security researcher Harry Freeborough, “Like any Software-as-a-Service product, the darcula-suite PhaaS platform provides admin dashboards that make it simple for fraudsters to manage their various campaigns.”
“Once generated, these kits are uploaded to another platform where criminals can manage their active campaigns, find extracted data, and monitor their deployed phishing campaigns.”
Besides featuring dashboards that highlight the aggregated performance statistics of the phishing campaigns, Darcula v3 offers a way to convert stolen credit card details into a virtual image of the victim’s card that can be scanned and added to a digital wallet for illicit purposes. The cards are loaded onto burner phones and sold to other criminals.
The tool is currently in the internal testing stage. In a follow-up post dated February 10, 2025, the malware author posted the message: “I have been busy these days, so the v3 update will be postponed for a few days.”
