Darcula

Darcula is a Chinese-language phishing-as-a-service (PhaaS) platform used to run large-scale SMS phishing (smishing) campaigns against mobile phone users, including organizations (government, airlines) and services (postal, financial) worldwide. [1] [2] Darcula offers cybercriminals more than 20,000 counterfeit domains (to spoof brands) and over 200 templates. [1] [2] Darcula uses iMessage and RCS (Rich Communication Services) to steal credentials from Android and iPhone users. [3]

In May 2025, the Norwegian Broadcasting Corporation (NRK), in collaboration with BR, Le Monde, and the Norwegian cybersecurity company mnemonic, reported on Darcula. [4] [5] [6] [7] They reported that the group was able to steal a total of 884,000 credit cards from victims during a period of seven months between 2023 and 2024. They also claim that the software used by the group, Magic Cat, was developed by Yucheng C., a 24-year-old man from Henan, China. [8]

Operation

Darcula operates as a subscription-based PhaaS platform. Customers pay a monthly fee for access to Magic Cat, which provides an administrative panel, ready-made phishing templates and tooling to manage campaigns and stolen data. [3] [2]

Campaigns sent through Darcula typically begin with a text message claiming that a package cannot be delivered, that customs or toll fees are outstanding, or that another urgent payment is required. [6] Victims are directed to a phishing page that closely resembles the targeted brand’s website and are asked to provide personal details and payment-card information, which is relayed to operators in real time via the Magic Cat backend. [2]

Unlike many previous smishing operations, Darcula relies heavily on Apple iMessage and the RCS protocol in Google Messages instead of traditional SMS. [1] [2] Using these messaging channels allows the platform's messages to bypass SMS firewalls and some mobile carrier filtering, while avoiding the per-SMS charges that would normally apply to large campaigns. [1] [2] To work around iMessage safeguards that prevent links from unknown senders from being clicked, some Darcula messages instruct recipients to reply with a short confirmation such as "Y" or "1" and then reopen the conversation, which makes the embedded URL clickable. [1] [2]
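The lure traits described above (a parcel, customs or toll payment pretext, an embedded link, and a "reply Y, then reopen" instruction) can be turned into a simple triage heuristic for inbound messages. The following is an added example, not code from the article or from any vendor or research team it cites; the sample messages, the regular expressions, the weights and the threshold are all constructed for illustration.

```python
"""Heuristic triage of inbound messages for Darcula-style smishing lures.

Added example (not from the original article). It scores a message on the
traits the article describes: a delivery/customs/toll fee pretext, an
embedded link, urgency wording and a "reply Y and reopen" instruction used
to make a link from an unknown sender clickable. Weights and threshold are
illustrative assumptions, not a vendor's detection logic.
"""
import re
from dataclasses import dataclass, field

# Indicator patterns (constructed for this example).
URL_RE = re.compile(r"https?://\S+|\b[\w-]+\.[a-z]{2,}/\S*", re.I)
LURE_RE = re.compile(
    r"\b(package|parcel|delivery|deliver(ed)?|customs|toll|unpaid|fee|"
    r"redelivery|shipment)\b", re.I)
# "Reply Y" / "reply with 1" within a short distance of the word "reply".
REPLY_RE = re.compile(r"\breply\b[^.\n]{0,30}\b(y|yes|1)\b", re.I)
REOPEN_RE = re.compile(
    r"\b(re-?open|exit and (re)?open|close (this|the) message)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(within \d+ hours?|today|immediately|will be returned|suspended)\b",
    re.I)


@dataclass
class Verdict:
    score: int = 0
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold chosen so a single weak signal (e.g. a real delivery
        # notice mentioning "parcel" and "today") is not enough on its own.
        return self.score >= 3


def triage(text: str) -> Verdict:
    """Score one message; each indicator counts once regardless of hits."""
    v = Verdict()
    checks = [
        ("delivery/fee lure", LURE_RE, 1),
        ("embedded link", URL_RE, 1),
        ("reply-to-activate instruction", REPLY_RE, 2),
        ("reopen-conversation instruction", REOPEN_RE, 1),
        ("urgency", URGENCY_RE, 1),
    ]
    for name, pattern, weight in checks:
        if pattern.search(text):
            v.indicators.append(name)
            v.score += weight
    return v


# Constructed sample messages; ".example" is a reserved placeholder TLD.
SAMPLES = [
    ("Post office: your package could not be delivered because a customs "
     "fee is unpaid. Pay within 24 hours at https://parcel-fees.example/track "
     "or it will be returned. Reply Y and reopen this message to activate "
     "the link."),
    "Hi, are we still on for dinner at 7 tonight?",
    "Your parcel is out for delivery today. Track it in the app.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        v = triage(msg)
        print(f"score={v.score} suspicious={v.suspicious} {v.indicators}")
```

The third sample is a plausible legitimate carrier notification: it trips the lure and urgency patterns but has no link and no reply-to-activate instruction, so it stays below the threshold. The "reply Y" instruction carries the highest weight because, as the article notes, legitimate senders have no reason to ask a recipient to activate a link that way.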

The phishing infrastructure incorporates anti-analysis and anti-takedown techniques. Investigations have found that many Darcula phishing sites are hosted on purpose-registered domains that display an innocuous "domain for sale" or holding page at the root path, with the phishing content served instead from a secondary path such as /track. [1] [2]
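A defender reviewing a suspect domain can look for exactly this split: a holding page at the root and a form collecting payment-card or password fields on a secondary path. The following is an added example, not code from the article or from the investigations it cites. It works on HTML bodies that have already been fetched (the two sample sites below are constructed), so it runs offline; the holding-page markers and the list of sensitive field names are assumptions chosen for illustration.

```python
"""Flag domains whose root serves a benign holding page while a secondary
path serves a credential or payment-card form.

Added example (not from the original article). Input is a mapping of
path -> HTML body already retrieved by whatever fetcher the reader uses;
the sample bodies, marker strings and field names are constructed.
"""
from html.parser import HTMLParser

# Phrases typical of a parked/holding page (assumed list).
HOLDING_MARKERS = ("this domain is for sale", "domain for sale",
                   "buy this domain", "parked", "coming soon")
# Input names that indicate credential or card harvesting (assumed list).
SENSITIVE_FIELDS = {"card", "cardnumber", "card_number", "cvv", "cvc",
                    "expiry", "exp", "password", "passwd", "pin", "ssn"}


class PageScanner(HTMLParser):
    """Collects form count, sensitive input names and visible text."""

    def __init__(self):
        super().__init__()
        self.forms = 0
        self.sensitive_inputs = []
        self.text = []
        self._skip = False  # inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._skip = True
        elif tag == "form":
            self.forms += 1
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            autocomplete = a.get("autocomplete", "").lower()
            # Browsers' cc-* autocomplete tokens also mark card fields.
            if name in SENSITIVE_FIELDS or autocomplete.startswith("cc-"):
                self.sensitive_inputs.append(name or autocomplete)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def scan(html: str) -> dict:
    """Summarise one HTML body."""
    p = PageScanner()
    p.feed(html)
    text = " ".join(p.text).lower()
    return {
        "holding_page": p.forms == 0 and any(m in text for m in HOLDING_MARKERS),
        "forms": p.forms,
        "sensitive_inputs": p.sensitive_inputs,
    }


def classify(pages: dict) -> dict:
    """Flag the root-holding-page / secondary-path-form split."""
    root = scan(pages.get("/", ""))
    harvesting = [path for path, body in pages.items()
                  if path != "/" and scan(body)["sensitive_inputs"]]
    return {
        "flagged": root["holding_page"] and bool(harvesting),
        "root_is_holding_page": root["holding_page"],
        "harvesting_paths": harvesting,
    }


# Constructed sample site showing the split described in the article.
SUSPECT_SITE = {
    "/": ("<html><head><title>parcel-fees.example</title></head><body>"
          "<h1>This domain is for sale</h1><p>Contact the owner to buy this "
          "domain.</p></body></html>"),
    "/track": ('<html><body><h1>Customs fee payment</h1>'
               '<form method="post" action="/track/pay">'
               '<input name="fullname"><input name="card_number" '
               'autocomplete="cc-number"><input name="expiry">'
               '<input name="cvv"><button>Pay</button></form></body></html>'),
}
# Constructed legitimate site: a real login form at the root, no holding page.
LEGIT_SITE = {
    "/": ('<html><body><form action="/login"><input name="email">'
          '<input name="password"></form></body></html>'),
    "/track": ('<html><body><p>Enter your tracking number</p>'
               '<form><input name="tracking"></form></body></html>'),
}

if __name__ == "__main__":
    print(classify(SUSPECT_SITE))
    print(classify(LEGIT_SITE))
```

The check is deliberately conservative: a site whose root already carries a login or checkout form is not flagged even if a secondary path also collects card data, because that is how many legitimate sites are laid out. What distinguishes the pattern the article describes is the combination of a parked-looking root with a harvesting form hidden one path deeper.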

References

  1. "Darcula Phishing Network Leveraging RCS and iMessage to Evade Detection". The Hacker News.
  2. Toulas, Bill (27 March 2024). "New Darcula phishing service targets iPhone users via iMessage". BleepingComputer. Retrieved 17 November 2025.
  3. Leyden, John (27 March 2024). "'Darcula' Phishing-as-a-Service Operation Bleeds Victims Worldwide". Dark Reading. Retrieved 23 November 2025.
  4. "Inside the Scam Network". nrk.no.
  5. "The Chinese Scammers Behind the Fake DHL Messages". br.de.
  6. "« Votre colis n'a pas pu être livré » : enquête sur les arnaques à la carte bancaire par SMS". lemonde.fr.
  7. "Exposing Darcula: a rare look behind the scenes of a global Phishing-as-a-Service operation". mnemonic.io.
  8. "The Hunt for Darcula". nrk.no.