2 Sources
[1]
Darcula adds AI to its DIY phishing kits
Because coding phishing sites from scratch is a real pain in the neck
Darcula, a cybercrime outfit that offers a phishing-as-a-service kit to other criminals, this week added AI capabilities to its kit that help would-be vampires spin up phishing sites in multiple languages more efficiently.
Netcraft security researchers spotted the update on April 23 along with a demo video showing a cloned Google homepage and an attacker using the AI to generate a phishing form in Chinese, then add more fields and translate it into English. It's not impossible to do the same by hand, but the automation makes it a little easier and faster.
First noted by researchers in 2023, the so-called Darcula suite (not a typo) is a phishing kit with pre-built templates that make it easy for users with no technical skills to impersonate the website of any brand - users simply provide a URL for any legitimate brand or service, and Darcula's code downloads all of the assets from the legit website and creates a version that can be edited. Subscribers can then inject phishing forms or credential captures into the cloned website, which looks just like the original. Plus, the phishing service uses iMessage and RCS rather than SMS to send text messages, which means the messages can bypass SMS firewalls.
Researchers say the new AI features take it up a notch by making it simple to generate phishing forms in any language and translating them for new locations. It also offers new tools for customizing input forms, and does a better job of maintaining the original site's layout and visual styling with minimal input, according to Netcraft.
"This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customized scams in minutes," Netcraft analyst Harry Everett said in a Thursday report.
"Darcula has continued to evolve into a sophisticated, subscription-based ecosystem with tooling and speed that rivals modern tech startups," Everett wrote.
The Chinese-language phishing service was first documented by security researcher Oshri Kalfon in July 2023, and Netcraft began tracking Darcula in March 2024. At the time, the security shop warned that the operation had more than 20,000 phony domains that its subscribers could use to deploy branded phishing attacks at scale. In 2024, its operators boasted of having more than 200 phishing templates that mimicked a range of well-known brands in more than 100 countries.
Darcula got an upgrade earlier this year when its operators released version 3.0, which allowed criminals to create custom phishing templates for any brand rather than using the pre-built ones. "This customization enabled attackers to target niche and regional brands that had rarely been the target of phishing kits due to low awareness and reduced ROI," Netcraft said in February.
Automated tools may be one reason why the FBI's most recent Internet Crime Complaint Center (IC3) report lists phishing and spoofing as the most frequently reported cybercrime last year. The IC3 logged 193,407 complaints from victims at a cost of more than $70 million.
[2]
Darcula Adds GenAI to Phishing Toolkit, Lowering the Barrier for Cybercriminals
The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities.
"This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customized scams in minutes," Netcraft said in a new report shared with The Hacker News. "The new AI-assisted features amplify Darcula's threat potential by simplifying the process to build tailored phishing pages with multi-language support and form generation -- all without any programming knowledge."
Darcula was first documented by the cybersecurity company in March 2024 as a toolkit that leveraged Apple iMessage and RCS to send smishing messages to users that trick recipients into clicking on bogus links under the guise of postal services like USPS. Earlier this year, the operators of Darcula PhaaS began testing a major update that enabled customers to clone any brand's legitimate website and create a phishing version.
The phishing kit, per PRODAFT, is the work of a threat actor codenamed LARVA-246, and is advertised for sale via a Telegram channel named xxhcvv / darcula_channel. It shares identical features and templates with another PhaaS referred to as Lucid. Darcula, Lucid, and Lighthouse are assessed to be part of a loosely connected cybercrime ecosystem flourishing out of China, enabling threat actors to pull off various financially motivated scams such as those perpetrated by an activity cluster dubbed Smishing Triad.
"Darcula is one of several communities under the loosely affiliated Smishing-Triad, known for mass-targeting individuals globally via SMS-based phishing (smishing) attacks," Netcraft said.
What makes Darcula compelling is that it makes it possible for threat actors with little to no technical expertise to easily craft phishing pages and conduct campaigns at scale.
The latest improvement to the phishing kit, announced on April 23, 2025, takes the form of GenAI integration that facilitates phishing form generation in various languages, form field customisation, and translation of phishing forms into local languages. The cybersecurity company said it has taken down more than 25,000 Darcula pages, blocked nearly 31,000 IP addresses, and flagged over 90,000 phishing domains since March 2024. "This kind of flexibility means a novice attacker can now build and deploy a customized phishing site in minutes," security researcher Harry Everett said.
Darcula, a phishing-as-a-service platform, has integrated AI features into its toolkit, making it easier for cybercriminals to create sophisticated phishing sites in multiple languages with minimal technical skills.
Darcula, a notorious cybercrime outfit offering phishing-as-a-service (PhaaS), has recently upgraded its toolkit with artificial intelligence capabilities. This development, spotted by Netcraft security researchers on April 23, 2025, marks a significant evolution in the landscape of cybercrime tools [1].
The new AI features in Darcula's kit are designed to streamline the process of creating phishing sites. Cybercriminals can now:
These enhancements significantly lower the technical barrier for creating sophisticated phishing pages. Harry Everett, a Netcraft analyst, emphasized that "less tech-savvy criminals [can now] deploy customized scams in minutes" [2].
First documented in 2023, Darcula has rapidly evolved into a sophisticated, subscription-based ecosystem. Key features include:
The release of version 3.0 earlier in 2025 allowed criminals to create custom phishing templates for any brand, expanding potential targets to include niche and regional brands [1].
Darcula is part of a larger, loosely connected cybercrime ecosystem originating from China. It shares similarities with other PhaaS platforms like Lucid and Lighthouse, collectively known as the "Smishing Triad" [2]. This group is notorious for conducting mass-targeting SMS-based phishing (smishing) attacks globally.
The FBI's Internet Crime Complaint Center (IC3) reported phishing and spoofing as the most frequently reported cybercrimes in 2024, with 193,407 complaints costing victims over $70 million [1]. In response to the Darcula threat, Netcraft has been actively combating its spread:
The integration of AI into phishing kits like Darcula represents a significant escalation in the sophistication of cybercrime tools. It underscores the need for enhanced cybersecurity measures and user awareness to combat increasingly convincing phishing attempts. As these tools become more accessible to non-technical criminals, the potential for widespread phishing campaigns grows, posing a greater threat to individuals and organizations alike.
Summarized by
Navi