The cybercriminals behind the Darcula phishing-as-a-service (PhaaS) platform have introduced a powerful update to their toolkit, incorporating generative artificial intelligence (GenAI) features. This upgrade significantly lowers the technical barriers for attackers, enabling even those with limited technical skills to launch highly customized phishing campaigns in minutes.
According to a report from Netcraft shared with The Hacker News, the new AI-assisted tools amplify the threat potential of Darcula, streamlining the creation of phishing pages. With multi-language support and automatic form generation, attackers can now easily clone legitimate websites and tailor them to their scams, all without any coding knowledge.
What Makes Darcula More Dangerous?
First documented by cybersecurity experts in March 2024, Darcula was initially recognized for using smishing (SMS phishing) campaigns to trick users into clicking malicious links. These links typically masquerade as communications from postal services like USPS. Darcula’s ability to disguise itself as trusted entities made it a powerful tool for financially motivated cybercrime.
In a move that significantly upgraded its capabilities, Darcula’s operators began experimenting with a feature that allows users to replicate any legitimate website. This update, released in 2025, helps attackers quickly set up phishing sites that mirror well-known brands, creating an even more convincing scam.
The latest update, rolled out on April 23, 2025, brings GenAI integration into Darcula, allowing cybercriminals to generate phishing forms more easily. These forms can be customized and translated into local languages, making them even more effective in targeting global victims.
The GenAI-powered tools can now automatically generate various phishing forms from the attacker's input, allowing the rapid deployment of customized scams. Their multi-language support lets attackers create phishing pages that resonate with victims in different countries.
“Now, even novice cybercriminals with no programming skills can craft personalized phishing pages and launch them at scale in a matter of minutes,” said Harry Everett, a security researcher from Netcraft.
The Cybercrime Ecosystem Behind Darcula
The Darcula PhaaS platform is operated by a threat actor codenamed LARVA-246 and is marketed through a Telegram channel called xxhcvv / darcula_channel. Its features and templates closely resemble those of another PhaaS known as Lucid, and it is believed that both platforms, along with another service called Lighthouse, are part of a loosely connected cybercrime ecosystem.
This ecosystem, primarily based out of China, supports a variety of financially motivated scams, including those conducted by the Smishing Triad, a cluster of cybercriminals known for mass-targeting individuals with SMS phishing attacks globally.
What distinguishes Darcula from other phishing kits is its ease of use. It lets users with minimal technical expertise launch complex phishing campaigns, which sets it apart from traditional toolkits that require more advanced hacking skills.
Since its initial appearance in 2024, Darcula has been responsible for a significant number of phishing attacks. Netcraft, which has been actively tracking the platform, reported that it has taken down over 25,000 Darcula phishing pages, blocked nearly 31,000 IP addresses, and flagged more than 90,000 phishing domains associated with the platform.
These figures underscore the sheer scale of Darcula’s impact, with the platform enabling criminals to carry out large-scale phishing campaigns targeting users around the world.
What Does This Mean for Cybersecurity?
The integration of GenAI into phishing toolkits like Darcula represents a dangerous evolution in the cybercrime landscape. It marks a shift toward more sophisticated, accessible, and customizable phishing attacks. With these updates, even low-skilled attackers can now conduct highly effective phishing campaigns, posing a serious threat to organizations and individuals alike.
As phishing tactics continue to evolve, cybersecurity professionals must stay vigilant, adopting advanced detection systems that can identify and block these increasingly sophisticated threats. Moreover, the rise of platforms like Darcula serves as a reminder of the growing need for global collaboration in the fight against cybercrime.