A cybercrime group known as Darcula has recently upgraded its phishing-as-a-service kit to incorporate artificial intelligence (AI) capabilities, enhancing the efficiency and reach of its phishing operations. Security researchers at Netcraft discovered the update on 23 April, alongside a demonstration video featuring a cloned Google homepage where the AI was used to swiftly generate a phishing form in Chinese, then expand it with additional fields and translate it into English.

Darcula, first identified by researchers in 2023, is a phishing toolkit designed to let users with little or no technical expertise impersonate legitimate business websites. The subscriber supplies the URL of a legitimate brand or service; the tool then downloads the authentic site's assets and produces an editable clone. This clone becomes the landing page of the phishing attack: the operator injects forms or fields that capture credentials while the page keeps the look and feel of the original.
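The pattern just described, a page that reuses a brand's own assets but carries a credential form the brand never served, is something a defender can check for mechanically. The following scanner is an added example written for this page; it is not code from Netcraft's research or from the Darcula kit. It assumes that a cloned page often keeps the genuine site's `<link rel="canonical">` (so the page's own hostname disagrees with the brand it claims to be) and that an injected form either posts to the phishing host itself or to a separate collector. The sample pages, and every hostname under `.example`, are constructed for the demonstration.

```python
"""Heuristic scan for credential-capturing forms on a cloned brand page.

Added example (not Netcraft's or the kit's code). Two signals are checked:
  1. a form that collects a password or similar secret posts to a host that
     is neither the page's own host nor the brand host named by the page's
     canonical link;
  2. the page's hostname differs from the brand host in its canonical link,
     which is what a cloned page that kept the original's <head> looks like.
Both are heuristics and assume the clone left the canonical link in place.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that indicate a secret is being collected (assumed list).
CREDENTIAL_FIELDS = ("password", "passwd", "otp", "cvv", "card", "ssn", "pin")


class _FormScanner(HTMLParser):
    """Collects the canonical link and every form with its input fields."""

    def __init__(self):
        super().__init__()
        self.canonical = None
        self.forms = []        # each: {"action": str, "fields": [(name, type)]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and a.get("rel", "").lower() == "canonical" and a.get("href"):
            self.canonical = a["href"]
        elif tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            self._current["fields"].append((name, a.get("type", "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _is_credential_field(name, typ):
    return typ == "password" or any(k in name for k in CREDENTIAL_FIELDS)


def scan_page(html, page_url):
    """Return findings for credential forms that look injected into a clone."""
    parser = _FormScanner()
    parser.feed(html)
    page_host = _host(page_url)
    brand_host = _host(parser.canonical) if parser.canonical else None
    findings = []
    for form in parser.forms:
        cred = [n for n, t in form["fields"] if _is_credential_field(n, t)]
        if not cred:
            continue                      # no secret collected, not of interest
        action = urljoin(page_url, form["action"])
        action_host = _host(action)
        reasons = []
        if action_host not in {page_host, brand_host}:
            reasons.append("credential form posts to foreign host %s" % action_host)
        if brand_host and page_host != brand_host and not page_host.endswith("." + brand_host):
            reasons.append("page host %s differs from canonical brand host %s"
                           % (page_host, brand_host))
        if reasons:
            findings.append({"action": action, "fields": cred, "reasons": reasons})
    return findings


# Constructed sample: a clone of the Google homepage (as in the demo video)
# served from a look-alike host, with an injected password form posting to
# the phishing host's own backend. Hostname is a placeholder.
CLONED_URL = "https://www-google-login.example/"
CLONED_PAGE = """<html><head><link rel="canonical" href="https://www.google.com/"></head>
<body><form action="/collect" method="post">
<input name="email" type="text"><input name="passwd" type="password"></form></body></html>"""

# Constructed sample: a page without a canonical link whose form posts
# straight to a separate collector host.
COLLECTOR_URL = "https://brand-login.example/"
COLLECTOR_PAGE = """<html><body><form action="https://collector.example/submit" method="post">
<input name="user"><input name="password" type="password"></form></body></html>"""

# Constructed sample of a genuine page: same-origin login form, canonical matches.
GENUINE_URL = "https://www.google.com/"
GENUINE_PAGE = """<html><head><link rel="canonical" href="https://www.google.com/"></head>
<body><form action="/signin" method="post"><input name="password" type="password"></form></body></html>"""

if __name__ == "__main__":
    for url, page in ((CLONED_URL, CLONED_PAGE), (COLLECTOR_URL, COLLECTOR_PAGE), (GENUINE_URL, GENUINE_PAGE)):
        print(url, scan_page(page, url))
```

The canonical-link signal disappears as soon as the operator strips the original `<head>`, so in practice this check belongs alongside domain-age, certificate and brand-similarity checks rather than on its own; it is useful precisely because a kit that copies assets wholesale tends to copy that metadata too.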

One distinctive feature of Darcula's service is its use of iMessage and Rich Communication Services (RCS) rather than traditional SMS to distribute phishing messages. Because those messages are not delivered over the SMS channel, they bypass SMS firewalls, the carrier-side filters that block bulk SMS spam, and so are more likely to reach potential victims.

Netcraft’s analysis highlights that the AI enhancements significantly reduce the technical skills needed to produce convincing phishing pages, enabling criminals to customise and deploy scams quickly across multiple languages and regions. The AI not only assists with form creation and translation but also preserves the original site's visual styling with minimal manual input.

Netcraft analyst Harry Everett commented in a report released on Thursday, “This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customised scams in minutes.” Everett further compared the sophistication and agility of Darcula’s subscription-based service to that of modern technology startups.

Darcula was originally identified as a Chinese-language phishing service by security researcher Oshri Kalfon in July 2023. Netcraft began tracking the toolkit extensively in March 2024, at which point the operation was known to maintain over 20,000 fake domains for its subscribers to carry out branded phishing attacks at scale. By 2024, the operators claimed to have amassed more than 200 phishing templates mimicking well-known brands across more than 100 countries.

Earlier this year, Darcula’s developers released version 3.0, adding the ability for users to create bespoke phishing templates targeting any brand. Netcraft noted that this capability allowed criminals to focus on niche and regional brands that had previously seen little phishing activity due to lower awareness and returns on investment.

The rise in automated phishing tools such as Darcula may contribute to the surge in phishing-related crime. The Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) indicated that phishing and spoofing were the most frequently reported types of cybercrime in the previous year, registering 193,407 complaints from victims. The financial losses reported in association with these crimes exceeded $70 million.

The Register's reporting on Darcula's evolving capabilities illustrates how cybercriminal ecosystems continue to develop sophisticated, scalable tools that drive the proliferation of phishing attacks globally.

Source: Noah Wire Services