The threat actors behind the Darcula phishing-as-a-service ( PhaaS ) platform appear to be working on a new version that makes it easier for cyber criminals and prospective customers to clone any brand’s legitimate website and create a phishing version, further reducing the technical expertise needed to carry out phishing attacks at scale.
In a recent study, Netcraft stated that the most recent incarnation of the hacking suite “represents a major shift in legal capabilities, lowering the barrier to entry for bad actors to target any brand with complex, personalized phishing campaigns.”
The security company said it has detected and blocked more than 95, 000 new Darcula hacking domains, almost 31, 000 IP addresses, and taken down more than 20, 000 fraudulent websites since it was in late March 2024.
The biggest addition to Darcula is the potential for any person to create a hacking system for any brand in an on-demand manner.
” The new and enhanced edition is now available for testing”, the main programmers behind the company said in a post made on January 19, 2025, in a Telegram channel that has over 1, 200 subscribers.
” Now, you can also customize the front-end yourself. Using darcula-suite, you can complete the production of a front-end in 10 minutes”.
All a customer needs to do is enter the brand’s URL in a web interface, and the platform will export the HTML and all necessary assets using a browser-automation tool like Puppeteer.
Users can then choose the HTML element to replace the phishing content ( such as login fields and payment forms ) so that it resembles the branded landing page’s design and feel. An admin panel is then given access to the generated phishing page.
” Like any Software-as-a-Service product, the darcula-suite PhaaS platform provides admin dashboards that make it simple for fraudsters to manage their various campaigns”, security researcher Harry Freeborough said.
” Once generated, these kits are uploaded to another platform where criminals can manage their active campaigns, find extracted data, and monitor their deployed phishing campaigns”.
Darcula v3 goes a step further by enabling the conversion of the stolen credit card details into a virtual image of the victim’s card that can be for illicit purposes in addition to the dashboards that highlight the aggregated performance statistics of the phishing campaigns. Specifically, the cards are loaded onto burner phones and sold to other criminals.
The tool is reportedly in internal testing at the moment. In a follow-up post dated February 10, 2025, the malware author posted the message:” I have been busy these days, so the v3 update will be postponed for a few days”.