Darcula
Darcula is a Chinese-language cybercriminal phishing-as-a-service (PhaaS) operation, also referred to in reporting as Magic Cat and the Smishing Triad. The group is associated with large-scale smishing and phishing campaigns delivered over SMS and modern messaging platforms, including Apple iMessage and Google Messages. Google Threat Intelligence Group assessed that Darcula accounted for 80% of all phishing text messages in the United States during a peak period, and Google filed civil litigation to disrupt the group and seize its infrastructure. The lawsuit names Chinese national Yucheng Chang as the group's leader, along with 24 other members.

The operation sells phishing tooling that lowers the barrier for low-skill scammers. Darcula reportedly used software called Magic Cat and a malicious suite called Outsider, with more than 290 prebuilt templates impersonating financial services providers, phone service providers, government agencies, retailers, USPS, IRS, E-ZPass, and other trusted entities. Its infrastructure has been linked to over 1.59 million malicious URLs observed between November 14, 2025 and April 14, 2026. The platform reportedly offered subscription access, customer support, tutorials, Telegram-based commercialization, dashboards with real-time victim metrics, and phishing pages capable of capturing credentials, payment card data, CVV values, personal information, one-time passwords, and MFA codes.

Darcula also reportedly added generative AI capabilities for generating phishing forms in multiple languages, customizing forms, and translating them into local languages. Google alleged that the operation abused Gemini to generate and refine phishing websites and provided tutorials showing customers how to use Gemini prompts to create scam pages. The tooling allegedly enabled users with little or no technical knowledge to launch polished phishing sites at scale.

Darcula has been used in campaigns targeting government organizations, airlines, postal services, and financial services in more than 100 countries. Group-IB observed infrastructure and characteristics associated with Darcula in global fake shipment tracking campaigns, although it did not definitively attribute that activity to a single actor. Reported tactics and techniques include mass SMS smishing, impersonation of courier and government brands, mobile-optimized phishing pages, sender spoofing, counterfeit and typosquatted domains, embedded credential-harvesting scripts, persistent WebSocket connections, real-time keylogging, UUID-based victim session tracking, and theft of payment data for downstream fraud, including digital wallet provisioning and unauthorized purchases.
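The tradecraft listed above (mass SMS lures, impersonation of USPS, IRS and E-ZPass, typosquatted domains) is what a defender actually sees first in user-reported texts. The following is an added triage example written for this page; it is not Darcula tooling, Google's or Group-IB's code, or a Mallory feature. It extracts URLs from SMS text, flags registrable domains that embed or sit within one edit of a brand name, and scores lures for pressure language. The brand list, the urgency terms and the sample messages are constructed for illustration; the lookalike domains use the reserved `.example` TLD so that nothing points at a real host.

```python
"""Heuristic triage of user-reported smishing texts (added example, constructed data)."""
import re
from urllib.parse import urlsplit

# Brand token -> assumed legitimate registrable domain. Constructed for this example;
# E-ZPass is operated per state, so it is matched by token only (no single canonical domain).
BRAND_DOMAINS = {
    "usps": "usps.com",
    "irs": "irs.gov",
    "ezpass": None,
}

# Pressure phrases typical of courier/toll/tax lures (constructed list, extend from your own reports).
URGENCY_TERMS = ("unpaid", "suspended", "immediately", "final notice", "redeliver", "toll", "verify")

URL_RE = re.compile(r"https?://[^\s<>'\"]+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches one-character typosquats such as a digit swapped for a letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Last two host labels. Simplification: multi-label public suffixes (e.g. co.uk) are not handled."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def classify_domain(domain: str) -> str:
    """Return 'legit', 'lookalike:<brand>' or 'unknown' for a registrable domain."""
    sld = domain.split(".")[0]
    compact = sld.replace("-", "").replace("_", "")
    for brand, legit in BRAND_DOMAINS.items():
        if legit is not None and domain == legit:
            return "legit"
        # Brand token at the start or end of the label ("usps-redelivery", "ezpass-tollservices").
        if compact.startswith(brand) or compact.endswith(brand):
            return f"lookalike:{brand}"
        # One edit away from the real label ("usp5" vs "usps").
        if legit is not None and levenshtein(sld, legit.split(".")[0]) <= 1:
            return f"lookalike:{brand}"
    return "unknown"


def triage(message: str) -> dict:
    """Extract URLs, classify their domains and combine with urgency cues into a verdict."""
    urls = URL_RE.findall(message)
    domains = {registrable_domain(u): classify_domain(registrable_domain(u)) for u in urls}
    lower = message.lower()
    urgency = [t for t in URGENCY_TERMS if t in lower]
    lookalikes = [d for d, v in domains.items() if v.startswith("lookalike")]
    if lookalikes:
        verdict = "likely-smishing"
    elif urls and any(v == "unknown" for v in domains.values()) and urgency:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"urls": urls, "domains": domains, "urgency": urgency, "verdict": verdict}


# Constructed sample texts; the first three mimic the lure styles described in reporting.
SAMPLE_MESSAGES = [
    "USPS: your parcel is on hold. Redeliver at https://usps-redelivery.example/track?id=8841",
    "E-ZPass final notice: unpaid toll balance. Pay at https://ezpass-tollservices.example/pay",
    "IRS refund pending. Verify your bank details: https://usp5.example/refund",
    "Your one-time passcode is 483921. Do not share it with anyone.",
    "Track your package at https://www.usps.com/ after 9pm.",
]


def triage_all(messages=SAMPLE_MESSAGES):
    return [triage(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, triage_all()):
        print(f"{result['verdict']:16} {result['domains']} | {msg[:50]}")
```

The token and edit-distance checks are deliberately cheap so they can run on every reported message; in production, replace the two-label domain split with a public-suffix list and treat a "lookalike" hit as a reason to pull the page, not as proof, since legitimate third-party brand domains will also trigger the token rule.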
Targeting
Who, where, and (when attributed) which flag flies behind the operation, pulled from open-source reporting and analyst review.
Where they target (geographies tied to known operations):
- 🇺🇸 United States
Where they're from (attributed origin per open-source reporting):
- CN
Tradecraft
3 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
5 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
A prominent Chinese-language phishing operation associated with large-scale phishing text campaigns, including a substantial share of phishing texts targeting users in the United States.
A Chinese-language phishing-as-a-service platform potentially involved in fake shipment tracking phishing campaigns, offering large-scale counterfeit domains and phishing templates commercialized via Telegram for global phishing operations.
A Chinese-speaking cybercrime group. Using phishing-as-a-service (PhaaS), it runs large-scale smishing (SMS phishing) that impersonates public and semi-public services such as E-ZPass to lure victims to fake sites, leading to theft of payment and authentication data and to fraudulent transfers.
China-based smishing/phishing operation conducting large-scale impersonation campaigns (e.g., E‑ZPass and USPS) using phishing-as-a-service tooling and purchased phishing kits to harvest credentials and steal funds.