Darcula
Darcula is a phishing-as-a-service (PhaaS) platform used in large-scale smishing and phishing campaigns. Reporting describes it as a prominent Chinese-language phishing operation, also referred to as Magic Cat in some tracking, and links it to a broader China-based smishing ecosystem associated with the activity cluster known as Smishing Triad. PRODAFT attributes the kit to threat actor LARVA-246 and reports it is advertised via the Telegram channel "xxhcvv / darcula_channel." Darcula has been observed using Apple iMessage, RCS, Google Messages, and other messaging platforms to distribute phishing lures, often impersonating postal services such as USPS, and Google previously assessed Darcula or Magic Cat as accounting for 80% of phishing texts in the United States.
Darcula provides automated phishing page generation and website cloning capabilities. It can generate phishing pages from a supplied legitimate URL with matching HTML and CSS layouts, and later updates allowed customers to clone any brand’s legitimate website to create a phishing version. In 2025, operators added generative AI features that enable creation of customized, multi-language phishing forms, including form generation, field customization, and translation into local languages without coding skills. Google’s reporting on the related ecosystem also describes AI-assisted workflows in which generated code can be converted into fully functioning scam websites, lowering the barrier for low-skill operators.
The platform is associated with financially motivated credential theft and payment fraud. Supporting reporting states that phishing pages seek credit card data, account credentials, one-time passcodes, and other personal information; some campaigns use fake MFA pages and real-time operator interaction to capture authentication codes and bypass multifactor authentication. Stolen payment information has been used to provision cards into digital wallets for unauthorized purchases, and compromised brokerage credentials have been used in stock-manipulation-related fraud. Darcula is described as globally targeting individuals through mobile-focused phishing, with lures localized across languages and regions.
Reported infrastructure and scale indicators include Netcraft’s disruption metrics since March 2024: more than 25,000 Darcula pages taken down, nearly 31,000 associated IP addresses blocked, and over 90,000 phishing domains flagged. Additional reporting tied to the broader operation states that more than 1.59 million malicious URLs were detected over a five-month period and that millions of phishing messages were observed on Google Messages. Darcula also reportedly shares identical features and templates with another PhaaS platform called Lucid, and Netcraft assesses Darcula, Lucid, and Lighthouse as part of a loosely connected cybercrime ecosystem.
Groups observed using it
2 distinct threat actors attributed by public researchers.
The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic:
Initial Access (1 technique)
Execution (1 technique)
Stealth (1 technique)
Credential Access (1 technique)
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: IPs, domains, and DNS infrastructure linked to this family.
Recent activity
5 sources tracked across advisories, community write-ups, and news. Summaries from these sources:
- A prominent phishing operation associated with large-scale phishing text campaigns in the United States.
- A Chinese-language phishing-as-a-service platform that uses automated page generation to clone legitimate websites, supporting scalable phishing and real-time credential/token interception campaigns.
- Phishing-as-a-service platform that leverages generative AI to create convincing, multi-language phishing pages, primarily delivered via iMessage and RCS for smishing campaigns.
- Darcula is a phishing-as-a-service platform that enables users to easily generate sophisticated phishing pages, now enhanced with generative AI for multilingual and customizable attacks.