Darcula, a new sophisticated phishing-as-a-service (PhaaS) campaign, targets unsuspecting smartphone users globally. This new malicious campaign poses a significant threat to smartphone owners, especially iPhone users, as reports claim it has a network spanning over 20,000 domains and operations across more than 100 countries.
That scale has made Darcula a prominent threat in the cybercriminal landscape. Reports of its growing use in cybercriminal operations, including several high-profile cases, have raised concerns among researchers.
Darcula differs from conventional phishing kits in that it is built on modern technologies such as JavaScript, React, Docker, and Harbor. Combined, these components let the service push continuous updates and new features without requiring clients to reinstall their phishing kits.
The newly discovered Darcula PhaaS operation also uses a delivery tactic that makes it more threatening.
Darcula leverages the Rich Communication Services (RCS) protocol and iMessage, explicitly targeting users of Google Messages and Apple's iMessage. This sets the operation apart from traditional SMS-based phishing, since such messages bypass the filtering carriers apply to SMS.
In addition, Darcula offers an extensive arsenal of over 200 phishing templates covering many brands and organisations worldwide. The threat actors meticulously crafted these templates to impersonate legitimate entities, generating high-quality landing pages for specific locales with accurate language, logos, and content.
Furthermore, the campaign runs in a Docker environment: a fraudster selects the brand to impersonate and runs a setup script that deploys the corresponding phishing site together with its management dashboard.
The system also uses Harbor, an open-source container registry, to host the Docker images, and the phishing sites themselves are built with React to provide a seamless, responsive user experience.
Darcula PhaaS primarily uses the “.top” and “.com” top-level domains, with approximately one-third of these domains fronted by Cloudflare to evade detection and add credibility.
Researchers have identified over 20,000 Darcula domains across 11,000 IP addresses, with an alarming rate of roughly 120 new domains added daily. These findings make the operation the most concerning threat of recent weeks.
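The traits reported above (lures delivered over RCS/iMessage, brand-impersonating templates, heavy use of the .top TLD, and a constant stream of newly registered domains) are exactly what a defender can score on. The following triage script is an added example, not code from the original article or from any research team that analysed Darcula: it extracts URLs from a constructed set of inbound messages, collapses each host to its registered domain, looks up the domain's first-seen date in a constructed domain-intelligence table, and flags messages that combine a young domain, a suspect TLD and typical lure wording. All sample messages, domains, dates, keyword lists and score weights are assumptions chosen for illustration; a production version would replace the first-seen table with a passive-DNS or newly-registered-domain feed and use the Public Suffix List instead of the two-label simplification.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample: inbound RCS/iMessage lures as a SOC might export them.
# Not real Darcula data; texts and domains are made up for illustration.
SAMPLE_MESSAGES = [
    {"id": 1, "channel": "rcs",
     "text": "Your parcel is held. Pay the fee: https://example-post.top/redeliver"},
    {"id": 2, "channel": "imessage", "text": "Hi, are we still meeting at 5?"},
    {"id": 3, "channel": "rcs",
     "text": "Toll unpaid. Settle now at http://tollpay-service.com/pay?id=42"},
    {"id": 4, "channel": "imessage",
     "text": "Receipt: https://shop.example.com/order/991"},
]

# Constructed domain-intelligence table: first-seen date per registered domain.
# In practice this comes from a passive-DNS or newly-registered-domain feed.
FIRST_SEEN = {
    "example-post.top": date(2024, 3, 20),
    "tollpay-service.com": date(2024, 3, 25),
    "example.com": date(1995, 8, 14),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
SUSPECT_TLDS = {"top"}          # TLD the article reports as heavily used
NEW_DOMAIN_DAYS = 30            # assumed: younger than this counts as "new"
LURE_KEYWORDS = ("parcel", "redeliver", "toll", "fee", "pay", "held")  # assumed
FLAG_THRESHOLD = 3              # assumed score at which a message is flagged


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels.

    Simplification for the example: a real tool should use the Public Suffix
    List so that multi-label suffixes such as co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_message(msg: dict, today: date) -> dict:
    """Score one inbound message; a higher score means a more likely lure."""
    score = 0
    reasons = []
    domains = []
    for url in URL_RE.findall(msg["text"]):
        host = urlparse(url).hostname or ""
        if not host:
            continue
        dom = registered_domain(host)
        domains.append(dom)
        tld = dom.rsplit(".", 1)[-1]
        first_seen = FIRST_SEEN.get(dom)
        if first_seen is None:
            # No intelligence at all on the domain: mildly suspicious on its own.
            score += 1
            reasons.append(f"{dom}: no first-seen record")
        else:
            age = (today - first_seen).days
            if age <= NEW_DOMAIN_DAYS:
                score += 2
                reasons.append(f"{dom}: first seen {age} days ago")
        if tld in SUSPECT_TLDS:
            score += 1
            reasons.append(f"{dom}: .{tld} TLD")
    hits = [k for k in LURE_KEYWORDS if k in msg["text"].lower()]
    if hits:
        score += 1
        reasons.append("lure keywords: " + ", ".join(hits))
    return {"id": msg["id"], "domains": domains, "score": score, "reasons": reasons}


def triage(messages: list, today: date, threshold: int = FLAG_THRESHOLD) -> list:
    """Return the scored records for every message at or above the threshold."""
    scored = [score_message(m, today) for m in messages]
    return [s for s in scored if s["score"] >= threshold]


if __name__ == "__main__":
    for hit in triage(SAMPLE_MESSAGES, date(2024, 3, 28)):
        print(f"message {hit['id']} score={hit['score']}: {'; '.join(hit['reasons'])}")
```

With the constructed data, messages 1 and 3 are flagged (a days-old domain plus lure wording, and in message 1 the .top TLD as well), while the legitimate receipt on a decades-old domain scores zero. The point of the weighting is that no single signal is decisive: .com is also the campaign's second most common TLD, so domain age and message content have to carry part of the score.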
Users must remain vigilant and adopt sound cybersecurity measures to mitigate the risks posed by sophisticated phishing operations like Darcula.