
The creators of the Darcula phishing-as-a-service (PhaaS) platform have reportedly developed a new version that enables users to clone any legitimate brand’s website in a matter of minutes, further lowering the technical skills required for large-scale phishing attacks.
According to a recent Netcraft analysis, the updated version of the platform marks a major change in criminal capabilities, making it easier for cybercriminals to launch complex, customized phishing campaigns targeting any brand.
According to Netcraft, more than 95,000 phishing domains related to Darcula have been detected and blocked, and over 31,000 IP addresses have been flagged. Since its discovery in late March 2024, over 20,000 fraudulent websites have been taken down.
One of the most significant updates in Darcula is the feature that allows anyone to create a phishing kit for any brand on demand. This change makes it even easier for fraudsters to deploy targeted phishing campaigns without needing technical expertise.
The platform’s developers recently announced in a Telegram channel (with over 1,200 subscribers) that the new version of Darcula is now ready for testing. A post from January 19, 2025, detailed that users can now customize the phishing page’s front end in just 10 minutes using the darcula-suite.
To generate the phishing page, users simply input the URL of the brand they wish to imitate. The platform uses automation tools like Puppeteer to extract the HTML and other necessary assets. From there, the user can modify HTML elements and insert phishing content, such as login fields or payment forms, to mirror the targeted brand’s website. The fake page is then uploaded to an admin panel.
“Similar to other Software-as-a-Service products, Darcula’s admin dashboard allows fraudsters to easily manage their campaigns,” said security expert Harry Freeborough.
Once the phishing kit is generated, cybercriminals can upload it to another platform to track their campaigns, extract data, and monitor their attacks. In addition to campaign statistics, Darcula v3 includes features that allow criminals to convert stolen credit card information into virtual images of the victims’ cards. These virtual cards can be added to digital wallets and used for illicit purposes, often sold to other criminals or loaded onto burner phones.
As of February 10, 2025, the update is still undergoing internal testing. The malware developer mentioned in a follow-up post that, due to personal time constraints, the release of the new version may be delayed for a few days.