
Darcula adds AI to its DIY phishing kits • The Register



Darcula, a cybercrime outfit that offers a phishing-as-a-service kit to other criminals, this week added AI capabilities to its kit that help would-be vampires spin up phishing sites in multiple languages more efficiently.

Netcraft security researchers spotted the update on April 23 along with a demo video showing a cloned Google homepage and an attacker using the AI to generate a phishing form in Chinese, then add more fields and translate it into English. It’s not impossible to do the same by hand, but the automation makes it a little easier and faster.


First noted by researchers in 2023, the so-called Darcula suite (not a typo) is a phishing kit with pre-built templates that make it easy for users with no technical skills to impersonate the website of any brand – users simply provide a URL for any legitimate brand or service, and Darcula’s code downloads all of the assets from the legit website and creates a version that can be edited. Subscribers can then inject phishing forms or credential captures into the cloned website, which looks just like the original.

Plus, the phishing service uses iMessage and RCS rather than SMS to send text messages, which means the messages can bypass SMS firewalls.


Researchers say the new AI features take it up a notch by making it simple to generate phishing forms in any language and translate them for new locations. It also offers new tools for customizing input forms, and does a better job of maintaining the original site’s layout and visual styling with minimal input, according to Netcraft.

“This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customized scams in minutes,” Netcraft analyst Harry Everett said in a Thursday report.

“Darcula has continued to evolve into a sophisticated, subscription-based ecosystem with tooling and speed that rivals modern tech startups,” Everett wrote. 

The Chinese-language phishing service was first documented by security researcher Oshri Kalfon in July 2023, and Netcraft began tracking Darcula in March 2024.

At the time, the security shop warned that the operation had more than 20,000 phony domains that its subscribers could use to deploy branded phishing attacks at scale. In 2024, its operators boasted of having more than 200 phishing templates that mimicked a range of well-known brands in more than 100 countries.

Darcula got an upgrade earlier this year when its operators released version 3.0, which allowed criminals to create custom phishing templates for any brand rather than using the pre-built ones. 

“This customization enabled attackers to target niche and regional brands that had rarely been the target of phishing kits due to low awareness and reduced ROI,” Netcraft said in February. 

Automated tools may be one reason why the FBI’s most recent Internet Crime Complaint Center (IC3) report lists phishing and spoofing as the most frequently reported cybercrime last year. The IC3 logged 193,407 complaints from victims at a cost of more than $70 million. ®
