The threat actors behind the Darcula phishing-as-a-service ( ) platform have updated their cybercrime suite to include generative artificial intelligence ( GenAI ) capabilities.
In a recent statement shared with The Hacker News, Netcraft stated that” this contrast lowers the technical challenge for creating phishing pages,” making it possible for less-tech-savvy criminals to create customized scams right away.
” The new AI-assisted features increase Darcula’s threat ability by simplifying the process of creating custom phishing sites with support for multiple languages and form generation — all without any programming knowledge.”
Darcula was by the security firm in March 2024 as a kit that used Apple iphone and RCS to deliver smishing emails to people who eluded legitimate post services like USPS to click fake links.
The Darcula PhaaS developers started testing a significant update earlier this year that made it possible for users to copy any manufacturer’s reputable website and make a phishing version.
embedded content ]
The phishing system, per PRODAFT, was created by a danger actor with the name LARVA-246 and is available for purchase on a Telegram channel called xxhcvv / darcula_channel. It shares the same functions and designs as another PhaaS known as .
According to estimates, Darcula, Lucid, and Lighthouse belong to a lightly connected crime habitat that is expanding outside of China, enabling risk stars to carry out different scams funded by money, such as those carried out by a .
According to Netcraft,” Darcula is one of the loosely affiliated Smishing-Triad communities known for mass-targeting individuals worldwide via SMS-based phishing ( smishing ) attacks.”
Darcula is convincing because it enables threat actors to create phishing pages and scale-up campaigns with little to no technical training.
The most recent addition to the spoofing kit, which was announced on April 23, 2025, is GenAI integration, which enables form field customization, phishing form generation in several languages, and phishing form translation into local languages.
Since March 2024, the cybersecurity firm has flagged over 90, 000 hacking regions, blocked almost 31, 000 IP addresses, and taken down more than 25, 000 Darcula sites.
Safety researcher Harry Everett said,” This kind of versatility means a beginner attacker can now create and build a customized phishing site in minutes.”