Darcula
Chinese phishing-as-a-service platform
From Wikipedia, the free encyclopedia
Darcula is a Chinese-language phishing-as-a-service (PhaaS) platform used to run large-scale SMS phishing (smishing) campaigns against mobile phone users worldwide, impersonating organizations such as government agencies and airlines and services such as postal and financial providers.[1][2] Darcula offers cybercriminals more than 20,000 counterfeit domains for spoofing brands and over 200 phishing templates.[1][2] It delivers its lures over iMessage and RCS (Rich Communication Services) to steal credentials from Android and iPhone users.[3]
In May 2025, the Norwegian Broadcasting Corporation (NRK), in collaboration with BR, Le Monde, and the Norwegian cybersecurity company mnemonic, reported on Darcula.[4][5][6][7] They reported that the group had stolen a total of 884,000 credit cards from victims over a period of seven months between 2023 and 2024. They also claimed that the software used by the group, Magic Cat, was developed by Yucheng C., a 24-year-old man from Henan, China.[8]
Operation
Darcula operates as a subscription-based PhaaS platform. Customers pay a monthly fee for access to Magic Cat, which provides an administrative panel, ready-made phishing templates and tooling to manage campaigns and stolen data.[3][2]
Campaigns sent through Darcula typically begin with a text message claiming that a package cannot be delivered, that customs or toll fees are outstanding, or that another urgent payment is required.[6] Victims are directed to a phishing page that closely resembles the targeted brand’s website and are asked to provide personal details and payment-card information, which is relayed to operators in real time via the Magic Cat backend.[2]
Unlike many previous smishing operations, Darcula relies heavily on Apple iMessage and the RCS protocol in Google Messages instead of traditional SMS.[1][2] Using these encrypted messaging channels allows the platform’s messages to bypass SMS firewalls and some mobile carrier filtering, while avoiding the per-SMS charges that would normally apply to large campaigns.[1][2] To work around the iMessage safeguard that prevents links from unknown senders from being clicked, some Darcula messages instruct recipients to reply with a short confirmation such as “Y” or “1” and then reopen the conversation, which makes the embedded URL clickable.[1][2]
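The lure themes and the “reply Y, then reopen” workaround described above are simple to score on the receiving side. The following triage script is an added example, not code from the article or from any vendor or researcher cited in it; the regular expressions, the point values, the cut-off and the three sample messages are all constructed for illustration, not taken from real Darcula captures. It reads a message and the channel it arrived on (iMessage or RCS counts as a small extra signal, since the page notes the platform favours them) and returns a score with the reasons behind it.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Lure themes the article describes (undeliverable parcel, outstanding customs or
# toll fees, other urgent payments). The exact phrasing is an assumption.
LURE_PATTERNS = {
    "parcel": re.compile(
        r"\b(package|parcel|delivery|shipment)\b.*\b(could not|cannot|unable|failed|held)\b", re.I),
    "fee": re.compile(
        r"\b(customs|toll|duty|unpaid|outstanding)\b.*\b(fee|charge|payment|balance)\b", re.I),
    "urgent": re.compile(r"\b(immediately|within 24 hours|today|urgent|suspended)\b", re.I),
}
# "Reply Y/1 and reopen the thread" instruction used to make an iMessage link clickable.
REPLY_TO_UNLOCK = re.compile(r"\b(reply|respond|answer)\b[^.]*\b(y|yes|1)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
FLAG_THRESHOLD = 4  # assumed cut-off for this example


@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def suspicious(self):
        return self.score >= FLAG_THRESHOLD


def triage(text, channel="sms"):
    """Score one message. channel is 'sms', 'imessage' or 'rcs' as recorded by the collector."""
    f = Finding()
    for name, pat in LURE_PATTERNS.items():
        if pat.search(text):
            f.score += 2
            f.reasons.append(f"lure:{name}")
    if REPLY_TO_UNLOCK.search(text):
        f.score += 3  # the strongest single signal: legitimate senders never ask for this
        f.reasons.append("reply-to-unlock")
    f.urls = URL_RE.findall(text)
    for u in f.urls:
        f.score += 1
        parts = urlsplit(u)
        f.reasons.append(f"url:{parts.hostname}{parts.path or '/'}")
    if channel in ("imessage", "rcs"):
        f.score += 1
        f.reasons.append(f"channel:{channel}")
    return f


# Constructed sample messages (not real captures); hostnames use the reserved .example TLD.
SAMPLES = [
    ("imessage", "USPS: Your package could not be delivered due to an incomplete address. "
                 "Confirm within 24 hours: https://usps-redelivery.example/track "
                 "Reply Y and reopen this message to activate the link."),
    ("rcs", "Toll road notice: an unpaid toll balance of $3.20 is outstanding. "
            "Pay today to avoid a penalty: https://toll-pay.example/pay"),
    ("sms", "Your order #4421 has shipped and will arrive Tuesday. "
            "Track it at https://shop.example/orders"),
]


def run_samples():
    return [triage(text, channel) for channel, text in SAMPLES]


if __name__ == "__main__":
    for (channel, text), f in zip(SAMPLES, run_samples()):
        print(f"{'FLAG' if f.suspicious else 'ok  '} score={f.score} {f.reasons}")
```

The reply-to-unlock instruction carries the most weight on purpose: a delivery notice with a link is ambiguous, but no legitimate sender needs the recipient to answer “Y” and reopen the thread before a link works, so that phrase alone is close to a decision. The hostnames in the reasons list are what an analyst would pivot on next.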
The phishing infrastructure incorporates anti-analysis and anti-takedown techniques. Investigations have found that many Darcula phishing sites are hosted on purpose-registered domains that display an innocuous “domain for sale” or holding page at the root path, with the phishing content served instead from a secondary path such as <code>/track</code>.[1][2]
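A scanner that only requests the root of a suspect domain will see the holding page and clear it. The check below is an added example, not code from the article or from any researcher or vendor it cites: it fetches the root and a short list of candidate paths (<code>/track</code> is the one the article names; the others are assumptions) and reports a domain as cloaked when the root looks parked while a deeper path carries a payment-card or password form. The HTTP responses here are constructed inline so the example runs offline; the regular expressions are illustrative heuristics, and <code>fetch_live</code> is provided for real use but is not called by the samples.

```python
import re
from urllib.request import Request, urlopen

# Signals for a parked "holding page" at the root versus a credential or
# payment-card form on a deeper path. Patterns are assumptions for this example.
PARKED_RE = re.compile(
    r"(this domain (is|may be) for sale|domain for sale|buy this domain|under construction|parked free)",
    re.I)
FORM_RE = re.compile(
    r"<input\b[^>]*(type=[\"']?password|name=[\"']?(card|cvv|cvc|expir))", re.I)
# /track is named in the article; the remaining paths are assumptions.
CANDIDATE_PATHS = ("/track", "/tracking", "/pay", "/redelivery", "/verify")


def detect_cloaking(host, fetch, paths=CANDIDATE_PATHS):
    """fetch(url) -> (status, body). Reports which paths carry a credential form
    and whether the root looks like a decoy holding page."""
    root_status, root_body = fetch(f"https://{host}/")
    root_parked = root_status == 200 and bool(PARKED_RE.search(root_body))
    phish_paths = []
    for p in paths:
        status, body = fetch(f"https://{host}{p}")
        if status == 200 and FORM_RE.search(body):
            phish_paths.append(p)
    return {
        "host": host,
        "root_parked": root_parked,
        "phish_paths": phish_paths,
        # A legitimate shop also has a card form, so only parked-root + form counts.
        "cloaked": root_parked and bool(phish_paths),
    }


# Constructed responses standing in for live HTTP traffic (not real captures).
CONSTRUCTED_RESPONSES = {
    "https://parcel-redelivery.example/": (200,
        "<html><title>parcel-redelivery.example</title>"
        "<p>This domain is for sale. Contact the owner.</p></html>"),
    "https://parcel-redelivery.example/track": (200,
        "<html><h1>Redelivery fee: $1.99</h1><form method=post action=/track/submit>"
        "<input name='fullname'><input name='cardnumber'><input name='expiry'>"
        "<input name='cvv'></form></html>"),
    "https://shop.example/": (200,
        "<html><h1>Welcome to the shop</h1><a href=/pay>Checkout</a></html>"),
    "https://shop.example/pay": (200,
        "<form><input name='cardnumber'><input name='cvv'></form>"),
}


def fetch_constructed(url):
    return CONSTRUCTED_RESPONSES.get(url, (404, ""))


def fetch_live(url, timeout=10):
    """Real fetch, to be run only from isolated analysis egress. Not used by the samples."""
    req = Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(200_000).decode("utf-8", "replace")
    except Exception:  # HTTPError, URLError, socket timeout
        return 0, ""


if __name__ == "__main__":
    for host in ("parcel-redelivery.example", "shop.example", "nothing.example"):
        print(detect_cloaking(host, fetch_constructed))
```

The second constructed host matters as much as the first: a real shop also serves a card form on a deeper path, so the verdict has to combine the parked root with the form rather than fire on either alone. Path lists like this one are only as good as the operator’s current conventions, so the candidate paths should be refreshed from observed lure URLs rather than treated as fixed.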
References