= Darcula =

Darcula is a Chinese-language (PhaaS) platform used to run large-scale (smishing) campaigns against mobile phone users, including organizations (government, airlines) and services (postal, financial) worldwide.
Darcula offers to cybercriminals more than 20,000 counterfeit domains (to spoof brands) and over 200 templates.
Darcula uses iMessage and RCS (Rich Communication Services) to steal credentials from Android and iPhone users.

In May 2025, the Norwegian Broadcasting Corporation (NRK) in collaboration with BR, Le Monde, and the Norwegian cybersecurity company mnemonic reported on Darcula. They reported that the group was able to steal a total of 884,000 credit cards from victims during a period of seven months between 2023 and 2024. They also claim that the software used by the group, Magic Cat, was developed by Yucheng C., a 24-year old man from Henan, China.

== Operation ==
Darcula operates as a subscription-based PhaaS platform. Customers pay a monthly fee for access to Magic Cat, which provides an administrative panel, ready-made phishing templates and tooling to manage campaigns and stolen data.

Campaigns sent through Darcula typically begin with a text message claiming that a package cannot be delivered, that customs or toll fees are outstanding, or that another urgent payment is required. Victims are directed to a phishing page that closely resembles the targeted brand’s website and are asked to provide personal details and payment-card information, which is relayed to operators in real time via the Magic Cat backend.

Unlike many previous smishing operations, Darcula relies heavily on Apple iMessage and the RCS protocol in Google Messages instead of traditional SMS. Using encrypted messaging channels allows the platform’s messages to bypass SMS firewalls and some mobile carrier filtering, while avoiding per-SMS charges that would normally apply to large campaigns. To work around iMessage safeguards that prevent links from unknown senders being clicked, some Darcula messages instruct recipients to reply with a short confirmation such as “Y” or “1” and then reopen the conversation, which makes the embedded URL clickable.

The phishing infrastructure incorporates anti-analysis and anti-takedown techniques. Investigations have found that many Darcula phishing sites are hosted on purpose-registered domains that display an innocuous “domain for sale” or holding page on the front path, with the phishing content served instead from a secondary path such as .
