Skip Navigation

April 1, 2024 |

‘Darcula’ phishing service targeting Android and iPhone users

Loading table of contents...

A phishing as a service (PhaaS) operation known as ‘Darcula’ has been attributed to several high-profile incidents against organizations in various industries, such as finance, government, telecommunication, transportation, and utility.

Darcula allows subscribers to choose from over 200 templates to create phishing landing pages that closely impersonate popular brands from more than 100 countries.

Once the target brand is chosen, a setup script configures and installs the phishing site and its corresponding management console in a Docker environment.

Image 1: Templates for phishing landing pages

Darcula typically uses “.top” and “.com” top-level domains (TLD) for the phishing domains, one-third of which are protected by Cloudflare, likely to prevent automated scanning by security researchers. Security researchers have mapped 20,000 Darcula domains across 11,000 IP addresses, with 120 new domains added daily.

What differentiates Darcula from other PhaaS operations is its use of Rich Communication Services (RCS) protocol to send phishing messages via Google Message and iMessage instead of SMS. This technique makes it more likely that recipients perceive the communication as legitimate, as these protocols have additional safeguards that SMS does not.

Additionally, RCS and iMessage support end-to-end encryption, making it impossible to intercept and block phishing messages based on their content.

Darcula overcomes security restrictions in these protocols by carefully wording the phishing messages. For example, Darcula encourages recipients to reply with a ‘Y’ or ‘1’ and then reopen the message to follow a link that Apple blocks until the recipient responds to the message.

Image 2: Darcula phishing text instructing recipients how to respond

Darcula also uses multiple Apple IDs and device farms so that no single ID or device sends so many messages as to trigger Apple’s message limit.

Source: Bleeping Computer


Given that mobile phones and text messaging are so integrated into daily life, it makes sense that threat actors will continue to develop more effective and efficient methods to compromise them. PhaaS, such as Darcula, make it easier for less technical threat actors to get into the phishing game, as all the difficult technical work has already been done.

Fortunately, mobile phone makers such as Google and Apple are aware of these attacks and continuously improve the security of their devices to mitigate the risk PhaaS operations, such as Darcula, pose.


Field Effect’s elite team of Security Intelligence professionals constantly monitor the cyber threat landscape for new tactics, techniques, and procedures used by threat actors including the Darcula PhaaS.

Users are encouraged to scrutinize unsolicited messages or emails that urge the recipient to click on URLs, especially if the sender is not recognized. Often, poor grammar, spelling errors, overly attractive offers, or calls to urgent actions are signs of malicious intent.

Covalence users are encouraged to submit suspicious emails to Field Effect’s Suspicious Email Analysis Service (SEAS) for analysis before clicking on any links or opening attachments.

Related articles