Darcula Phishing Kit Uses AI to Evade Detection, Experts Warn

Darcula phishing platform adds AI to create multilingual scam pages easily. Netcraft warns of rising risks from Darcula-Suite upgrade.

Cybersecurity researchers at Netcraft’s threat intelligence division have revealed that cybercriminals behind the phishing-as-a-service (PhaaS) platform Darcula have introduced a new upgrade to its toolkit, called Darcula-Suite. This update integrates artificial intelligence to enhance the capabilities of this already widely used phishing kit.

AI Integration Announcement (Source: Netcraft)

According to Netcraft’s report shared with Hackread.com, in early 2025, Netcraft identified Darcula version 3, which introduced a redesigned admin dashboard and Darcula-Suite desktop application. This allowed users to create custom phishing kits, even without coding or web development skills.

The tool automatically copies a website URL, allowing attackers to target uncommon brands. This customization makes traditional detection methods less effective, Netcraft’s researchers noted, requiring dynamic, behaviour-based security approaches to counter this issue.

On April 23rd, Netcraft detected the integration of generative AI into Darcula-Suite, allowing users to generate phishing forms in any language, customize form fields, and automatically translate entire forms while maintaining the original layout.

This incorporation of AI technology is a game-changer because it significantly lowers the technical skills needed to create convincing fake websites designed to steal sensitive information.

Now, even individuals with limited technical knowledge can quickly develop customized scam pages with support for multiple languages and automatically generated forms, all without requiring any programming expertise.

It is worth noting that Netcraft had previously reported on Darcula’s platform, which is used for widespread and targeted smishing attacks, in March 2024 and February 2025. Over time, Darcula has evolved into a sophisticated, subscription-based system that offers tools and speed comparable to modern tech startups.

The Darcula platform is operated by Smishing Triad, a notorious Chinese cybercrime group known for carrying out mass-targeting attacks globally through SMS-based phishing, or “SMSishing.” Last year, Hackread.com reported Smishing Triad targeting online banking, e-commerce, and payment systems in the US, EU, UAE, KSA, and smartphone users in Pakistan.

Darcula is a service model designed for expansion. It offers users tools to imitate organizations in various countries, built using modern technologies like JavaScript frameworks, Docker, and Harbor, mirroring the setup of legitimate SaaS (software-as-a-service) firms. Operators use SMS, RCS (Rich Communication Services), and iMessage to spread phishing attempts, using advanced tactics like making links clickable on iOS devices to trick recipients into responding.

Netcraft has taken significant action against Darcula since March 2024, removing over 25,000 fake websites, blocking nearly 31,000 IP addresses, and detecting over 90,000 phishing domains. They predict the AI-enhanced Darcula-Suite will become more popular among cybercriminals.

To protect against this threat, Netcraft advises caution with messages in RCS groups, scepticism towards unknown numbers on RCS or iMessage, and caution when visiting less familiar websites.

HackRead
