Cybercriminals Can Now Clone Any Brand’s Site in Minutes Using Darcula PhaaS v3

Avatar
The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform appear to be readying a new version that allows prospective customers and cyber crooks to clone any brand’s legitimate website and create a phishing version, further bringing down the technical expertise required to pull off phishing attacks at scale. The latest iteration of the phishing suite “represents a significant

The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform appear to be readying a new version that allows prospective customers and cyber crooks to clone any brand’s legitimate website and create a phishing version, further bringing down the technical expertise required to pull off phishing attacks at scale.

The latest iteration of the phishing suite “represents a significant shift in criminal capabilities, reducing the barrier to entry for bad actors to target any brand with complex, customizable phishing campaigns,” Netcraft said in a new analysis.

The cybersecurity company said it has detected and blocked more than 95,000 new Darcula phishing domains, nearly 31,000 IP addresses, and taken down more than 20,000 fraudulent websites since it was first exposed in late March 2024.

The biggest change incorporated into Darcula is the ability for any user to generate a phishing kit for any brand in an on-demand fashion.

“The new and remastered version is now ready for testing,” the core developers behind the service said in a post made on January 19, 2025, in a Telegram channel that has over 1,200 subscribers.

“Now, you can also customize the front-end yourself. Using darcula-suite, you can complete the production of a front-end in 10 minutes.”

To do this, all a customer has to do is provide the URL of the brand to be impersonated in a web interface, with the platform employing a browser automation tool like Puppeteer to export the HTML and all required assets.

Users can then select the HTML element to replace and inject the phishing content (e.g., payment forms and login fields) such that it matches the look and feel of the branded landing page. The generated phishing page is then uploaded to an admin panel.

“Like any Software-as-a-Service product, the darcula-suite PhaaS platform provides admin dashboards that make it simple for fraudsters to manage their various campaigns,” security researcher Harry Freeborough said.

“Once generated, these kits are uploaded to another platform where criminals can manage their active campaigns, find extracted data, and monitor their deployed phishing campaigns.”

Besides featuring dashboards that highlight the aggregated performance statistics of the phishing campaigns, Darcula v3 goes a step further by offering a way to convert the stolen credit card details into a virtual image of the victim’s card that can be scanned and added to a digital wallet for illicit purposes. Specifically, the cards are loaded onto burner phones and sold to other criminals.

The tool is said to be currently in the internal testing stage. In a follow-up post dated February 10, 2025, the malware author posted the message: “I have been busy these days, so the v3 update will be postponed for a few days.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Webinar: Learn How to Identify High-Risk Identity Gaps and Slash Security Debt in 2025

Next Post

Black Basta is latest ransomware group to be hit by leak of chat logs

Related Posts

Palo Alto Networks Patches Authentication Bypass Exploit in PAN-OS Software

Palo Alto Networks has addressed a high-severity security flaw in its PAN-OS software that could result in an authentication bypass. The vulnerability, tracked as CVE-2025-0108, carries a CVSS score of 7.8 out of 10.0. The score, however, drops to 5.1 if access to the management interface is restricted to a jump box. "An authentication bypass in the Palo Alto Networks PAN-OS software enables an
Avatar
Read More

Blind Eagle Hacks Colombian Institutions Using NTLM Flaw, RATs and GitHub-Based Attacks

The threat actor known as Blind Eagle has been linked to a series of ongoing campaigns targeting Colombian institutions and government entities since November 2024. "The monitored campaigns targeted Colombian judicial institutions and other government or private organizations, with high infection rates," Check Point said in a new analysis. "More than 1,600 victims were affected during one of
Avatar
Read More