Darcula Phishing Service Targets iPhones

In a recently published article by Netcraft, a new Phishing-as-a-Service (PhaaS) platform targeting iPhones via the iMessage application has been discovered.

Named Darcula, the platform uses 20,000 domains to spoof brands and steal credentials from Android and iPhone users in more than 100 countries.

Darcula Phishing Service Targets iPhones

Based on Netcraft's research and telemetry, the PhaaS has been used against various services and organizations, from postal, financial, government, and taxation departments to telcos, airlines, and utilities, offering fraudsters over 200 templates to choose from.

The malware developers have forgone the widespread use of SMS messages to target Rich Communication Services (RCS) protocol for Google Messages and iMessage to distribute phishing messages.

The targeting of RCS services is likely done to bypass SMS controls set up by telecommunications companies and others to prevent phishing attacks from reaching the end user.

Oshri Kalfon initially discovered Darcula in July 2023, but since then, the service offered to hackers willing to pay for its use has risen in popularity.

The malware and service have also forgone the use of PHP to power the malicious actions of others, preferring to go with tech stacks commonly used by startups, including JavaScript, React, Docker, and Harbor.

Adopting these technologies allows for updates to be made quickly without forcing paying customers to install new phishing kits in the future. This is undoubtedly a convenient selling point, contributing to the service's popularity.

This rise in popularity can be seen in the increase in high-profile attacks, where Darcula was a cornerstone of the campaign.

Netcraft notes,

The darcula platform has been used for numerous high-profile phishing attacks over the last year, including messages received on both Apple and Android devices in the UK, as well as package scams impersonating United States Postal Service (USPS) highlighted in numerous posts on Reddit’s /r/phishing…Those operating sites using darcula frequently distribute their URLs via RCS and iMessage. These messages are free to send, leverage consumer trust (many iPhone users will be used to blue messages only from known contacts), and evade some filters put in place by network operators, which often prevent scam SMS messages from being delivered to potential victims.

A Deeper Dive

Based on available research, Darcula is a Chinese language PhaaS developed by a Telegram user of the same name. As mentioned above, due to the developer's knowledge of current tech stacks, the service and malware can be updated far more quickly than phishing kits that have gone before.

For example, a recent Darcula update changed the kit to make the malicious content available through a specific URL path rather than the front page to better disguise the attack's location. For a phishing kit reliant on PHP, the service's customer would need to uninstall the current kit and then reinstall the updated kit.

In uncovering Darcula's domain creation tactics and techniques, it was noted,

darcula phishing attacks typically use purpose-registered domains rather than those that have been compromised, usually spoofing the relevant brand name. The most common top-level domains (TLDs) used for darcula are .top and .com, followed by numerous low-cost generic TLDs. Cloudflare’s platform is used by 32% of darcula pages, with Cloudflare’s services being recommended by darcula’s own documentation to avoid exposing the underlying server’s IP address. Tencent, Quadranet, and Multacom are also common choices…In total, Netcraft has detected more than 20,000 darcula-related domains across 11,000 IP addresses, which target 100+ brands. Since the start of 2024, Netcraft has detected an average of 120 new domains hosting darcula phishing pages each day.


On the front page, darcula sites display a fake domain for sale/holding page, likely as a form of cloaking to disrupt takedown efforts. In previous iterations, darcula’s anti-monitoring mechanism would redirect visitors that are believed to be bots (rather than potential victims) to Google searches for various cat breeds. darcula is cat-themed, with a cat as its Telegram channel image, the administration panel previously being labeled with a cat image, and infrastructure domains such as magic-cat[.]net.

While this is certainly interesting and important information for anyone looking to defend against such attacks, it is the abuse of RCS services. RCS was initially developed to be a more secure form of messaging than previous SMS technology.

However, pieces of legislation like the Federal Communications Commission has recently introduced laws that "require mobile wireless providers to block certain robotext messages that are highly likely to be illegal," while, in Singapore, the SMS Sender ID Registry (SSIR) initiative (which went live in January this year) has been introduced to tackle "unsolicited and fraudulent SMS messages," have hampered cyber criminals and scammers.

Often, users are under the false impression that services like iMessage, which use end-to-end encryption, prevent any abuse by threat actors. In certain circumstances, it also allows criminals to evade the filtering required by this legislation by making the content of messages impossible for network operators to examine.

Detecting malicious messages then falls to Google or Apple, as well as third-party anti-spam products a user might have installed.

To help mitigate against such threats, it is advised that users be highly skeptical of any links sent to you from unrecognized senders. Look for inaccurate grammar, spelling errors, and offers that are too good to be true.

Messages that in some form require urgent action should also be treated with skepticism. Lastly, if you are expecting a message from an organization, navigate to their official website and avoid following links.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal