NEWS Darcula + ChatGPT = Phishing That Can't Be Told Apart from the Real Thing

Doni

Now even inexperienced criminals can clone any website with just a few clicks.

The Darcula platform, used by cybercriminals for mass phishing campaigns, has received an update with generative artificial intelligence (GenAI) support. Creating fraudulent pages has become even easier – even users without technical skills can generate personalized forms and counterfeit company websites in just minutes.
Darcula first appeared on researchers' radars in March 2024 as a phishing service utilizing iMessage and RCS to send fake notifications supposedly from postal services. At that time, the toolset allowed criminals to deceive users by redirecting them to counterfeit links. However, with the introduction of GenAI, the situation has escalated to a new level: now criminals can not only clone the external appearance of brand websites, but also adapt forms to the required language and region without the need for programming.
Netcraft’s report emphasizes that these new capabilities pave the way for phishing even for those who previously lacked the necessary knowledge. The ability to generate multilingual forms and automatically customize them for specific victims allows for faster and more accurate attacks. All of this makes Darcula particularly dangerous in the hands of mass phishing distributors like the Smishing Triad group, which operates on a global scale.
The Dark Side of Technology
Recent research by PRODAFT points out that Darcula was created by a criminal under the pseudonym LARVA-246, and the platform is promoted through a Telegram channel called xxhcvv / darcula_channel. The functionality of Darcula overlaps with other well-known phishing constructors such as Lucid and Lighthouse. All of them are considered part of a large Chinese cybercrime cluster united by a common goal — simplifying and scaling phishing.
In addition to creating and cloning websites, the system allows for easy setup of form fields, translation into the desired language, and rapid deployment of phishing campaigns. This accessibility makes Darcula the perfect tool for novice criminals, which sharply increases the number of potential attacks.
Since March 2024, analysts have already removed over 25,000 pages created using Darcula, blocked about 31,000 IP addresses, and discovered more than 90,000 domains associated with its activity. Despite extensive efforts to neutralize it, Darcula continues to evolve and become more accessible.
The latest update was officially released on April 23, 2025, and immediately raised concerns among experts. The ability to launch full phishing pages in just a few minutes is now available to almost anyone — all that’s left is to choose a target and click the generation button.
 