Skip to content

Darcula phishing is targeting global orgs via RCS and iMessage

  • by
  • 3 min read

A new and highly sophisticated Phishing-as-a-Service (PhaaS) platform dubbed ‘darcula’ has emerged, posing a significant threat to organisations globally. The platform uses iMessage and Rich Communication Services (RCS) instead of SMS for text message-based phishing, better known as smishing attacks.

Operating primarily in Chinese, darcula leverages more than 20,000 phishing domains employing advanced techniques that go beyond traditional phishing methods.

Cybersecurity researchers from Netcraft have exposed this new tool. Unlike conventional PhaaS platforms that rely on PHP, darcula stands out by utilising cutting-edge technologies found in high-tech startups. These include JavaScript, React, Docker, and Harbor, allowing cybercriminals to craft highly convincing and targeted phishing campaigns.

The darcula platform, attributed to a Telegram user sharing the same moniker, operates as a cybercrime marketplace, providing a range of phishing templates targeting prominent brands worldwide.

Phishing landing pages. | Source: Netcraft

Its subscription-based model allows other criminals to easily deploy phishing sites tailored for specific brands, with constant updates.

The use of iMessage and RCS circumvents SMS firewalls, enabling darcula to effectively target organisations such as the United States Postal Service (USPS) and postal services worldwide, alongside established entities in over 100 countries. By leveraging these communication protocols, which offer enhanced security and encryption compared to SMS, darcula evades traditional filtering mechanisms and increases the credibility of its messages among recipients.

The platform’s modus operandi involves sending deceptive messages, often masquerading as missed package notifications, to lure users into divulging sensitive information like login credentials. These messages are meticulously designed to mimic communications from legitimate organisations exploiting the trust of unsuspecting recipients.

Phishing messages sent using darcula targeting iMessage users. | Source: Netcraft

Researchers discovered that over the past year, darcula has been used to orchestrate several high-profile phishing campaigns, including instances reporting in the UK targeting both Apple and Android users. The threat actors also impersonated a USPS employee.

To further enhance its stealth and longevity, darcula employs purpose-registred domains, often spoofing legitimate brand names, and utilises top-level domains (TLDs) like .com. The tool also uses various low-cost generic TLDs for this purpose.

The platform strategically employs services like Cloudflare, Tencent, Quadranet, and Multacom to obfuscate its infrastructure and evade detection.

Despite regulatory efforts to curd SMS-based cybercrime, darcula’s adoption of RCS and iMessage presents new challenges to cybersecurity experts, as these encrypted communication channels hinder traditional detection and mitigation measures. Researchers also discovered that criminals leveraging darcula’s services have also devised tactics to bypass platform-specific security controls, such as Apple’s link-clicking restrictions in iMessage.

Researchers have recommended exercising caution when clicking on links, verifying messages from official sources, and using cybersecurity tools for additional protection.

In the News: Google enhances Maps and Search for travellers

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: