POPULAR BRAND WEBSITES CAN NOW BE CLONED BY CYBERCRIMINALS IN MINUTES USING DARCULA PHAAS V3

The operators of the Darcula phishing-as-a-service (PhaaS) platform seem to be preparing an updated version that enables users, including cybercriminals, to replicate any legitimate brand’s website and generate a phishing variant. This development further lowers the technical skills needed to carry out large-scale phishing attacks.

Darcula v3: A Game-Changer in Phishing Operations

According to cybersecurity firm Netcraft, the latest iteration of Darcula represents a major advancement in phishing capabilities. The company has identified and blocked over 95,000 Darcula phishing domains and nearly 31,000 IP addresses. Additionally, more than 20,000 fraudulent websites have been taken down since the platform’s exposure in March 2024.

One of the most alarming new features of Darcula v3 is its ability to generate phishing kits on demand for any brand. The service’s developers confirmed in a Telegram post on January 19, 2025, that the “remastered version is now ready for testing.”

“Now, you can also customize the front-end yourself. Using darcula-suite, you can complete the production of a front-end in 10 minutes,” the developers stated.

How Darcula v3 Works

The new version streamlines phishing campaign creation by allowing users to input a legitimate brand’s URL into a web interface. The platform then employs browser automation tools like Puppeteer to extract the website’s HTML and assets.

Once extracted, cybercriminals can select specific HTML elements to modify, injecting phishing content such as fake payment forms and login fields that mimic the original website’s design. The final phishing page is then uploaded to an admin panel, making it easy to manage and deploy attacks.
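From the defender's side, a page built this way keeps the brand's layout but sits on a non-brand host and asks for fields the real page never requests. The sketch below is an added example, not code from Netcraft or the original article. It scores a suspect page against a known-good reference on those three signals. The keyword list, the 0.5 threshold, the host names and both sample pages are constructed assumptions.

```python
from html.parser import HTMLParser

# Assumed keyword list for credential/payment inputs (illustrative, not exhaustive).
SENSITIVE = ("password", "card", "cvv", "cvc", "expiry")

class PageProfile(HTMLParser):
    """Records the tag sequence and any sensitive-looking <input> fields."""
    def __init__(self):
        super().__init__()
        self.tags, self.sensitive = [], set()

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            a = dict(attrs)
            label = " ".join(str(a.get(k) or "") for k in ("type", "name", "id", "autocomplete")).lower()
            self.sensitive.update(kw for kw in SENSITIVE if kw in label)

def profile(html):
    p = PageProfile()
    p.feed(html)
    p.close()
    # 3-tag shingles capture layout structure independent of text content.
    return set(zip(p.tags, p.tags[1:], p.tags[2:])), p.sensitive

def clone_score(reference_html, suspect_html, suspect_host, brand_hosts, threshold=0.5):
    ref_sh, ref_sens = profile(reference_html)
    sus_sh, sus_sens = profile(suspect_html)
    union = ref_sh | sus_sh
    similarity = len(ref_sh & sus_sh) / len(union) if union else 0.0
    off_brand = not any(suspect_host == h or suspect_host.endswith("." + h) for h in brand_hosts)
    injected = sorted(sus_sens - ref_sens)  # fields the real page does not ask for
    return {"similarity": round(similarity, 2), "off_brand": off_brand, "injected_fields": injected,
            "suspicious": off_brand and similarity >= threshold and bool(injected)}

# Constructed sample pages (not real brand content).
SHELL = ('<html><head><title>Example Post</title><link rel="stylesheet" href="/s.css"></head>'
         '<body><header><img src="/logo.png"><nav><a href="/track">Track</a>'
         '<a href="/help">Help</a></nav></header><main><h1>%s</h1>%s</main>'
         '<footer><p>Example Post</p></footer></body></html>')
REFERENCE = SHELL % ("Track your parcel",
                     '<form action="/track"><input name="tracking_id"><button>Go</button></form>')
SUSPECT = SHELL % ("Pay redelivery fee",
                   '<form action="https://collector.invalid/submit"><input name="card_number">'
                   '<input name="cvv"><input name="expiry"><button>Pay</button></form>')

if __name__ == "__main__":
    print(clone_score(REFERENCE, SUSPECT, "example-post-redelivery.invalid", ["examplepost.example"]))
```

No single signal is conclusive on its own; the flag is raised only when high structural similarity, an off-brand host and newly requested sensitive fields occur together.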

Security researcher Harry Freeborough noted that Darcula operates much like any Software-as-a-Service (SaaS) product, featuring an admin dashboard that simplifies campaign management. Fraudsters can monitor their phishing campaigns, extract stolen data, and oversee their operations with ease.

Beyond Phishing: Stolen Credit Card Virtualization

Darcula v3 introduces a disturbing new feature that takes cyber fraud a step further. The platform now offers a tool that converts stolen credit card details into virtual images of victims’ cards, which can then be added to digital wallets. These virtual cards are often loaded onto burner phones and sold on underground marketplaces, increasing the profitability of phishing schemes.

Current Status: Internal Testing Underway

While the tool is still in development, a follow-up post from the malware author on February 10, 2025, indicated that testing is ongoing:

“I have been busy these days, so the v3 update will be postponed for a few days.”

Cybersecurity experts warn that this evolution in phishing-as-a-service platforms could lead to an increase in highly convincing phishing attacks. Organizations are urged to enhance their security measures, implement robust email filtering, and educate employees and customers on phishing risks to mitigate potential threats.

Final Thoughts

The emergence of Darcula v3 underscores the growing sophistication of cybercrime and the need for advanced security solutions. Businesses and individuals alike must remain vigilant against the rising threat of phishing campaigns that exploit cloned websites and stolen credentials.