Skip to content Skip to footer

Darcula PhaaS Platform Targets Organizations with Smishing Attacks

A recent report has shed light on a new and sophisticated form of called -as-a-service (PhaaS) that has been wreaking havoc on organizations in over 100 countries. Darcula is a Chinese-language PhaaS platform that supports over 200 templates that impersonate legitimate brands. Customers can avail of these templates for a monthly fee to set up sites and carry out their malicious activities.

The sites are hosted on purpose-registered domains that spoof the respective brand names to add a veneer of legitimacy. Moreover, these domains are backed by Cloudflare, Tencent, Quadranet, and Multacom, making it even more difficult for victims to identify them as fraudulent.

One of the most concerning aspects of Darcula is that it has been able to bypass traditional SMS firewalls by using iMessage and RCS (Rich Communication Services) instead of SMS to send text messages. This has allowed the cybercriminals behind the platform to target established organizations, including postal services, with significant effect. Moreover, the departure from traditional SMS-based has reduced the delivery cost for the attackers.

Darcula's smishing tactics are also noteworthy. They primarily leverage Apple iMessage and RCS instead of SMS, evading some filters by network operators to prevent scammy messages from being delivered to prospective victims. Additionally, they do not incur any per-message charges, typical for SMS.

Another notable aspect of Darcula's smishing messages is their sneaky attempt to get around a safety measure in iMessage that prevents links from being clickable unless the message is from a known sender. To do this, the attackers instruct the victim to reply with a “Y” or “1” message and then reopen the conversation to follow the link.

These messages are sent from email addresses such as and, indicating that the threat actors behind the operation are creating bogus email accounts and registering them with Apple to send the messages.

Darcula has been employed in several high-profile attacks over the last year, wherein the smishing messages are sent to Android and iOS users in the U.K. and those that leverage package delivery lures by impersonating legitimate services like USPS.

More than 20,000 Darcula-related domains across 11,000 IP addresses have been detected, with an average of 120 new domains identified daily since the start of 2024. Israeli security researcher Oshri Kalfon revealed some aspects of the PhaaS service in July 2023.

To make matters worse, Darcula can update sites with new features and anti-detection measures without removing and reinstalling the kit. On the front page, Darcula sites display a fake domain for sale/holding page, likely as a form of cloaking to disrupt takedown efforts.

While end-to-end encryption in RCS and iMessage delivers valuable privacy for end users, it also allows criminals to evade filtering required by legislation by making the content of messages impossible for network operators to examine. This leaves Google and Apple's on-device spam detection and third-party spam filter as the primary line of preventing these messages from reaching victims.

Leave a comment

Newsletter Signup

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

We have no names, man. No names. We are nameless!Cereal

Deitasoft © 2024. All Rights Reserved.