Darcula PhaaS can now auto-generate phishing kits for any brand
The Darcula phishing-as-a-service (PhaaS) platform is preparing to release its third major version, with one of its highlighted features being the ability to create do-it-yourself phishing kits to target any brand.
The upcoming release, currently available as a beta, will remove the targeting scope restrictions that came with offering a finite number of phishing kits, by allowing anyone to create their own.
In addition to this new feature, the upcoming release, named 'Darcula Suite,' also lifts technical skill requirements and adds a new user-friendly admin dashboard, IP and bot filtering, campaign performance measurement, and automated credit card theft/digital wallet loading.
Netcraft researchers tested one of the latest beta builds of Darcula Suite for hands-on analysis and confirmed that the announced features are legitimate.
Darcula emerged last year as a massive PhaaS operation relying on 20,000 domains that spoof renowned brands to steal credentials from Android and iOS users in over 100 countries.
With a much more powerful version underway, Netcraft warns that cybercriminals are moving to it even though the official release isn't out yet.
"Because the container images used to run the admin panel are publicly available at registry[.]magic-cat[.]world, Netcraft was able to get a rough estimate of the number of individuals already exploring this test suite," reads the report.
"The pull count of the API image has increased by more than 100% and the web image by more than 50% from February 5 to February 10."

DIY phishing
The highlighted feature of the upcoming Darcula Suite is the DIY phishing kit generator that lets "customers" insert the URL for the brand they want to impersonate. The platform will then automatically generate all the required templates for the attack.
The platform clones the legitimate site using the Puppeteer tool, copying the HTML, CSS, images, and JavaScript, to maintain the original design.

The fraudster may choose which elements to modify, such as the login fields, payment forms, and two-factor authentication prompts, replace them with phishing pages, use custom error messages, or modify JavaScript to steal input data.
Darcula Suite offers pre-made templates, like fake password reset pages, credit card payment forms, and 2FA code entry prompts.

Once configured, the phishing site is packaged into a ".cat-page" bundle containing all the files necessary for the attack.
The kit is then uploaded to the Darcula admin panel to allow deployment, central management, real-time data theft, and performance monitoring.
Apart from the new DIY system, Darcula 3.0 brings:
- Anti-detection features with randomized deployment paths, IP filtering, crawler blocking, and device-type restrictions.
- A new admin panel with simplified phishing campaign management, a performance dashboard, real-time logs of stolen credentials, and Telegram notifications for when a victim submits sensitive information.
- A new tool to convert stolen credit card data into virtual card images that can be added to digital payment apps.
Netcraft says Telegram groups linked to Darcula are already promoting burner phones preloaded with multiple stolen cards for sale, another sign of the increased adoption of the new Darcula version.

The introduction of Darcula 3.0 and its powerful new features make detecting and stopping phishing campaigns even more challenging, while the ease of use of the latest version guarantees that phishing volumes will increase.
Netcraft comments that, in the last 10 months, it detected and blocked nearly 100,000 Darcula 2.0 domains, 20,000 phishing sites, and 31,000 IP addresses associated with the platform.