Darcula is Not a Vampire

Security researchers have reported on an active Phishing-as-a-Service (PhaaS) operation that victimized hundreds of thousands of people in just a few months. According to Norwegian security firm Mnemonic, Darcula is designed to target iPhone and Android users with phishing messages, spoofing brands to trick them into handing over card details. Operating globally, it convinces victims to click through on SMS, RCS, and iMessage texts impersonating brands such as delivery firms. Victims are asked to pay delivery charges to receive their "package," pay road toll fees, and more.

See:  https://redskyalliance.org/xindustry/darcula-phaas

Previous reports on the operation have highlighted its continued evolution, including new features like generative AI to create customized smishing campaigns and anti-forensics capabilities. Mnemonic used reverse engineering techniques to discover the “backbone” of the operation: a powerful toolkit named “Magic Cat.”  A joint investigation with Norwegian broadcaster NRK traced this package back to a 24-year-old from Henan province in China.

An estimated 600 cybercrime groups are using the infrastructure, most of which operate in closed Telegram groups, using SIM farms to increase their reach and card terminals to process stolen details. Most appear to be Chinese-language natives. The researchers claimed that around 884,000 cards were compromised in this way in just a seven-month period between 2023 and 2024.

Mnemonic explained that Magic Cat is a feature-rich toolkit developed for non-technical buyers to scale smishing campaigns.  “At the time, this included out-of-the-box support to impersonate a few hundred brands in countries worldwide.  Recent updates to the platform are reported to have made building custom brand templates even more user-friendly for operators,” it said.

“Magic Cat also streamed data entered by victims in real-time to the operators, allowing them to see character-by-character data entered into the phishing sites. It also allows operators to request PIN codes in real-time and easily integrate with SMS gateways, amongst many other features.”

Law enforcement authorities in various jurisdictions have been notified.


This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    
