
In a deep dive into one of the most sophisticated global phishing infrastructures ever uncovered, researchers at Norwegian cybersecurity firm mnemonic have peeled back the layers of a shadowy Phishing-as-a-Service (PhaaS) network known as Darcula. The report not only documents the technical ingenuity behind the operation but also traces its infrastructure, marketing ecosystem, and possible real-world identity of its creator.
“What we saw shocked us. Flying by our screen was a stream of names, addresses, and credit cards, a real-time feed of hundreds of victims being phished,” the report recounts.
The story began in December 2023 with a wave of smishing (SMS phishing) messages pretending to be delivery notifications from postal services. These messages reached users worldwide—particularly across Norway—and lured them into entering personal data and credit card information via fake websites.
“Such messages have one thing in common: they impersonate a brand that we trust… thus tricking us into willfully giving away our information,” the report warns.
But this was no ordinary scam. The phishing kits employed advanced anti-forensics techniques: the links only worked when accessed from mobile devices on cellular networks, evading detection by automated security scanners.
Using security tools and clever workarounds, mnemonic researchers bypassed these protections and eventually loaded the phishing site on a desktop for analysis. There they discovered a Socket.IO-based messaging backend where every field entered by victims was encrypted on the client side.
“The application is trying to protect itself from a different kind of party—namely our kind: security researchers with man-in-the-middle proxies.”
By analyzing the obfuscated JavaScript code, they extracted the encryption keys and decrypted the messages in real time, revealing victim data and a chatroom-based infrastructure in which phishing results were streamed to operator dashboards.
The researchers traced the operation to a phishing platform called Magic Cat, promoted in Telegram channels under the alias “Darcula.” This toolkit allowed cybercriminals to impersonate hundreds of global brands, integrate SMS gateways, and collect sensitive data in real time.
“It’s feature rich, and clearly developed to enable non-technical buyers to conduct their own phishing campaigns at scale.”
Magic Cat also contained licensing features, activation servers, and dashboards that enabled fraudsters to manage campaigns like enterprise software vendors. The toolkit was monetized and distributed with installation guides and customer support, highlighting the professionalization of phishing.
In their hunt for Darcula’s true identity, mnemonic’s researchers followed a trail of clues from GitHub accounts, Alibaba Cloud IPs, document metadata, and OSINT tools. Eventually, a Chinese phone number, Apple ID, and Instagram account all connected back to the same alias.
“In the document metadata, we saw the same name listed as the document author… matched to a WHOIS record, a QQ email, and a bank account.”
Although the report stops short of naming the individual, the attribution effort represents a remarkable case study in open-source intelligence (OSINT) and responsible disclosure.
The research uncovered that hundreds of thousands of victims were affected globally, and that thousands of licenses for Magic Cat had been sold. Darcula’s operation mimicked that of a legitimate software vendor, complete with release notes, user support, and licensing enforcement.
mnemonic shared its findings with law enforcement and partnered with the Norwegian Broadcasting Corporation (NRK) to highlight the societal implications of scalable phishing infrastructures.