The Darcula group has orchestrated a massive phishing-as-a-service (PhaaS) operation, dubbed Magic Cat, compromising an estimated 884,000 credit card details from over 13 million user interactions worldwide.
This smishing (SMS phishing) campaign, first detected in December 2023, impersonates trusted brands like the Norwegian Postal Service to lure victims into divulging sensitive information.
Sophisticated Phishing-as-a-Service Operation
By exploiting mobile-specific vulnerabilities and deploying advanced anti-forensics techniques, the operation has demonstrated a chilling level of sophistication, targeting millions through SMS, iMessage, and RCS platforms with messages prompting users to update delivery details or pay fictitious fees.

The Magic Cat software, uncovered through meticulous reverse-engineering by security researchers, is a feature-rich PhaaS platform designed for non-technical operators to launch phishing campaigns at scale.
It supports impersonation of hundreds of global brands with customizable templates, streams victim data in real-time for immediate exploitation, and integrates seamlessly with SMS gateways for mass distribution.
Technical Depth of the Magic Cat Platform
Researchers bypassed the platform’s anti-forensic measures, such as mobile-only access restrictions and client-side encryption using the Rabbit algorithm via crypto-js, by manipulating User-Agent headers and leveraging cellular network simulations.
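The mobile-only gating mentioned above is something a SOC analyst can test for when triaging a smishing link: fetch the same URL under a desktop and a mobile User-Agent and compare what comes back. The helper below is an added example, not code from the article or from the Magic Cat analysis; the User-Agent strings, the lure regex, the `analyze_gating` function and the stub HTTP client are all assumptions constructed for illustration.

```python
"""Triage helper: detect User-Agent gating (cloaking) on a suspected smishing URL.

Kits that serve the lure only to mobile browsers show a desktop analyst a blank
or benign page. The HTTP client is injected so the check runs offline against a
constructed stub; swap in a real client inside a sandboxed analysis host.
"""
import difflib
import re
from typing import Callable, Dict

# Assumed User-Agent strings (illustrative, not taken from the article).
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0"
MOBILE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148")

# Markers of a credential/payment-card lure in a response body (assumed).
LURE_PATTERN = re.compile(
    r'<input[^>]+(type="password"|name="(card|cc|cvv|pan)[^"]*")', re.I)

Fetcher = Callable[[str, Dict[str, str]], str]

def fetch_with_ua(fetch: Fetcher, url: str, ua: str) -> str:
    """Fetch url with the given User-Agent header through the injected client."""
    return fetch(url, {"User-Agent": ua})

def analyze_gating(url: str, fetch: Fetcher) -> dict:
    """Return a verdict describing whether the URL cloaks its content by User-Agent."""
    desktop = fetch_with_ua(fetch, url, DESKTOP_UA)
    mobile = fetch_with_ua(fetch, url, MOBILE_UA)
    similarity = difflib.SequenceMatcher(None, desktop, mobile).ratio()
    mobile_lure = bool(LURE_PATTERN.search(mobile))
    desktop_lure = bool(LURE_PATTERN.search(desktop))
    return {
        "similarity": round(similarity, 3),
        "mobile_lure": mobile_lure,
        "desktop_lure": desktop_lure,
        # Gated: the lure appears only to mobile clients and the bodies differ a lot.
        "ua_gated": mobile_lure and not desktop_lure and similarity < 0.5,
    }

# Constructed stub standing in for a real HTTP client: serves a decoy to
# desktop browsers and a card-harvesting form to mobile ones.
def _stub_fetch(url: str, headers: Dict[str, str]) -> str:
    if "Mobile" in headers.get("User-Agent", ""):
        return ('<html><body><h1>Package on hold</h1><form>'
                '<input name="cardnumber"><input name="cvv">'
                '<input type="password" name="pin"></form></body></html>')
    return "<html><body>404 Not Found</body></html>"

if __name__ == "__main__":
    print(analyze_gating("https://example.invalid/track", _stub_fetch))
```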

Further investigation revealed encrypted communications via Socket.IO, with data obfuscated through Base64 encoding and MD5 hashing, protecting the phishing protocol from prying eyes.
Shockingly, a potential backdoor in the software’s HTTP request handling was identified, allowing unauthorized access to administrative functions, raising questions about developer intent or oversight.
By deobfuscating backend code with tools like Synchrony, researchers activated an unlicensed copy of Magic Cat in a controlled environment, exposing its full capabilities, including license generation and operator dashboards that facilitate real-time victim interaction.
The Darcula operation, linked to a China-based Telegram group, showcases a professional setup with servers, SIM cards, and devices for mass phishing, alongside brazen displays of illicit gains.
Tracing Darcula’s identity through IP addresses, Passive DNS records, and OSINT tools led to connections with Alibaba Cloud VMs, GitHub profiles, and Chinese phone numbers, culminating in a name tied to Telegram document metadata.
This investigation, reported to law enforcement in January 2024 and shared with Norwegian media, underscores the urgent need for collaborative action from financial institutions, tech giants, and mobile operators to combat such pervasive cyber threats. Meanwhile, Darcula’s low-profile mastermind continues to evade full identification while profiting from global deception.