TRENDING TOPICS APR 25, 2025

Update: Darcula PhaaS Platform Evolves with GenAI to Streamline Global Phishing Campaigns 

The Darcula phishing-as-a-service (PhaaS) platform, operated by a threat actor tracked as LARVA-246, has rolled out major updates that integrate generative AI (GenAI) to automate phishing page creation. First exposed in early 2024 for iMessage- and RCS-based smishing campaigns disguised as postal delivery notices, Darcula now lets cybercriminals clone legitimate brand websites and build customized phishing pages with minimal technical skill. The new GenAI feature generates forms, customizes fields, and translates phishing templates into multiple languages on demand, making scalable, localized attacks even easier to run. Researchers believe Darcula operates alongside kits such as Lucid and Lighthouse within the broader China-based Smishing Triad cybercrime ecosystem. The platform's low barrier to entry and mass-market phishing capabilities mark a dangerous shift in how easily threat actors can conduct widespread credential theft. Since March 2024, security researchers have blocked over 90,000 phishing domains, dismantled over 25,000 Darcula-generated pages, and flagged nearly 31,000 related IP addresses. The newest GenAI enhancements, announced on April 23, 2025, increase Darcula's threat potential by removing the need for coding knowledge and significantly shortening the time from phishing page creation to campaign deployment. Darcula's evolution highlights the growing use of automation and AI among cybercriminal groups, which could further accelerate global phishing incidents targeting users through email, SMS, and messaging platforms. With mass phishing now accessible even to novice attackers, the risk of credential harvesting and account takeover campaigns is expected to rise sharply. This development underscores the urgency for organizations to strengthen email security defenses, train users against modern phishing tactics, and closely monitor SMS- and messaging-based threats. 

Zscaler Report Reveals Rise of AI-Driven, Hyper-Targeted Phishing Campaigns 

The Zscaler ThreatLabz 2025 Phishing Report highlights a major shift in phishing tactics, revealing how attackers use generative AI (GenAI) to create highly personalized and convincing scams. By analyzing over two billion blocked phishing transactions from January to December 2024, researchers found that while global phishing volume fell by 20%, cybercriminals pivoted to more targeted, high-impact attacks against HR, finance, and payroll teams. AI-generated emails, texts, and calls are now polished enough that traditional cues (poor grammar, clumsy phrasing) no longer give them away, making them harder to detect and more effective for credential theft. New tactics have also emerged, including vishing attacks, CAPTCHA-masked phishing sites, cryptocurrency wallet scams, and fake AI agent websites designed to steal sensitive data. Despite a decline in phishing attacks targeting the U.S., it remains the top global target, while sectors such as education experienced a 224% surge in attacks attributed to weaker defenses. The 2025 outlook warns that phishing will keep evolving, using AI to bypass both human and technical defenses. The report stresses that phishing is no longer a basic email nuisance but a sophisticated, AI-fueled assault on human trust. Organizations that adopt zero-trust architectures and advanced behavioral monitoring will be better equipped to defend against this new breed of phishing threats. 

Windows Update Bug: 'Inetpub' Folder Creates New Vulnerability Risk 

A recent Microsoft Patch Tuesday update introduced an unintended weakness by creating a system-level 'inetpub' folder on Windows devices, even when Internet Information Services (IIS) was not installed. Microsoft explained that the folder is part of the fix for CVE-2025-21204 and advised that it should not be deleted. Researchers then found that an attacker can abuse it by creating a junction named 'inetpub' that points at a file such as Notepad.exe; the servicing stack expects 'inetpub' to be a real directory, so subsequent Windows updates fail with error code 0x800F081F. Because standard users can by default create folders (and therefore junctions) in the root of C:\, this denial of service against Windows Update requires no administrative privileges. Microsoft has acknowledged the issue and rated it moderate severity, but no immediate fix is planned; updates succeed again once the faulty junction is removed. Our team reviewed this issue after the April Patch Tuesday cycle and confirmed that we had already assessed all vulnerabilities associated with the update, ensuring awareness and tracking for any developments. Although this flaw does not enable privilege escalation or code execution, it can be misused to delay security updates, introducing operational and compliance risks. Organizations should proactively monitor critical system directories for unexpected reparse points and consider tightening permissions so that unauthorized users cannot create entries in sensitive locations. This incident highlights how even defensive security measures can introduce new risks when complex system behaviors are not fully accounted for. 
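As an added example (not Microsoft guidance and not code from the original report), the following PowerShell checks whether 'inetpub' on a host is a plain directory or has been swapped for a junction, reports the junction target, and lists which principals may create items in the root of the system drive. It assumes the default location C:\inetpub and that it is run on the affected Windows host; the helper name Test-InetpubJunction is ours.

```powershell
# Added example: detect whether C:\inetpub has been replaced by a junction.
# Assumes the default path created by the April 2025 update.
function Test-InetpubJunction {
    param([string]$Path = 'C:\inetpub')

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Path = $Path; State = 'Missing'; Target = $null }
    }

    # Junctions and symlinks carry the ReparsePoint attribute; a genuine folder does not.
    $isReparse = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
    if ($isReparse) {
        return [pscustomobject]@{
            Path   = $Path
            State  = "ReparsePoint ($($item.LinkType))"
            Target = ($item.Target -join ';')
        }
    }

    if ($item.PSIsContainer) {
        return [pscustomobject]@{ Path = $Path; State = 'Directory'; Target = $null }
    }
    return [pscustomobject]@{ Path = $Path; State = 'File'; Target = $null }
}

$result = Test-InetpubJunction
$result | Format-List

if ($result.State -like 'ReparsePoint*') {
    Write-Warning "$($result.Path) is a reparse point to '$($result.Target)'; remove it before retrying Windows Update."
    # rmdir deletes only the junction itself. Avoid Remove-Item -Recurse here:
    # on Windows PowerShell 5.1 it can follow the junction into the target.
    # cmd /c rmdir "$($result.Path)"   # uncomment to remove the junction
}

# Who may create entries in the root of the system drive? By default this
# includes Authenticated Users, which is why a standard user can plant the junction.
$root = Split-Path -Qualifier $result.Path
(Get-Acl -LiteralPath "$root\").Access |
    Where-Object { $_.FileSystemRights -match 'AppendData|CreateDirectories|Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run this from an elevated prompt when you intend to remove the junction; the detection part works as a standard user. A 'Directory' result is the expected healthy state; 'ReparsePoint (Junction)' with a file target such as notepad.exe is the condition that breaks the servicing stack.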

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.