Darcula aka. "Magic Cat"
Chinese backed phishing services
– urlscan Threat Research Team
urlscan Pro Report
This is a public version of a report first published as an Intel Report on the urlscan Pro platform. The urlscan Pro version contains a more detailed look into the activity as well as more complex searches to cluster the activity. The urlscan Pro report also benefits from added visibility of Unlisted scans.
The Darcula phishing framework continues to evolve, transitioning from early API-driven roots to a sophisticated “Phishing-as-a-Service” model using encrypted WebSockets and wrapper APIs. Our latest research uncovers the inner workings of Darcula, its expansion into fake e-commerce storefronts via the “NewBee” and “PandaShop” ecosystems, and its persistent targeting of government and financial institutions worldwide. Discover how this Chinese-backed operation maintains a global footprint through advanced domain rotation and localized social engineering lures.
Intel card
- Primary Name: “Darcula”
- Alternative Name: “Magic Cat”
Targeting
Regions: Africa · Asia-Pacific (APAC) · Europe · Latin America · Middle East · North America
| Industries |
|---|
| Postal & Logistics (Dominant) |
| Financial Services & Banking |
| Government & Public Sector |
| Telecommunications |
| Transportation & Travel |
| Utilities & Energy |
| E-commerce & Consumer Services |
| Payments & Fintech |
| Courier Aggregators / Regional Logistics Providers |
Key findings
- Strong presence of financial institutions alongside traditional postal themes, indicating dual-use campaigns (delivery & banking credential theft)
- Continued heavy abuse of government portals across multiple regions (e.g., APAC, Middle East, Europe), often used for tax, fines, or identity pretexts
- High concentration of telecom brands suggests overlap with SIM-based fraud and account takeover workflows
- Regional payment processors and fintech platforms (e.g., PayCity, local banking apps) indicate localization beyond global brands
- Blending of global brands with highly localized entities to increase credibility
- Consistent global backend with region-specific frontend templates, reinforcing scalable PhaaS delivery model
- Sustained dominance of postal/logistics lures, often used as initial access vector before redirecting to financial phishing flows
Darcula is one of the earliest large-scale Chinese-language phishing frameworks observed operating at global scale. The controlling threat actor was located and exposed in a series of public blogs, which led to a decline in the kit’s popularity, but this has not stopped all instances of Darcula.
The platform established many of the operational patterns now commonly seen in Chinese phishing ecosystems, including API-driven phishing services, centralized infrastructure, encrypted client-server communications, and large domain rotation pools.
Although several generations of the framework exist, Darcula v3 remains active today, despite increasing competition from newer phishing services. Analysis of recent urlscan telemetry shows the framework continuing to operate across multiple domains and hosting environments.
Example Darcula version 3 site themed for Taiwanese Government
Darcula Version 1
The earliest observed Darcula deployments relied on multiple exposed HTTP API endpoints. These APIs controlled phishing page behavior and backend communications.
A typical detection method during this period relied on identifying specific API paths combined with front-end JavaScript indicators such as the IMask input library.
One of the more interesting early endpoints was /api/can-active. This endpoint returned authentication and configuration metadata including the template identifier used by the phishing page.
Example response:
```json
{
  "authKey": "za_points@a8b7163a-ed1e-466f-b970-0e44ed458e31",
  "expire": "2023-10-29T00:00:00.000Z",
  "iat": 1697787963
}
```
Source: https://urlscan.io/responses/fd9e9294ee7f78e700779ea9cef7f54e6c14e511b985fca5de0b17fef23c1d77/
Here the value za_points represents the template or theme identifier.
In this earliest stage the framework relied on:
- HTTP APIs controlling the phishing workflow
- WebSocket communications for backend interaction
- Template-driven phishing page generation
These architectural decisions laid the foundation for later versions.
Darcula Version 2
Darcula v2 represented a significant evolution and marked the point where the framework expanded dramatically in usage.
Two major architectural changes were introduced:
- API consolidation into a single meta-wrapper API call
- Encrypted communications between the phishing page and backend
The wrapper API pattern, now common across many Chinese phishing kits, encapsulates internal API calls inside a single externally exposed endpoint.
Two distinct variants appeared in v2: U2 and MC.
Both variants encrypted data using the Rabbit stream cipher, a largely obsolete symmetric cipher that few modern encryption libraries still implement, CryptoJS being the notable exception.
The U2 variant used two separate encryption keys, one for requests and one for responses:
Example API request: posdom.gobposnbe[.]live/api/MC41MzU2NzU3OTc0NTMzODM4
Source: https://urlscan.io/result/0197cd75-b2e9-76e9-83da-c508303c6aed#transactions
Encrypted POST payload: U2FsdGVkX19LKnN7hDtP/kAwjTXh0rOKpEs=
Decrypted payload:
```json
{
  "isBot": false
}
```
Response data contained visitor tracking information:
```json
{
  "result": {
    "id": 1915,
    "domain": "gobposnbe[.]live",
    "ip": "206.66.99.27",
    "ua": "Mozilla/5.0 (Linux; Android 13; SM-A536E)...",
    "data": {},
    "created_at": "2025-04-09T10:38:36.380Z"
  },
  "signId": "..."
}
```
The MC variant used different encryption keys.
Darcula Version 3 - Latest
Darcula v3 represents a structural redesign while preserving key elements of earlier versions:
- Wrapped API architecture
- WebSocket communications
- Rabbit cipher encryption
However, several operational changes were introduced that both improved the framework’s flexibility and created new detection opportunities.
Unlike v2, Darcula v3 uses a single static Rabbit cipher key for both requests and responses.
Example API request: empowersafetybc[.]one/api/f43ea7dd51b7e98b
Source: https://urlscan.io/result/019d560f-8fc4-7425-80e0-9498edb1037d#transactions
The encrypted POST payload decrypts to:
```json
{
  "url": "/api/user/initClient",
  "method": "post",
  "headers": [
    ["Accept", "application/json, text/plain, */*"],
    ["Content-Type", null]
  ],
  "bodyData": [
    {
      "id": 0,
      "isBot": false
    }
  ],
  "requestTime": 1772612807042
}
```
The decrypted data reveals the internal API endpoint being called.
The corresponding response decrypts to:
```json
{
  "id": 4086,
  "domain": "empowersafetybc.one",
  "ip": "190.2.153.226",
  "page": "fidelity-111-副本7",
  "ua": "Mozilla/5.0 (X11; Linux x86_64)...",
  "offline_at": null,
  "updated_at": 1772612807160
}
```
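The encrypted payloads quoted above start with `U2FsdGVkX1`, which is the base64 encoding of the OpenSSL `Salted__` header that CryptoJS emits when a cipher is invoked in passphrase mode. The following Python is an added example for analysts triaging captured Darcula traffic; it is not urlscan tooling or kit code. It assumes the kit calls CryptoJS.Rabbit in passphrase mode (the header is the evidence for that), in which case CryptoJS derives the 16-byte Rabbit key and 8-byte IV from passphrase and salt with EVP_BytesToKey (MD5, one iteration). It splits the envelope, performs that derivation with a placeholder passphrase (the real kit key is not reproduced), and decodes the base64 segment of the v2 request path; the Rabbit keystream itself is deliberately not implemented here.

```python
"""Parse the CryptoJS passphrase-mode envelope seen in Darcula v2/v3 traffic.

Added example, not code from urlscan or from the Darcula kit. Assumption: the
kit uses CryptoJS.Rabbit.encrypt(plaintext, passphrase), whose output is
base64("Salted__" + 8-byte salt + ciphertext) with key/IV derived by
EVP_BytesToKey (MD5, one iteration). The Rabbit cipher is not implemented here.
"""
import base64
import hashlib

SALTED_MAGIC = b"Salted__"   # base64-encodes to the "U2FsdGVkX1" prefix
RABBIT_KEY_BYTES = 16        # CryptoJS Rabbit keySize = 128 bits
RABBIT_IV_BYTES = 8          # CryptoJS Rabbit ivSize = 64 bits


def parse_cryptojs_envelope(b64_payload: str) -> dict:
    """Split a base64 CryptoJS payload into its salt and ciphertext body.

    Raises ValueError when the payload lacks the Salted__ header, which is
    itself useful triage information: raw-key CryptoJS usage has no header.
    """
    raw = base64.b64decode(b64_payload)
    if raw[:8] != SALTED_MAGIC:
        raise ValueError("not a CryptoJS Salted__ envelope")
    return {"salt": raw[8:16], "body": raw[16:]}


def evp_bytes_to_key(passphrase: bytes, salt: bytes, length: int) -> bytes:
    """OpenSSL EVP_BytesToKey as CryptoJS implements it (MD5, 1 iteration).

    D_1 = MD5(pass || salt), D_i = MD5(D_{i-1} || pass || salt); the digests
    are concatenated until `length` bytes are available.
    """
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:length]


def derive_rabbit_key_iv(passphrase: str, salt: bytes) -> tuple:
    """Return (key, iv): 16 key bytes followed by 8 IV bytes, CryptoJS order."""
    material = evp_bytes_to_key(
        passphrase.encode(), salt, RABBIT_KEY_BYTES + RABBIT_IV_BYTES
    )
    return material[:RABBIT_KEY_BYTES], material[RABBIT_KEY_BYTES:]


def decode_v2_api_path(path: str) -> str:
    """Darcula v2 request paths carry a base64 segment after /api/."""
    segment = path.rsplit("/", 1)[-1]
    padded = segment + "=" * (-len(segment) % 4)
    return base64.b64decode(padded).decode()


if __name__ == "__main__":
    # Encrypted v2 POST body quoted in the report.
    env = parse_cryptojs_envelope("U2FsdGVkX19LKnN7hDtP/kAwjTXh0rOKpEs=")
    print("salt:", env["salt"].hex(), "ciphertext bytes:", len(env["body"]))
    # Placeholder passphrase; the real kit key is not reproduced here.
    key, iv = derive_rabbit_key_iv("PLACEHOLDER_KIT_PASSPHRASE", env["salt"])
    print("key:", key.hex(), "iv:", iv.hex())
    print("v2 path segment:", decode_v2_api_path("/api/MC41MzU2NzU3OTc0NTMzODM4"))
```

Run it on any captured body: a `ValueError` means the sample is not CryptoJS passphrase mode and the key derivation step does not apply. The v2 path segment from the report decodes to the decimal string `0.5356757974533838`, so the "random-looking" v2 endpoint is simply base64 and can be normalised before clustering.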
Another new feature of Darcula v3 is its use of encrypted browser storage values.
The framework stores data in browser storage using hex-encoded key names, with values encrypted via Rabbit.
This storage data appears to track:
- visitor session identifiers
- phishing workflow state
- card data collection progress
- navigation state within the phishing kit
Darcula Fake Shop
Whilst investigating Darcula v3 endpoints the urlscan Threat Research Team identified a small number of unusual scans.
Example Darcula Shop site
The scan is notable because the screenshot shows a fish shop page (https://urlscan.io/result/019774a7-26b9-73bb-97eb-aef2abe20a23).
The page appears to follow the Darcula structural pattern but includes a unique API endpoint: /api/a5025f2ed07bef1f.
The request and response payloads are encrypted with Rabbit in the same way as Darcula v3, confirming these are operated by the same group. Rather than impersonating legitimate brands as standard phishing pages do, these pages are fake online shops that steal a victim’s payment card information through the sham sale of goods.
Darcula isn’t unique in having multiple scam setups built to interact with the framework. The Darcula fake shops are a whole new cluster of malicious pages linked to the framework.
The site has two notable JavaScript variables: darcula_call_submit and darcula_call_purchase. While darcula_call_purchase appears unique to a specific shop implementation, the variable darcula_call_submit is far more widespread within Darcula sites.
Searching for the JavaScript variable name returns tens of thousands of scans, indicating a large cluster of fake storefronts built on the same underlying framework.
Additional pivoting reveals that many of these sites load a shared script named /loadDarcula.js.
Across multiple scans, these fake stores consistently load resources from several external domains in addition to legitimate third-party services. Notably, many also reference an additional actor-controlled domain functioning similarly to a CDN for hosting malicious JavaScript and page assets.
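The indicators described in the last few paragraphs (the v3 wrapper API path, CryptoJS passphrase-mode ciphertext, hex-encoded browser storage keys, the `darcula_call_submit` variable and the shared `/loadDarcula.js` script) can be turned into a simple triage pass over scan data. The Python below is an added example, not urlscan's own detection logic; the record layout (`requests`, `scripts`, `storage_keys`) and the sample records are constructed for the example, the 16-character minimum for a "hex" storage key is an assumed heuristic, and the verdict rules are this example's own.

```python
"""Triage scan records for Darcula v3 and Darcula fake-shop indicators.

Added example, not urlscan tooling or kit code. Record fields and sample
records are constructed; the verdict rules are this example's own.
"""
import re

# Indicators taken from the report.
V3_WRAPPER_API = re.compile(r"/api/[0-9a-f]{16}$")      # e.g. /api/f43ea7dd51b7e98b
CRYPTOJS_SALTED_PREFIX = "U2FsdGVkX1"                   # base64 of "Salted__"
HEX_STORAGE_KEY = re.compile(r"^[0-9a-f]{16,}$")        # length threshold: assumption
FAKE_SHOP_MARKERS = ("darcula_call_submit", "darcula_call_purchase", "/loadDarcula.js")


def find_indicators(scan: dict) -> list:
    """Return the list of indicator tags that fire for one scan record."""
    hits = []
    for req in scan.get("requests", []):
        path = req["url"].split("?", 1)[0]
        if V3_WRAPPER_API.search(path):
            hits.append("wrapper-api:" + path)
        if req.get("body", "").startswith(CRYPTOJS_SALTED_PREFIX):
            hits.append("cryptojs-salted-body")
    for script in scan.get("scripts", []):          # script URLs or inline source
        for marker in FAKE_SHOP_MARKERS:
            if marker in script:
                hits.append("marker:" + marker)
    hex_keys = [k for k in scan.get("storage_keys", []) if HEX_STORAGE_KEY.match(k)]
    if hex_keys:
        hits.append("hex-storage-keys:%d" % len(hex_keys))
    return hits


def classify(hits: list) -> str:
    """Verdict rules (this example's own): fake-shop markers are the most
    specific signal, then wrapper API plus CryptoJS body together point at v3."""
    has_api = any(h.startswith("wrapper-api:") for h in hits)
    has_salted = "cryptojs-salted-body" in hits
    has_marker = any(h.startswith("marker:") for h in hits)
    if has_marker:
        return "darcula-fake-shop"
    if has_api and has_salted:
        return "darcula-v3"
    if hits:
        return "suspicious"
    return "clean"


def triage(scans: list) -> list:
    """Attach indicators and a verdict to every scan record."""
    return [dict(scan, hits=find_indicators(scan), verdict=classify(find_indicators(scan)))
            for scan in scans]


# Constructed sample records (domains and paths from the report; bodies and
# storage keys are made up for the example).
SAMPLE_V3 = {
    "id": "sample-v3",
    "requests": [{"url": "https://empowersafetybc.one/api/f43ea7dd51b7e98b",
                  "body": "U2FsdGVkX1+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}],
    "scripts": ["https://empowersafetybc.one/static/app.js"],
    "storage_keys": ["7a6b3f1c9d2e4b5a", "3c2d1e0f9a8b7c6d5e4f"],
}
SAMPLE_SHOP = {
    "id": "sample-shop",
    "requests": [{"url": "https://shop.example.invalid/api/a5025f2ed07bef1f",
                  "body": "U2FsdGVkX1+BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="}],
    "scripts": ["https://cdn.example.invalid/loadDarcula.js",
                "var darcula_call_submit = function(){};"],
    "storage_keys": [],
}
SAMPLE_BENIGN = {
    "id": "sample-benign",
    "requests": [{"url": "https://www.example.com/api/v1/status", "body": "{}"}],
    "scripts": ["https://www.example.com/main.js"],
    "storage_keys": ["theme", "consent"],
}

if __name__ == "__main__":
    for result in triage([SAMPLE_V3, SAMPLE_SHOP, SAMPLE_BENIGN]):
        print(result["id"], result["verdict"], result["hits"])
```

The wrapper-API pattern alone is a weak signal (many legitimate APIs use opaque identifiers), which is why the rules only raise a v3 verdict when the encrypted CryptoJS body is present on the same request.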
Using the fake fish store as an example, the domain aumiy[.]shop is observed serving JavaScript source code to the storefront.
Pivoting on this domain leads to an interesting discovery https://urlscan.io/result/01957146-3d37-7aa2-aa1f-b6f381a330df: an administrative interface for a system labelled “NewBee system”, with the Chinese title “后台管理系统” (“Backend Management System”). This panel appears to be part of the backend infrastructure used to manage fake shop deployments.
Example NewBee System admin login page
When a license for the system expires, the API returns a Chinese language error message: `{"code":9088,"msg":"许可证过期,请去saas平台查看商户状态"}` (“License expired, please check the merchant status on the SaaS platform”).
Significant overlap also exists between NewBee System and another Chinese fake shop framework known as PandaShop. Panels using PandaShop themes often load assets such as `/assets/panda_login.*.js` and `/assets/panda_login.*.css`.
Example PandaShop admin login page
Despite the PandaShop-themed frontend, many panels still expose backend /api/index/config API responses referencing “NEWBEE SYSTEM” in their configuration data, strongly suggesting the two frameworks share underlying infrastructure or codebases.
```json
{
  "code": 200,
  "msg": "成功", // success
  "language": null,
  "sessionId": null,
  "config": null,
  "data": {
    "loginCaptcha": false,
    "webName": "PANDA SYSTEM",
    "webLogo": "http://pruqdh.abackendsystem[.]com/api/static/backend_logo.png",
    "webFavicon": "http://pruqdh.abackendsystem[.]com/api/static/backend_favicon.ico",
    "webBackdrop": "http://pruqdh.abackendsystem[.]com/api/static/backend_backdrop.png",
    "ossDomain": "http://pruqdh.abackendsystem[.]com/",
    "copyright": [
      {
        "name": "NEWBEE SYSTEM",
        "link": "http://www.beian.gov.cn"
      }
    ]
  }
}
```
Infrastructure analysis further supports this relationship. The host 43.135.133.79 has only four domains at the time of writing:
- newpandasystem[.]com
- x2882x[.]com
- saas.newpandashop[.]com
- saas.newbeesystem[.]com
The naming overlap between NewBee and PandaShop strongly suggests that these platforms are closely related, potentially representing different branding or versions of the same fake shop PhaaS ecosystem. While the exact relationship between this ecosystem and the Darcula phishing framework remains unclear, the shared artifacts and infrastructure suggest at least partial operational overlap between these threat actor toolsets.
Darcula played a foundational role in shaping the modern Chinese phishing ecosystem. Its early adoption of API-driven phishing workflows, encrypted communications, and centralized infrastructure influenced many phishing kits that followed.
While earlier versions demonstrated rapid innovation, including encrypted wrapper APIs and domain configuration leakage, Darcula v3 remains operational today, continuing to deploy phishing infrastructure using the same architectural model.
Despite newer phishing frameworks competing in the same ecosystem, Darcula v3 continues to appear regularly in urlscan submissions, suggesting that the platform still maintains a meaningful presence in the broader phishing landscape.
Darcula is a very popular and wide-reaching kit with a huge number of templates. So far the following templates have been observed:
- Banking & Financial Services
  - Fidelity Investments - https://urlscan.io/result/019d560f-8fc4-7425-80e0-9498edb1037d
  - Banco Promerica - https://urlscan.io/result/019d2e48-9371-75fc-b8bb-5b83fe0f42d0
- Government Services
  - Hong Kong Government - https://urlscan.io/result/019d71e3-d2d7-7185-9859-f7c19f9da767
  - Government of Taiwan - https://urlscan.io/result/019d718c-f18a-737c-86cd-dff2d1fe2274
  - Portuguese Government - https://urlscan.io/result/019a93e3-6a31-77dd-8e6a-ff0b1da540e9
More on urlscan Pro
If you want to learn about the urlscan Pro platform and how it might be valuable for your organization feel free to reach out to us! We offer free trials with no strings attached. We would be happy to give you a passionate demo of what our platform can do for you. Reach out to us at sales@urlscan.io.