LARVA-246
LARVA-246 is the threat actor codename that PRODAFT attributes to the Darcula phishing-as-a-service (PhaaS) platform. Darcula is used for smishing and phishing campaigns and has been advertised for sale via the Telegram channel “xxhcvv / darcula_channel.” Reported Darcula capabilities include use of Apple iMessage and RCS for smishing, lures impersonating postal services such as USPS, and updates that added generative AI features to reduce the skill required to create phishing pages. These features reportedly include multi-language phishing form generation, form field customization, translation into local languages, and an update that allowed customers to clone legitimate brand websites to create phishing versions. PRODAFT also reported that Darcula shares identical features and templates with another PhaaS referred to as Lucid. Netcraft assessed that Darcula, along with Lucid and Lighthouse, is part of a loosely connected China-based cybercrime ecosystem associated with the financially motivated “Smishing Triad,” which mass-targets individuals globally through SMS-based phishing attacks.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.