Group-IB Uncovers Surge in ”Darcula” Phishing Attacks Targeting Middle East Logistics in 2026

A new investigation by Group-IB, a global leader in cybersecurity, has identified an alarming rise in sophisticated "parcel tracking" scams across the Middle East and Africa. Between December 2025 and February 2026, Egypt and South Africa emerged as primary targets for coordinated campaigns leveraging the Darcula phishing-as-a-service (PhaaS) platform. This sophisticated infrastructure utilizes over 20,000 fake domains and 200 templates to impersonate trusted postal and logistics brands.

The technical analysis reveals a dangerous evolution in data theft: the use of WebSockets for real-time keystroke logging. This allows attackers to capture card details, CVV numbers, and One-Time Passwords (OTP) the moment a victim types them into a spoofed site. By hijacking legitimate SMS gateways, scammers interject fraudulent messages into authentic official chat threads, making detection nearly impossible for the average user. Group-IB warns that as global shipments exceed 161 billion annually, "delivery anxiety" has become the preferred weapon for digital criminals.