Tadeáš Hájek
Whalebone Threat Intelligence Analyst
Another month, another phishing campaign. Cybercriminals do not slow down and certainly do not run out of ideas, particularly in the age of AI-powered threats. In this campaign, the “innovation” is not a new technique, but rather the large-scale use of familiar ones: impersonate as many brands as possible and target as many users as possible.
Since early 2026, Whalebone Threat Intelligence has been intercepting a large number of phishing sites impersonating popular delivery services, predominantly targeting European consumers. Similar to campaigns observed in previous years, these phishing sites are distributed via smishing messages and aim to steal payment-related information.
During the first half of April 2026 alone, we intercepted over 1,000 newly registered phishing domains, more than 700 of which were first blocked by Whalebone.
Sources for the phishing message screenshots: Sydnyt.dk, Reddit, Sakerhetskollen.se
Such smishing messages, often delivered via iMessage or RCS (Rich Communication Services), were being reported by users online across Europe at the same time that our routine monitoring was recording signs of a coordinated phishing campaign.
Dozens of domains initially uncovered shared the same pattern: a scrambled domain name incorporating the impersonated courier brand, phishing content delivered on a secondary URL path, and nearly identical message content repackaged for a specific delivery company and country, centered on rescheduling parcel delivery.
To illustrate the attack flow, consider the domain daodas[.]icu, impersonating the Danish courier company Dansk Avis Omdeling (DAO).
Following the link leads to a website closely resembling the legitimate DAO interface. The user is prompted to reschedule delivery for a non-existent parcel using a fabricated tracking number.
“We have attempted to deliver your package 588973870. Unfortunately, the package could not be delivered because your mailbox was full or unavailable. Please select a new delivery option to receive your package.”
Unsuspecting users, particularly those already expecting a parcel, may proceed with the rescheduling flow. When opened on a mobile device, the selected domain, daodas[.]icu, more closely resembles the legitimate DAO domain, which is likely significant given that victims most often access the phishing site via a mobile-delivered smishing message.
Once the user clicks “REDIRECT PACKAGE NOW,” the phishing process unfolds in several steps:
DAO Denmark serves as just one example. The campaign spans a wide range of organizations across Europe, including courier services in Sweden, the Netherlands, Portugal, Spain, Germany, the Czech Republic, Greece, Switzerland, and the United Kingdom.
Beyond delivery services, similar schemes are used to impersonate:
These often rely on alternative lures, such as expiring reward points.
The observed tactics closely match public reporting on the Darcula / Magic Cat phishing kit. This Phishing-as-a-Service (PhaaS) platform provides ready-made tools that allow even low-skilled operators to deploy phishing campaigns at scale.
Key characteristics include:
All of these elements were present in the analyzed samples.
At the time of writing, we have observed hundreds of domains impersonating the DAO delivery service, and thousands more targeting other courier services and business entities.
Many of these domains were registered on AS132203 (Tencent Building, Kejizhongyi Avenue, China), with entire IP addresses appearing dedicated to phishing activity. For example, one observed IP address, 43.157.122.86, hosted 213 domains between November 2025 and April 2026, all associated with current or earlier waves of courier-themed phishing. Some domains were also observed behind Cloudflare or hosted by smaller ISPs.
Domain names are intentionally designed to resemble the targeted courier service. In the case of DAO Denmark, domains often include both “dao” and “as,” or slight variations such as daoas[.]icu, daoaso[.]sbs, or dao-pakke[.]shop. In other cases, the courier brand appears in a subdomain, while the registered domain begins with a TLD-like string, such as dao.as-nfd[.]top. In most cases, low-trust TLDs such as .cyou, .icu, or .sbs are used. Similar naming patterns were observed across multiple impersonated brands.
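The naming and hosting patterns described above lend themselves to a simple triage heuristic. The following is an added example, not Whalebone's tooling or anything from the kit: it refangs candidate indicators, scores each domain for brand keywords in the registered label or in a subdomain, a TLD-like string opening the registered label, and a low-trust TLD, then pivots on passive-DNS records to find IPs hosting many flagged names. The brand keyword table, the TLD lists, the scoring weights and the passive-DNS records are constructed assumptions; the IP addresses are TEST-NET ranges, not the address named in this post.

```python
"""Added example (not Whalebone's tooling): triage candidate domains for
courier-lookalike naming and pivot on hosting concentration. Brand keywords,
TLD lists, weights and the passive-DNS sample below are constructed assumptions."""
from collections import defaultdict

# Assumed brand keyword table: keyword -> impersonated courier
BRANDS = {"dao": "Dansk Avis Omdeling (DK)"}
# TLDs the post names as low-trust (.cyou, .icu, .sbs) plus those in its examples (.top, .shop)
LOW_TRUST_TLDS = {"cyou", "icu", "sbs", "top", "shop"}
# Two-letter strings that read like a ccTLD when they open the registered label (assumed list)
TLD_LIKE_PREFIXES = {"as", "dk", "se", "nl", "de", "cz"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as daoas[.]icu back into a normal domain name."""
    return indicator.replace("[.]", ".").strip().lower().strip(".")


def split_domain(fqdn: str):
    """Naive split into (subdomain, registered label, tld); ignores multi-part suffixes like co.uk."""
    labels = fqdn.split(".")
    if len(labels) < 2:
        return "", fqdn, ""
    return ".".join(labels[:-2]), labels[-2], labels[-1]


def score_domain(indicator: str) -> dict:
    """Score one domain; each matched reason adds weight and a score >= 3 is flagged for review."""
    fqdn = refang(indicator)
    sub, sld, tld = split_domain(fqdn)
    sub_labels = set(sub.split(".")) if sub else set()
    reasons, score = [], 0
    for kw, brand in BRANDS.items():
        if kw in sld:  # scrambled registered label: daoas, daoaso, dao-pakke
            reasons.append(f"brand keyword '{kw}' in registered label ({brand})")
            score += 2
        elif kw in sub_labels:  # brand pushed into a subdomain: dao.as-nfd.top
            reasons.append(f"brand keyword '{kw}' as subdomain ({brand})")
            score += 2
            if any(sld.startswith(p) for p in TLD_LIKE_PREFIXES):
                reasons.append(f"registered label '{sld}' opens with a TLD-like string")
                score += 1
    if tld in LOW_TRUST_TLDS:
        reasons.append(f"low-trust TLD .{tld}")
        score += 1
    return {"domain": fqdn, "score": score, "flagged": score >= 3, "reasons": reasons}


def hosting_concentration(records, min_domains: int = 3) -> dict:
    """Group passive-DNS (domain, ip) pairs by IP and return IPs hosting >= min_domains names."""
    by_ip = defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(refang(domain))
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_domains}


# Constructed passive-DNS sample; domain-to-IP pairings are illustrative only.
SAMPLE_RECORDS = [
    ("daoas[.]icu", "192.0.2.10"),
    ("daoaso[.]sbs", "192.0.2.10"),
    ("dao-pakke[.]shop", "192.0.2.10"),
    ("dao.as-nfd[.]top", "192.0.2.10"),
    ("example.com", "203.0.113.10"),      # constructed control: no brand keyword, common TLD
    ("dao.as", "198.51.100.5"),           # constructed control: brand keyword on a normal TLD
]


def triage(records, min_domains: int = 3) -> dict:
    """Combine both views: which names look like lookalikes, and which IPs concentrate them."""
    flagged = [r for r in (score_domain(d) for d, _ in records) if r["flagged"]]
    return {"flagged": flagged, "dense_ips": hosting_concentration(records, min_domains)}


if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    for r in result["flagged"]:
        print(f"{r['domain']:<18} score={r['score']}  " + "; ".join(r["reasons"]))
    for ip, names in result["dense_ips"].items():
        print(f"{ip} hosts {len(names)} candidate domains: {', '.join(names)}")
```

The control entries show the intended behaviour of the weights: a brand keyword alone scores 2 and stays below the review threshold, so a brand's own domain on an ordinary TLD is not flagged, while the same keyword combined with a low-trust TLD or a subdomain placement crosses it. The split is deliberately naive (a real implementation would use the public suffix list), and the keyword match is a triage signal, not a verdict.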
In the DAO phishing example, payment authentication and PII harvesting are handled via the JavaScript file index-c6dcb135.js. The script contains dedicated views for phone number capture, address capture, payment card capture, custom OTP and dynamic validation pages, fake banking app approval pages, and a success page.
The page first initializes a victim session by calling the backend API and receiving both a session token and a server-side configuration blob. This configuration determines which verification screens can be displayed later, including OTP, PIN, and app approval pages. From there, the site captures data field by field as the victim types, allowing the operator to receive partial data immediately, even if the victim does not complete the full form.
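Capturing data field by field leaves a distinctive traffic shape: a run of small POST requests from one client to one endpoint within seconds, unlike a normal form that posts once. The following added detection example (not from the post, the kit, or Whalebone) flags that shape in web-proxy logs. The log format, hostnames, paths, sizes and timings are constructed; the thresholds are assumptions to tune per environment.

```python
"""Added detection example: flag client sessions that stream many small POSTs to
one endpoint in quick succession, the traffic shape of field-by-field capture.
Log format, hosts, paths, sizes and timings below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: timestamp client method host path request_bytes
SAMPLE_LOG = """\
2026-04-10T09:12:01 10.0.0.5 GET daoas.icu /track 0
2026-04-10T09:12:02 10.0.0.5 POST daoas.icu /api/init 96
2026-04-10T09:12:05 10.0.0.5 POST daoas.icu /api/field 141
2026-04-10T09:12:07 10.0.0.5 POST daoas.icu /api/field 152
2026-04-10T09:12:09 10.0.0.5 POST daoas.icu /api/field 160
2026-04-10T09:12:12 10.0.0.5 POST daoas.icu /api/field 158
2026-04-10T09:12:14 10.0.0.5 POST daoas.icu /api/field 171
2026-04-10T09:12:18 10.0.0.5 POST daoas.icu /api/field 175
2026-04-10T09:13:40 10.0.0.9 GET shop.example /cart 0
2026-04-10T09:13:55 10.0.0.9 POST shop.example /checkout 2410
2026-04-10T09:20:00 10.0.0.9 POST shop.example /checkout 2380
"""


def parse_line(line: str) -> dict:
    """Parse one constructed log line into its fields."""
    ts, client, method, host, path, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host, "path": path, "size": int(size)}


def find_field_capture(log_text: str, min_posts: int = 5, window_s: int = 30,
                       max_body: int = 512) -> list:
    """Return one finding per (client, host, path) whose densest window_s-second window
    holds >= min_posts POSTs of at most max_body bytes. GETs and large single submissions
    (an ordinary checkout form) never qualify."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] == "POST" and rec["size"] <= max_body:
            posts[(rec["client"], rec["host"], rec["path"])].append(rec["ts"])

    window = timedelta(seconds=window_s)
    findings = []
    for (client, host, path), times in posts.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_posts:
            findings.append({"client": client, "host": host, "path": path,
                             "posts_in_window": best, "window_s": window_s})
    return findings


if __name__ == "__main__":
    for f in find_field_capture(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}{f['path']}: "
              f"{f['posts_in_window']} small POSTs within {f['window_s']}s")
```

This relies on the proxy recording request sizes, which for HTTPS means a TLS-terminating proxy or endpoint telemetry; without that, the same burst pattern is still visible as request counts per destination. Pair the finding with the domain-scoring view to decide whether the destination itself looks like a courier lookalike.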
After card details are entered, the page can move the victim into one of several server-controlled verification paths designed to intercept the authentication step. The intercepted API response defines several such methods for the Danish variant:
Several backend template labels and internal strings contained Chinese-language text, indicating that the phishing kit or parts of its template set were likely developed, customized, or reused within a Chinese-speaking operator or reseller ecosystem.
Similar country-specific verification methods, including localized language variants, common authentication workflows, and references to major domestic banks, were observed across other analyzed sites impersonating European companies.
Snippet of the HTTP response with pre-defined fraudulent authentication
In addition, the analyzed JavaScript code contained repeated references to darcula-teleport-page in multiple authentication-related views, which further supports the assessment of a Darcula-family / Magic Cat lineage.
It remains unclear whether this campaign is operated by a single organized criminal group or by multiple groups using the same PhaaS kit simultaneously. While the use of an identical, or at least closely related, PhaaS kit is evident, we observed minor differences in infrastructure choices and content delivery structure, including the ASN used, phishing domain naming patterns, brand name placement (for example in a subdomain or second-level domain), and secondary URL path structure.
While the underlying scam pattern remains similar to earlier delivery-themed phishing campaigns, this wave stands out for its scale, the number of impersonated services, and the continued refinement of localized phishing templates. In particular, the analyzed samples show country-specific adaptations down to the level of fraudulent MFA workflows, including locally relevant language, domestic bank references, and tailored verification methods.
At the time of writing, dozens of new phishing domains targeting European users continue to emerge each day. While Whalebone cannot prevent fraudulent SMS messages from being delivered, we are proactively intercepting and blocking these domains to help ensure our users remain protected at the DNS level.
Across the networks we protect, more than 30B threats were blocked last year. The way these threats evolved shows how quickly attackers are adapting.