A new development in the Dark Caracal hacking group's activity shows that it is transitioning to new malicious software in an espionage effort targeting Latin American citizens.
Researchers reported discovering 483 copies of Poco RAT on networks, mainly in Venezuela, the Dominican Republic, and Chile, between June 2024 and February. Moreover, they found that Poco RAT resembles Bandook, Dark Caracal’s trademark virus.
These investigations discovered 355 Bandook cases between February 2023 and September 2024, so the Poco RAT detections represent a significant rise. The findings suggest that the group, which is thought to operate as a mercenary gang conducting espionage and financially motivated hacks for hire, may be replacing its previous malware.
Dark Caracal group’s new malware reaches its victims through phishing emails that pose as legitimate institutions.
According to reports, the Dark Caracal group’s most recent Poco RAT attack was executed through phishing emails imitating financial institutions and commercial service providers.
Victims received emails informing them of unpaid invoices, including attachments that appeared to be legitimate documents. Once recipients accessed the files, they were routed to websites that initiated an automatic malware download from legitimate cloud storage services.
Poco RAT is a credential-stealing remote access trojan that allows its operators to spy on victims, run commands, and install further software. It has been used since 2022, primarily targeting Latin America’s mining, manufacturing, and hotel sectors.
However, this is the first time researchers have linked this malware to the Dark Caracal outfit.
The researchers noted that campaigns related to Bandook and Poco RAT share important characteristics, such as the use of blurred decoy documents, link-shortening services, and genuine cloud storage for payload distribution.
Furthermore, the group has been linked to various data theft campaigns in at least two dozen nations, mainly targeting activists, journalists, government institutions, military organisations, and corporations.
The group’s attack methodology has remained similar, using custom-built tools unavailable to other cybercriminals. Lastly, the discovery of the group’s decoy documents and impersonated industries in its most recent campaign confirms that its activities are not just for espionage but also financially motivated.
