Full Report
Dark Caracal, a group suspected of cyber mercenary activities, appeared to shift to a new espionage tool in a campaign aimed at Latin American targets, according to researchers.
Analysis Summary
# Threat Actor: Dark Caracal
## Attribution & Identity
**Attribution:** Dark Caracal.
**Known Aliases and Associations:** The group has a history of using the malware **Bandook**. (Note: The reporting firm, Positive Technologies, has been sanctioned by the U.S. and EU over alleged ties to Russian intelligence, but this is not an attribution of the threat actor itself.)
## Activity Summary
Dark Caracal is shifting from its signature malware, **Bandook**, to using **Poco RAT** in an ongoing espionage campaign. Researchers detected 483 samples of Poco RAT between June 2024 and February across victims in Latin America. This marks an observed replacement of Bandook, of which 355 cases were detected between February 2023 and September 2024. The group is believed to operate as a mercenary group conducting espionage and financially motivated hacks for hire.
## Tactics, Techniques & Procedures
- **Initial Access:** Used phishing emails impersonating financial institutions and business service providers, notifying victims of overdue invoices.
- **Payload Delivery:** Attachments in phishing emails look like official documents, redirecting users to links that trigger an automatic malware download from legitimate cloud storage services (a trait shared with previous Bandook campaigns).
- **Execution & Control:** Utilizes the **Poco RAT** (a credential-harvesting remote access trojan) to spy on victims, execute commands, and install additional malware.
- **Evasion:** Campaigns share key traits, including the use of blurred decoy documents and link-shortening services, making operations harder to detect.
- **Consistency:** Attack methodology has remained consistent over the years, relying on custom-built tools.
## Targeting
- **Sectors:** Mining, Manufacturing, and Hospitality sectors. Government institutions, military organizations, activists, journalists, and general businesses have been targeted historically.
- **Geography:** Primarily targeting Latin America, with specific detections noted in **Venezuela**, the **Dominican Republic**, and **Chile**. Historically linked to successful data exfiltration in nearly two dozen countries.
- **Impersonated organizations:** Financial institutions and business service providers were impersonated in the phishing lures (these are the brands spoofed, not the victims themselves).
## Tools & Infrastructure
- **Malware families used:** **Poco RAT** (newer tool used since 2022), **Bandook** (signature older malware).
- **Infrastructure (C2, domains, IPs):** Utilizes **legitimate cloud storage services** for payload distribution.
## Implications
Dark Caracal is an adaptive, financially motivated threat actor. The migration to Poco RAT suggests an effort to maintain operational security and evade detection, especially given the RAT's credential-harvesting capabilities. The simultaneous presence of espionage and financial motives suggests a broad mandate for their mercenary activities.
## Mitigations
- Implement robust email filtering to detect sophisticated phishing lures, especially those impersonating financial/business providers.
- Scrutinize links that point to legitimate cloud storage services, particularly when they deliver unsolicited downloads.
- Enhance detection capabilities for credential-harvesting RATs like Poco RAT.
- Maintain strong defensive posture against custom-built tools by focusing on behavioral analysis rather than relying solely on signatures.
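The delivery chain described under Tactics, Techniques & Procedures (invoice-themed lures impersonating financial or business providers, link-shortener URLs, and payloads pulled from legitimate cloud storage) and the first three mitigations above can be turned into a simple mail-triage scorer. The following is an added example written for this page; it is not code from Positive Technologies or from the report, and the shortener and cloud-storage host lists, the brand-to-domain map, the scoring weights and the sample emails are all constructed assumptions, since the report names no specific services.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

# Assumed lists for this example: the report does not name the services used.
LINK_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
CLOUD_STORAGE_HOSTS = {"drive.google.com", "dropbox.com", "www.dropbox.com",
                       "onedrive.live.com", "1drv.ms", "mega.nz"}
# Overdue-invoice lure vocabulary (English plus Spanish, given the Latin American targeting).
INVOICE_TERMS = re.compile(r"\b(overdue|invoice|factura|pago pendiente|vencid[ao])\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
DOC_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?)$", re.I)


@dataclass
class Email:
    sender_display: str
    sender_addr: str
    subject: str
    body: str
    attachment_names: List[str] = field(default_factory=list)


@dataclass
class Finding:
    score: int
    reasons: List[str]


def _host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _matches_host(host: str, hosts: set) -> bool:
    # Exact match or subdomain of a listed host.
    return any(host == h or host.endswith("." + h) for h in hosts)


def score_email(msg: Email, brand_domains: Dict[str, str]) -> Finding:
    """Score one message against the lure traits described in the report.

    brand_domains maps a brand name as it would appear in a display name to the
    domain that brand legitimately sends from (assumed values in the test below).
    """
    score, reasons = 0, []

    # 1. Display name claims a known brand but the sending domain is not that brand's.
    sender_domain = msg.sender_addr.rsplit("@", 1)[-1].lower()
    for brand, domain in brand_domains.items():
        claims_brand = brand.lower() in msg.sender_display.lower()
        legit = sender_domain == domain or sender_domain.endswith("." + domain)
        if claims_brand and not legit:
            score += 3
            reasons.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    # 2. Overdue-invoice theme in subject or body.
    if INVOICE_TERMS.search(msg.subject) or INVOICE_TERMS.search(msg.body):
        score += 1
        reasons.append("overdue-invoice lure theme")

    # 3. URLs through link shorteners or pointing at cloud storage hosts.
    for url in URL_RE.findall(msg.body):
        host = _host_of(url)
        if _matches_host(host, LINK_SHORTENERS):
            score += 2
            reasons.append(f"link-shortener URL: {host}")
        if _matches_host(host, CLOUD_STORAGE_HOSTS):
            score += 2
            reasons.append(f"download from cloud storage host: {host}")

    # 4. Document-looking attachment carrying the invoice theme in its name.
    for name in msg.attachment_names:
        if DOC_EXT_RE.search(name) and INVOICE_TERMS.search(name):
            score += 1
            reasons.append(f"invoice-themed document attachment: {name}")

    return Finding(score, reasons)


def verdict(finding: Finding) -> str:
    # Thresholds are arbitrary choices for this example; tune them to local false-positive tolerance.
    if finding.score >= 5:
        return "quarantine"
    if finding.score >= 2:
        return "flag"
    return "allow"


if __name__ == "__main__":
    # Constructed sample: a lure matching the report's description.
    lure = Email("Example Bank Billing", "billing@example-bank-notices.test",
                 "Overdue invoice #4471",
                 "Your payment is overdue. Review the invoice: https://bit.ly/x9q2 "
                 "or download it here: https://drive.google.com/uc?export=download&id=ABC",
                 ["Invoice-4471.pdf"])
    f = score_email(lure, {"Example Bank": "example-bank.test"})
    print(verdict(f), f.score, f.reasons)
```

Only the first three checks depend on message content that an email gateway already parses; the brand map is the one input a defender has to maintain, and it pays off because the report's lures depend on the recipient trusting a familiar financial or business-services name.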