Exposed: Dark Caracal’s Sophisticated Espionage Campaign Targets Latin American Businesses with Poco RAT

# Dark Caracal Deploys Poco RAT in Latin American Cyber Espionage Campaign

Cybersecurity researchers at Positive Technologies have identified the threat actor Dark Caracal as responsible for deploying Poco RAT, a sophisticated remote access trojan targeting Spanish-speaking users across Latin America in 2024.

The malware, described as having a “full suite of espionage features,” enables attackers to upload files, capture screenshots, execute commands, and manipulate system processes on compromised systems.

## Campaign Details

Initially documented by Cofense in July 2024, the attacks primarily target organizations in the mining, manufacturing, hospitality, and utilities sectors. The campaign uses finance-themed phishing lures to initiate a multi-step infection process.

Positive Technologies identified tradecraft similarities with Dark Caracal, an APT group active since at least 2012 and previously known for malware families like CrossRAT and Bandook. In 2021, the group conducted the “Bandidos” campaign, which deployed Bandook against Spanish-speaking countries in South America.

## Attack Methodology

The current attacks continue to focus on Spanish-speaking users through phishing emails containing invoice-related themes with malicious attachments. Analysis indicates the primary targets are enterprises in Venezuela, Chile, the Dominican Republic, Colombia, and Ecuador, across sectors including banking, manufacturing, healthcare, pharmaceuticals, and logistics.

When victims open the decoy documents, they are redirected to download a .rev archive from legitimate file-sharing services like Google Drive and Dropbox. These .rev files, generated using WinRAR, serve as “stealthy payload containers” that help evade security detection.

The archive contains a Delphi-based dropper that launches Poco RAT, which then connects to a command-and-control server, giving attackers complete control over infected systems.
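The delivery chain above gives defenders a concrete, low-noise signal to hunt for: a successful download of a WinRAR .rev container from a consumer file-sharing service. The following detection logic is an added example, not code from the article or from Positive Technologies; the proxy log layout, the exact file-sharing hostnames, and the sample log lines are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse, unquote, parse_qsl

# Hosts of the file-sharing services the article names. The exact
# domains are an assumption for this example, not taken from the article.
FILE_SHARING_HOSTS = {
    "drive.google.com", "drive.usercontent.google.com",
    "www.dropbox.com", "dl.dropboxusercontent.com",
}
# WinRAR recovery volumes (.rev) were used as the payload container.
SUSPECT_EXTENSIONS = (".rev",)

# Assumed proxy log layout: "<timestamp> <user> <method> <url> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>GET|POST)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)

def parse_line(line):
    """Return a dict of log fields, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspect_download(event):
    """True when a successful GET fetched a .rev file from a file-sharing host."""
    if event["method"] != "GET" or event["status"] != "200":
        return False
    parsed = urlparse(event["url"])
    # Sharing links often carry the filename in a query parameter rather than
    # the path, so inspect the last path segment and every query value.
    candidates = [unquote(parsed.path.rsplit("/", 1)[-1])]
    candidates += [v for _, v in parse_qsl(parsed.query)]
    has_ext = any(c.lower().endswith(SUSPECT_EXTENSIONS) for c in candidates)
    return (parsed.hostname or "") in FILE_SHARING_HOSTS and has_ext

def scan(lines):
    """Return (user, url) for every log line that matches the rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and is_suspect_download(ev):
            hits.append((ev["user"], ev["url"]))
    return hits

# Constructed sample log lines for this example; not real traffic.
SAMPLE_LOG = [
    "2024-07-03T09:12:44Z jperez GET https://www.dropbox.com/s/abc123/Factura_0931.rev?dl=1 200 418233",
    "2024-07-03T09:13:02Z jperez GET https://drive.usercontent.google.com/download?id=XYZ&export=download&name=Factura.rev 200 420011",
    "2024-07-03T09:15:10Z mlopez GET https://www.dropbox.com/s/def456/Presupuesto.pdf?dl=1 200 90213",
    "2024-07-03T09:16:33Z mlopez GET https://intranet.example.local/backup/archive.rev 200 5551212",
    "2024-07-03T09:17:00Z jperez GET https://www.dropbox.com/s/ghi789/Factura.rev?dl=1 404 512",
]

if __name__ == "__main__":
    for user, url in scan(SAMPLE_LOG):
        print(f"ALERT {user} downloaded a .rev container: {url}")
```

Only the two Dropbox and Google Drive fetches of a .rev file with HTTP 200 are flagged; the internal .rev backup and the failed (404) fetch are not.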

## Poco RAT Capabilities

Named for its use of POCO libraries in its C++ codebase, Poco RAT supports various commands including:

– Sending collected system data to the C2 server
– Transmitting active window titles
– Downloading and executing files
– Capturing screenshots
– Running commands via cmd.exe

Notably, Poco RAT lacks a built-in persistence mechanism, suggesting attackers either issue commands to establish persistence later or use it as an initial access tool before deploying their primary payload.
