Dark Caracal group might have refreshed its malware, researchers say | The Record from Recorded Future News

Campaigns linked to Bandook and Poco RAT share key traits, researchers said, including the use of blurred decoy documents, link-shortening services and legitimate cloud storage for payload distribution, which can make operations harder to detect. The hacker group Dark Caracal appears to be shifting to newer malware in an espionage campaign targeting individuals in Latin America, researchers said. The findings suggest Dark Caracal — believed to operate as a mercenary group conducting espionage and financially motivated hacks for hire— may be replacing the older malware in its operations, the researchers said. Poco RAT shares distinct similarities with Bandook, the signature malware of Dark Caracal, the researchers said. Dark Caracal has been linked to data exfiltration nearly two dozen countries, targeting government institutions, military organizations, activists, journalists and businesses. Moscow-based cybersecurity firm Positive Technologies reported detecting 483 samples of Poco RAT in networks mostly in Venezuela, the Dominican Republic and Chile from June 2024 until February. An analysis of decoy documents and industries impersonated in the group’s latest campaign reinforces another key takeaway, researchers said: “This isn't just about espionage. The Poco RAT detections marked a sharp increase in the 355 cases of Bandook that Positive Technologies found between February 2023 and September 2024. Positive Technologies has been sanctioned by the U.S. and the European Union over alleged ties to Russian intelligence and involvement in related cyber activities, but it retains a wide range of customers outside those areas. Poco RAT is a credential-harvesting remote access trojan that allows attackers to spy on victims, execute commands and install additional malware. In the latest Poco RAT campaign, the hackers used phishing emails impersonating financial institutions and business service providers. When opened, the files redirected users to links that triggered an automatic malware download from legitimate cloud storage services.

This Cyber News was published on therecord.media. Publication date: Tue, 04 Mar 2025 14:00:16 +0000