Thursday, May 8, 2025
Homecyber securityNew Poco RAT Via Weaponized PDF Attacking Users to Capture Sensitive Data

New Poco RAT Via Weaponized PDF Attacking Users to Capture Sensitive Data

Published on

SIEM as a Service

Follow Us on Google News

A new variant of malware, dubbed “Poco RAT,” has emerged as a potent espionage tool in a campaign targeting Spanish-speaking users in Latin America.

Security researchers at Positive Technologies Expert Security Center (PT ESC) have linked this malware to the notorious Dark Caracal group, known for its cyber-mercenary operations.

The campaign employs weaponized PDF files as phishing decoys to infiltrate corporate networks and extract sensitive information.

- Advertisement - Google News

Weaponized PDFs: A Stealthy Entry Point

The attack begins with phishing emails containing malicious PDF attachments disguised as legitimate financial documents.

These decoy files often mimic invoices or payment confirmations from well-known organizations, leveraging blurred visuals and metadata manipulation to evade detection.

Poco RAT
Metadata of a decoy document

Once opened, the PDFs redirect victims to download a .rev archive from legitimate cloud services like Google Drive or Dropbox.

Inside the archive lies a dropper that executes Poco RAT while avoiding disk writes, making it harder for traditional antivirus solutions to detect.

Poco RAT’s Espionage Capabilities

Poco RAT is a sophisticated backdoor built using POCO C++ libraries, enabling attackers to:

  • Execute system commands
  • Capture screenshots
  • Navigate file systems
  • Manipulate system processes

The malware also collects detailed system information, including usernames, OS versions, and available memory, before transmitting it to command-and-control (C2) servers.

To maintain persistence and evade detection, Poco RAT checks for virtualized environments and uses encrypted communication channels.

Dark Caracal’s Evolving Tactics

Dark Caracal continues to refine its methods by integrating Poco RAT into its arsenal.

Poco RAT
The Dark Caracal attack chain

According to the Report, this group has a history of using Bandook-based backdoors but appears to be transitioning to Poco RAT for its enhanced capabilities.

Both malware families share similar tactics, such as process injection and dynamic API resolution, making them challenging to analyze.

The infrastructure supporting Poco RAT operations reveals a focus on Latin America, with most attacks originating from Venezuela, Colombia, and Chile.

The group employs legitimate services and URL shorteners to mask malicious payloads further.

The emergence of Poco RAT underscores the evolving sophistication of cyber threats targeting specific regions and industries.

With its robust espionage features and stealthy delivery mechanisms, this malware poses significant risks to corporate networks.

Organizations are advised to strengthen their defenses against phishing attacks and monitor network traffic for indicators of compromise linked to Dark Caracal’s campaigns.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free

Latest articles

OpenCTI: Free Cyber Threat Intelligence Platform for Security Experts

OpenCTI (Open Cyber Threat Intelligence) stands out as a free, open source platform specifically...

LockBit Ransomware Group Breached: Internal Chats and Data Leaked Online

The notorious LockBit ransomware group, once considered one of the world’s most prolific cyber...

Cisco IOS XE Wireless Controllers Vulnerability Lets Attackers Seize Full Control

A critical security flaw has been discovered in Cisco IOS XE Wireless LAN Controllers...

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

OpenCTI: Free Cyber Threat Intelligence Platform for Security Experts

OpenCTI (Open Cyber Threat Intelligence) stands out as a free, open source platform specifically...

LockBit Ransomware Group Breached: Internal Chats and Data Leaked Online

The notorious LockBit ransomware group, once considered one of the world’s most prolific cyber...

Cisco IOS XE Wireless Controllers Vulnerability Lets Attackers Seize Full Control

A critical security flaw has been discovered in Cisco IOS XE Wireless LAN Controllers...