New Poco RAT Via Weaponized PDF Attacking Users to Capture Sensitive Data

A new variant of malware, dubbed “Poco RAT,” has emerged as a potent espionage tool in a campaign targeting Spanish-speaking users in Latin America.

Security researchers at Positive Technologies Expert Security Center (PT ESC) have linked this malware to the notorious Dark Caracal group, known for its cyber-mercenary operations.

The campaign employs weaponized PDF files as phishing decoys to infiltrate corporate networks and extract sensitive information.

Weaponized PDFs: A Stealthy Entry Point

The attack begins with phishing emails containing malicious PDF attachments disguised as legitimate financial documents.

These decoy files often mimic invoices or payment confirmations from well-known organizations, leveraging blurred visuals and metadata manipulation to evade detection.

Once opened, the PDFs redirect victims to download a .rev archive from legitimate cloud services like Google Drive or Dropbox.

Inside the archive lies a dropper that executes Poco RAT while avoiding disk writes, making it harder for traditional antivirus solutions to detect.

Poco RAT’s Espionage Capabilities

Poco RAT is a sophisticated backdoor built using POCO C++ libraries, enabling attackers to:

• Execute system commands
• Capture screenshots
• Navigate file systems
• Manipulate system processes

The malware also collects detailed system information, including usernames, OS versions, and available memory, before transmitting it to command-and-control (C2) servers.

To maintain persistence and evade detection, Poco RAT checks for virtualized environments and uses encrypted communication channels.

Dark Caracal’s Evolving Tactics

Dark Caracal continues to refine its methods by integrating Poco RAT into its arsenal.

According to the Report, this group has a history of using Bandook-based backdoors but appears to be transitioning to Poco RAT for its enhanced capabilities.

Both malware families share similar tactics, such as process injection and dynamic API resolution, making them challenging to analyze.

The infrastructure supporting Poco RAT operations reveals a focus on Latin America, with most attacks originating from Venezuela, Colombia, and Chile.

The group employs legitimate services and URL shorteners to mask malicious payloads further.

The emergence of Poco RAT underscores the evolving sophistication of cyber threats targeting specific regions and industries.

With its robust espionage features and stealthy delivery mechanisms, this malware poses significant risks to corporate networks.

Organizations are advised to strengthen their defenses against phishing attacks and monitor network traffic for indicators of compromise linked to Dark Caracal’s campaigns.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free