A new variant of malware, dubbed “Poco RAT,” has emerged as a potent espionage tool in a campaign targeting Spanish-speaking users in Latin America.
Security researchers at Positive Technologies Expert Security Center (PT ESC) have linked this malware to the notorious Dark Caracal group, known for its cyber-mercenary operations.
The campaign employs weaponized PDF files as phishing decoys to infiltrate corporate networks and extract sensitive information.
The attack begins with phishing emails containing malicious PDF attachments disguised as legitimate financial documents.
These decoy files often mimic invoices or payment confirmations from well-known organizations, leveraging blurred visuals and metadata manipulation to evade detection.
Once opened, the PDFs redirect victims to download a .rev archive from legitimate cloud services like Google Drive or Dropbox.
Inside the archive lies a dropper that executes Poco RAT while avoiding disk writes, making it harder for traditional antivirus solutions to detect.
Poco RAT is a sophisticated backdoor built using POCO C++ libraries, enabling attackers to:
The malware also collects detailed system information, including usernames, OS versions, and available memory, before transmitting it to command-and-control (C2) servers.
To maintain persistence and evade detection, Poco RAT checks for virtualized environments and uses encrypted communication channels.
Dark Caracal continues to refine its methods by integrating Poco RAT into its arsenal.
According to the Report, this group has a history of using Bandook-based backdoors but appears to be transitioning to Poco RAT for its enhanced capabilities.
Both malware families share similar tactics, such as process injection and dynamic API resolution, making them challenging to analyze.
The infrastructure supporting Poco RAT operations reveals a focus on Latin America, with most attacks originating from Venezuela, Colombia, and Chile.
The group employs legitimate services and URL shorteners to mask malicious payloads further.
The emergence of Poco RAT underscores the evolving sophistication of cyber threats targeting specific regions and industries.
With its robust espionage features and stealthy delivery mechanisms, this malware poses significant risks to corporate networks.
Organizations are advised to strengthen their defenses against phishing attacks and monitor network traffic for indicators of compromise linked to Dark Caracal’s campaigns.
Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free
Google is rolling out a new privacy-focused feature called Shielded Email, designed to prevent apps and…
Cybersecurity experts are warning of an increasing trend in fileless attacks, where hackers leverage PowerShell…
Unit 42 researchers have observed a threat actor group known as JavaGhost exploiting misconfigurations in…
The United States has suspended offensive cyber operations against Russia under an order issued by…
Cybersecurity researchers have uncovered a sophisticated phishing campaign leveraging Google Ads and PayPal’s infrastructure to…
A new campaign involving the notorious remote access trojan (RAT) Njrat has been uncovered, leveraging…