
The hacker group Dark Caracal appears to be shifting to newer malware in an espionage campaign targeting individuals in Latin America, researchers said.

Moscow-based cybersecurity firm Positive Technologies reported detecting 483 samples of Poco RAT in networks mostly in Venezuela, the Dominican Republic and Chile from June 2024 until February. Poco RAT shares distinct similarities with Bandook, the signature malware of Dark Caracal, the researchers said.

The Poco RAT detections marked a sharp increase from the 355 cases of Bandook that Positive Technologies found between February 2023 and September 2024. The findings suggest Dark Caracal, believed to operate as a mercenary group conducting espionage and financially motivated hacks for hire, may be replacing the older malware in its operations, the researchers said.

Positive Technologies has been sanctioned by the U.S. and the European Union over alleged ties to Russian intelligence and involvement in related cyber activities, but it retains a wide range of customers outside those areas.

In the latest Poco RAT campaign, the hackers used phishing emails impersonating financial institutions and business service providers. Victims received messages notifying them of overdue invoices, with attachments designed to resemble official documents. When opened, the files redirected users to links that triggered an automatic malware download from legitimate cloud storage services.

Poco RAT is a credential-harvesting remote access trojan that allows attackers to spy on victims, execute commands and install additional malware. It has been in use since 2022 and has primarily targeted the mining, manufacturing and hospitality sectors in Latin America. However, it wasn’t previously attributed to Dark Caracal.

Campaigns linked to Bandook and Poco RAT share key traits, researchers said, including the use of blurred decoy documents, link-shortening services and legitimate cloud storage for payload distribution, which can make operations harder to detect.

Dark Caracal has been linked to data exfiltration in nearly two dozen countries, targeting government institutions, military organizations, activists, journalists and businesses.

The group’s attack methodology has remained consistent over the years, relying on custom-built tools unavailable to other cybercriminals. 

An analysis of decoy documents and industries impersonated in the group’s latest campaign reinforces another key takeaway, researchers said: “This isn’t just about espionage. Financial motives are likely driving the campaign.”
