According to recent findings, the Dark Caracal threat actor has been linked to a 2024 campaign that used a remote access trojan known as Poco RAT in attacks against Spanish-speaking users in Latin America.
Positive Technologies, a Russian cybersecurity firm, has described the malware as being equipped with a comprehensive suite of espionage features, including the ability to upload files, capture screenshots, execute commands, and manipulate system processes, as stated by researchers Denis Kazakov and Sergey Samokhin in a technical report published last week.
Poco RAT was previously documented by Cofense in July 2024, which detailed phishing attacks aimed at the mining, manufacturing, hospitality, and utilities sectors. The infection chains involve the use of finance-themed lures that trigger a multi-step process to deploy the malware.
At the time of its initial discovery, the campaign was not attributed to any specific threat actor. However, Positive Technologies has identified overlaps in tradecraft with Dark Caracal, an advanced persistent threat (APT) known for operating malware families such as CrossRAT and Bandook, which has been operational since at least 2012.
In 2021, Dark Caracal was tied to a cyber espionage campaign known as Bandidos, which delivered an updated version of the Bandook malware against Spanish-speaking countries in South America.
The latest set of attacks continues to focus on Spanish-speaking users, leveraging phishing emails with invoice-related themes that include malicious attachments written in Spanish as a starting point. An analysis of Poco RAT artifacts indicates that the intrusions are primarily targeting enterprises in Venezuela, Chile, the Dominican Republic, Colombia, and Ecuador.
The attached decoy documents impersonate a wide range of industry verticals, including banking, manufacturing, healthcare, pharmaceuticals, and logistics, in an attempt to lend the scheme a degree of believability.
Upon opening the files, victims are redirected to a link that triggers the download of a .rev archive from legitimate file-sharing services or cloud storage platforms such as Google Drive and Dropbox.
According to the researchers, “Files with the .rev extension are generated using WinRAR and were originally designed to reconstruct missing or corrupted volumes in multi-part archives. Threat actors repurpose them as stealthy payload containers, helping malware evade security detection.”
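The quote above describes .rev recovery volumes being repurposed as payload containers. The following is an added example, not code from the article or from Positive Technologies, showing how an attachment-triage step could flag such files before a user opens them. It quarantines anything arriving under the .rev extension, and separately flags RAR-family containers hidden under a non-archive extension. The RAR4 and RAR5 markers are WinRAR's documented archive signatures; treating them as sufficient for the "disguised container" check is an assumption, and all file names and byte strings below are constructed for illustration.

```python
"""Attachment triage: flag WinRAR recovery volumes and disguised RAR containers.

Added example for the .rev delivery technique described in the article.
All sample attachment names and contents are constructed, not real samples.
"""
import os
from dataclasses import dataclass

# Documented WinRAR archive markers (first bytes of a .rar file).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Extensions under which a RAR-family container may legitimately arrive.
# Assumption: anything else carrying a RAR marker is worth a second look.
ARCHIVE_EXTENSIONS = {".rar", ".r00", ".r01"}


@dataclass
class Verdict:
    name: str
    quarantine: bool
    reason: str


def rar_flavour(head: bytes):
    """Return 'rar5', 'rar4' or None based on the leading bytes of a file."""
    if head.startswith(RAR5_MAGIC):
        return "rar5"
    if head.startswith(RAR4_MAGIC):
        return "rar4"
    return None


def classify_attachment(name: str, head: bytes) -> Verdict:
    """Decide whether one attachment should be held for analyst review.

    name: the file name as presented to the recipient
    head: the first bytes of the file content (a few dozen bytes suffice)
    """
    ext = os.path.splitext(name.lower())[1]
    flavour = rar_flavour(head)

    # Recovery volumes have no business arriving as email attachments,
    # so the extension alone is enough to quarantine, whatever the content.
    if ext == ".rev":
        return Verdict(name, True, "WinRAR recovery volume (.rev) delivered as attachment")

    # A RAR container wearing a document or other non-archive extension.
    if flavour and ext not in ARCHIVE_EXTENSIONS:
        shown = ext or "no extension"
        return Verdict(name, True, f"{flavour} container disguised as {shown}")

    return Verdict(name, False, "no archive-container indicator")


def triage(attachments):
    """Classify a batch of (name, head_bytes) pairs."""
    return [classify_attachment(name, head) for name, head in attachments]


# Constructed sample batch: invoice-themed names matching the lure style
# described in the article, with synthetic content bytes.
SAMPLE_ATTACHMENTS = [
    ("factura_03_2025.pdf", b"%PDF-1.7\n"),
    ("factura_03_2025.rev", RAR5_MAGIC + b"\x00" * 16),
    ("comprobante.rev", b"\x00" * 24),              # .rev by name, unknown bytes
    ("reporte.docx", RAR4_MAGIC + b"\x00" * 16),     # RAR4 under a document extension
    ("backup.rar", RAR5_MAGIC + b"\x00" * 16),       # ordinary archive, allowed
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_ATTACHMENTS):
        action = "QUARANTINE" if verdict.quarantine else "allow"
        print(f"{action:10} {verdict.name:24} {verdict.reason}")
```

In a mail gateway or download proxy, `classify_attachment` would be fed the real file name and the first bytes of the decoded content; the two checks are deliberately independent so that renaming a .rev file does not bypass the marker check, and stripping the marker does not bypass the extension check.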
Present within the archive is a Delphi-based dropper responsible for launching Poco RAT, which establishes contact with a remote server and grants attackers full control over compromised hosts. The malware’s name is derived from its use of POCO libraries in its C++ codebase.
Some of the commands supported by Poco RAT include:
- T-01 – Send collected system data to the command-and-control (C2) server
- T-02 – Retrieve and transmit the active window title to the C2 server
- T-03 – Download and run an executable file
- T-04 – Download a file to the compromised machine
- T-05 – Capture a screenshot and send it to the C2 server
- T-06 – Execute a command in cmd.exe and send the output to the C2 server
As noted by the researchers, “Poco RAT does not come with a built-in persistence mechanism. Once initial reconnaissance is complete, the server likely issues a command to establish persistence, or attackers may use Poco RAT as a stepping stone to deploy the primary payload.”