Dark Caracal Deploying Poco RAT in Latin America

Threat Group: Dark Caracal
Threat Type: Remote Access Trojan (RAT)
Exploited Vulnerabilities: None required; initial access relies on social engineering via phishing emails
Malware Used: Poco RAT
Threat Score: High (8.5/10) – Due to its focus on critical infrastructure, advanced evasion techniques, and targeted regional attacks.
Last Threat Observation: March 6, 2025


Overview

Poco RAT is a sophisticated Remote Access Trojan (RAT) recently attributed to the cyber-mercenary group Dark Caracal. Active since at least 2012, Dark Caracal has previously been linked to malware strains such as Bandook and CrossRAT.

According to Positive Technologies, Poco RAT features a comprehensive espionage toolkit, including the ability to:

  • Upload and download files
  • Capture screenshots
  • Execute arbitrary commands
  • Manipulate system processes

Recent intelligence from 2024 shows that Poco RAT shares tradecraft and infrastructure with earlier Dark Caracal operations, solidifying its attribution to this threat actor. The campaign is regionally focused on Latin America, with confirmed attacks in Venezuela, Chile, the Dominican Republic, Colombia, and Ecuador. The mining, manufacturing, hospitality, and utilities sectors have been primary targets.

Positive Technologies reported 483 Poco RAT detections from June 2024 to February 2025, a significant increase from the 355 Bandook cases in the prior period. This suggests Dark Caracal is shifting towards using Poco RAT as a replacement or enhancement for its older Bandook toolkit.


Key Details

  • Delivery Method: Phishing emails impersonating financial institutions or service providers, using invoice-themed lures in Spanish.
  • Target: Enterprises in Latin America, specifically in mining, manufacturing, hospitality, and utilities sectors.
  • Functions:
    • Upload and download files
    • Capture screenshots
    • Execute remote system commands
    • Manipulate system processes
    • Collect system and network information
  • Evasion: Delivers the dropper inside .rev archives (a WinRAR recovery-volume format that mail filters often do not unpack) hosted on legitimate cloud services (Google Drive, Dropbox), and keeps the RAT payload in memory so that only the dropper ever touches disk.

Attack Vectors

Dark Caracal deploys Poco RAT via phishing emails that carry malicious PDF attachments or links leading to cloud-hosted .rev archive files. Each archive contains a Delphi-based dropper that injects the RAT payload directly into the memory of another process; the payload itself is never written to disk, so file-based antivirus only ever sees the dropper.

A notable technique is embedding shortened URLs inside the PDF attachment; the shortener redirects the victim to a cloud-storage link that hosts the malicious archive. The dropper's file metadata is forged to resemble legitimate software, often naming companies such as Disney, Lockheed Martin, or Morgan Stanley as the publisher.
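The PDF-to-shortener-to-cloud-storage chain described above is something a mail gateway can check for before the user ever clicks. The following Python script is an added example for this advisory (not tooling from Positive Technologies or from the page): it pulls /URI link annotations out of a PDF, including ones inside Flate-compressed object streams that a naive grep would miss, and flags targets that go through a URL shortener, point at the cloud-storage hosts named in this advisory, or download a .rev archive. The sample PDF is constructed inline for the demo; the host lists are the ones on this page and should be extended with whatever your own telemetry shows.

```python
"""Flag risky link targets inside a PDF lure.

Added example for this advisory; it is not tooling from Positive Technologies
or the page itself. It extracts /URI link annotations from a PDF (including
ones inside Flate-compressed streams) and flags targets that match the
delivery chain described above: URL shorteners, consumer cloud storage, and
.rev archive downloads. The sample PDF is constructed below for the demo.
"""
from __future__ import annotations

import re
import zlib
from urllib.parse import urlparse

# Hosts named in the advisory; extend with whatever your mail telemetry shows.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
CLOUD_HOSTS = {"drive.google.com", "dropbox.com"}
ARCHIVE_EXTS = (".rev",)  # the archive extension used in this campaign

# A /URI literal string ends at the first ')' that is not backslash-escaped.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _searchable_bytes(pdf: bytes) -> bytes:
    """Raw PDF plus the inflated body of every Flate stream.

    Link annotations often live inside compressed object streams, so a scanner
    that only greps the raw file misses them. decompressobj() tolerates the
    EOL bytes that precede 'endstream', so no trailing-byte trimming is needed.
    """
    chunks = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            inflated = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not a Flate stream (e.g. image data); raw bytes are in chunks[0]
        if inflated:
            chunks.append(inflated)
    return b"\n".join(chunks)


def extract_uris(pdf: bytes) -> list[str]:
    """Every /URI target in the PDF, in order of appearance, deduplicated."""
    seen: set[str] = set()
    uris: list[str] = []
    for m in URI_RE.finditer(_searchable_bytes(pdf)):
        uri = m.group(1).replace(b"\\)", b")").decode("latin-1")
        if uri not in seen:
            seen.add(uri)
            uris.append(uri)
    return uris


def _host_matches(host: str, names: set[str]) -> bool:
    return any(host == n or host.endswith("." + n) for n in names)


def classify_uri(uri: str) -> list[str]:
    """Reasons a link target is suspicious; an empty list means nothing flagged."""
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    reasons = []
    if _host_matches(host, SHORTENERS):
        reasons.append("url-shortener")
    if _host_matches(host, CLOUD_HOSTS):
        reasons.append("cloud-storage")
    if parsed.path.lower().endswith(ARCHIVE_EXTS):
        reasons.append("archive-download")
    return reasons


def scan_pdf(pdf: bytes) -> dict[str, list[str]]:
    """Map each suspicious URI in the PDF to the reasons it was flagged."""
    return {u: r for u in extract_uris(pdf) if (r := classify_uri(u))}


def build_sample_pdf() -> bytes:
    """Constructed sample: one link in the clear, two more inside a Flate stream."""
    clear_link = (b"<< /Type /Annot /Subtype /Link /A << /S /URI "
                  b"/URI (https://bit.ly/3fAkeInv) >> >>")
    hidden_link = (b"<< /Type /Annot /Subtype /Link /A << /S /URI "
                   b"/URI (https://www.dropbox.com/s/abc123/factura.rev?dl=1) >> >>")
    benign_link = b"<< /S /URI /URI (https://www.example.com/terms) >>"
    body = zlib.compress(hidden_link + b"\n" + benign_link)
    return (b"%PDF-1.7\n1 0 obj\n" + clear_link + b"\nendobj\n"
            b"2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for uri, reasons in scan_pdf(build_sample_pdf()).items():
        print(f"{uri}  ->  {', '.join(reasons)}")
```

The scanner deliberately does not resolve the shortened URLs: following a shortener from the gateway tips off the operator and may burn the link before the analyst sees it. A shortener hit is itself the signal; resolve it from an isolated sandbox if you need the final destination.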


Known Indicators of Compromise (IoCs)

IP Addresses

  • 185[.]10[.]68[.]52
  • 45[.]67[.]34[.]219
  • 77[.]91[.]100[.]237
  • 94[.]131[.]119[.]126
  • 185[.]216[.]68[.]121
  • 193[.]233[.]203[.]63

MD5 Hashes

  • a5073df86767ece0483da0316d66c15c
  • 2a0f523b9e52890105ec6fbccd207dcd
  • e0bf0aee954fd97457b28c9233253b0a
  • bbfbd1ece4f4aa43d0c68a32d92b17e5
  • a2ea38d11bde2a4483b86321960d6319
  • a12d326845a96a03867b2b70ca8f12ee

SHA-256 Hashes

  • 05bf7db7debfeb56702ef1b421a336d8431c3f7334187d2ccd6ba34816a3fd5a
  • 08552f588eafceb0fa3117c99a0059fd06882a36cc162a01575926736d4a80eb
  • 0d6822c93cb78ad0d2ad34ba9057a6c9de8784f55caa6a8d8af77fed00f0da0a
  • 1786f16a50a4255df8aa32f2e21f2829b4f8aaba2ced3e4a7670846205b3ac70
  • 01e8536751080ea135c3ad7ae9187d06cdcccddfc89bc0d41ea4281eeb3e9fb4
  • 21ff46a6fc9173fcc147d7a5c603032c662c6c1f1b05c1bb1e30e20e168bb056

SHA1 Hashes

  • d0661df945e8e36aa78472d4b60e181769a3f23b
  • f3a495225dc34cdeba579fb0152e4ccba2e0ad42
  • ce611811d9200613c1a1083e683faec5187a9280
  • 2ffdf164f6b8e2e403a86bd4d0f6260bf17fb154
  • 5240860d0db91bd8e13a150676a3ab1917312c59
  • 3b1264d2e156a09142847b6a18f70a3267c406e2

Abused Legitimate Services

The following are legitimate services abused for hosting and redirection, not indicators to block outright. Use them as hunting context, for example downloads of .rev archives from cloud-storage links, or shortener redirects that resolve to such downloads:

  • drive[.]google[.]com
  • dropbox[.]com
  • Various URL shorteners (bit[.]ly, t[.]co, tinyurl[.]com)

Behavioral Patterns

  • Process injection into Internet Explorer (iexplore.exe) or the ClearType tuner (cttune.exe)
  • Payload executes in memory only; the dropper is the only artifact written to disk
  • C2 traffic encrypted with Twofish and then Base64-encoded
  • Anti-analysis checks that detect virtual environments
  • C2 over TCP on high ports (6211–6543); the initial check-in sends a structured profile of the victim system
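Turning the indicator lists above into a hunt means refanging the defanged values, normalising hash case, and combining the exact-match IoCs with the port-range behaviour so that unlisted infrastructure on the same pattern is also surfaced. The Python below is an added example for this advisory (not code from Positive Technologies or the page). The C2 addresses, port range and a subset of the hashes are the ones listed above; the key=value log lines are constructed for the demo, and that format is an assumption about the log source, since firewall and EDR exports vary.

```python
"""Match the Poco RAT network and file indicators above against telemetry.

Added example for this advisory, not code from Positive Technologies or the
page. The C2 addresses, port range and hashes are the ones listed above; the
key=value log lines are constructed for the demo, and that log format is an
assumption about the source (firewall and EDR exports vary).
"""
from __future__ import annotations

import ipaddress
import re

DEFANGED_C2_IPS = [
    "185[.]10[.]68[.]52", "45[.]67[.]34[.]219", "77[.]91[.]100[.]237",
    "94[.]131[.]119[.]126", "185[.]216[.]68[.]121", "193[.]233[.]203[.]63",
]
# A subset of the MD5 / SHA-1 / SHA-256 values above; load the full lists in practice.
KNOWN_HASHES = {
    "a5073df86767ece0483da0316d66c15c",
    "2a0f523b9e52890105ec6fbccd207dcd",
    "d0661df945e8e36aa78472d4b60e181769a3f23b",
    "f3a495225dc34cdeba579fb0152e4ccba2e0ad42",
    "05bf7db7debfeb56702ef1b421a336d8431c3f7334187d2ccd6ba34816a3fd5a",
    "08552f588eafceb0fa3117c99a0059fd06882a36cc162a01575926736d4a80eb",
}
C2_PORT_RANGE = range(6211, 6544)  # 6211-6543 inclusive, as reported above

KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


C2_IPS = {refang(ip) for ip in DEFANGED_C2_IPS}


def _is_private(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def parse_kv(line: str) -> dict[str, str]:
    """key=value fields of one log line (the leading timestamp has no '=' and is skipped)."""
    return dict(KV_RE.findall(line))


def assess(line: str) -> list[str]:
    """Findings for one log line; an empty list means nothing matched."""
    rec = parse_kv(line)
    findings: list[str] = []
    dst, dport = rec.get("dst"), rec.get("dport")
    if dst in C2_IPS:
        findings.append(f"known Poco RAT C2 {dst}")
    # The port-range check is a heuristic: restrict it to TCP towards non-private
    # destinations so internal services on those ports do not flood the queue.
    if (dport and dport.isdigit() and int(dport) in C2_PORT_RANGE
            and rec.get("proto", "tcp") == "tcp" and dst and not _is_private(dst)):
        findings.append(f"outbound TCP to Poco RAT C2 port range ({dport})")
    for algo in ("md5", "sha1", "sha256"):
        digest = rec.get(algo, "").lower()
        if digest in KNOWN_HASHES:
            findings.append(f"known Poco RAT sample ({algo} {digest})")
    return findings


def hunt(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (line, findings) for every line that produced at least one finding."""
    return [(line, f) for line in lines if (f := assess(line))]


# Constructed sample telemetry. 185.10.68.99 is NOT an indicator from the
# advisory; it is here to show the port heuristic catching an unlisted host.
SAMPLE_LOGS = [
    "2025-03-04T10:12:05Z src=10.1.5.22 dst=185.10.68.52 dport=6211 proto=tcp action=allow",
    "2025-03-04T10:12:07Z src=10.1.5.22 dst=185.10.68.99 dport=6500 proto=tcp action=allow",
    "2025-03-04T10:12:09Z src=10.1.5.22 dst=10.1.0.4 dport=6300 proto=tcp action=allow",
    "2025-03-04T10:12:11Z src=10.1.5.22 dst=93.184.216.34 dport=443 proto=tcp action=allow",
    r"2025-03-04T10:13:00Z host=WS-0142 file=C:\Users\ana\Downloads\factura.exe "
    "sha256=05BF7DB7DEBFEB56702EF1B421A336D8431C3F7334187D2CCD6BA34816A3FD5A",
]

if __name__ == "__main__":
    for line, findings in hunt(SAMPLE_LOGS):
        print(line)
        for finding in findings:
            print("   ->", finding)
```

Treat the two kinds of finding differently: an exact C2 or hash hit is high-confidence and can page someone, while the port-range heuristic is a triage lead that should be joined with process telemetry (which binary opened the socket) before it is escalated.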

Mitigation and Prevention

  • User Awareness: Conduct phishing awareness training, particularly for finance and HR personnel, since the lures are invoice-themed emails impersonating financial institutions and service providers.
  • Email Filtering: Quarantine uncommon archive attachments such as .rev, and detonate or block PDF attachments whose links pass through URL shorteners to cloud-storage downloads.
  • Endpoint Protection: Deploy EDR capable of detecting in-memory payloads and process injection, rather than relying on file scanning alone, since only the dropper ever reaches disk.
  • Network Monitoring: Alert on outbound connections to the listed C2 addresses and on new outbound TCP sessions to ports 6211–6543 from hosts with no business need for them.
  • Threat Hunting: Search for iexplore.exe or cttune.exe launched by unexpected parent processes, and for other processes opening handles to or creating threads in them.
  • Regular Updates: Keep software and security tooling current. This campaign needs no software exploit, so patching is defence in depth here rather than a direct countermeasure.
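The hunting step above, as a runnable analytic over Sysmon telemetry. This Python is an added example for this advisory, not code from Positive Technologies or the page. It assumes Sysmon events exported as JSON lines with the standard field names (EventID, Image, ParentImage, SourceImage, TargetImage, GrantedAccess) and looks for the injection pattern described in the behavioural section: iexplore.exe or cttune.exe spawned by an unexpected parent, another process opening one of them with write-and-thread rights (Event 10), or creating a remote thread in it (Event 8). The advisory does not state which injection API Poco RAT uses, so both generic Sysmon injection signals are checked; the sample events and the parent allowlist are constructed assumptions to tune per estate.

```python
"""Hunt Sysmon telemetry for the Poco RAT injection pattern.

Added example for this advisory, not code from Positive Technologies or the
page. It assumes Sysmon events exported as JSON lines with the standard field
names (EventID, Image, ParentImage, SourceImage, TargetImage, GrantedAccess).
Events 8 (CreateRemoteThread) and 10 (ProcessAccess) are the generic Sysmon
signals for injection; the advisory does not state which API Poco RAT uses, so
both are checked. The sample events and the parent allowlist are constructed
assumptions to tune per estate.
"""
from __future__ import annotations

import json

INJECTION_TARGETS = ("\\iexplore.exe", "\\cttune.exe")
# Parents from which Internet Explorer or the ClearType tuner are normally
# launched; anything else spawning them is worth a look (assumption).
EXPECTED_PARENTS = ("\\explorer.exe", "\\iexplore.exe", "\\svchost.exe")
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE: the minimum
# a write-then-run injector needs, whatever else the access mask contains.
INJECT_RIGHTS = 0x0002 | 0x0008 | 0x0020


def _ends_with(image: str | None, suffixes: tuple[str, ...]) -> bool:
    return bool(image) and image.lower().endswith(suffixes)


def assess_event(ev: dict) -> str | None:
    """One finding string for a suspicious event, or None."""
    eid = int(ev.get("EventID", 0))
    src, tgt = ev.get("SourceImage"), ev.get("TargetImage")
    if (eid == 1 and _ends_with(ev.get("Image"), INJECTION_TARGETS)
            and not _ends_with(ev.get("ParentImage"), EXPECTED_PARENTS)):
        return f"{ev['Image']} launched by unexpected parent {ev.get('ParentImage')}"
    if eid == 8 and _ends_with(tgt, INJECTION_TARGETS) and not _ends_with(src, INJECTION_TARGETS):
        return f"remote thread created in {tgt} by {src}"
    if eid == 10 and _ends_with(tgt, INJECTION_TARGETS) and not _ends_with(src, INJECTION_TARGETS):
        granted = int(ev.get("GrantedAccess", "0x0"), 16)  # Sysmon logs the mask as hex text
        if (granted & INJECT_RIGHTS) == INJECT_RIGHTS:
            return f"{src} opened {tgt} with write+thread rights ({ev['GrantedAccess']})"
    return None


def hunt(jsonl: str) -> list[tuple[int, str]]:
    """(line number, finding) for every suspicious event in a JSON-lines export."""
    findings = []
    for n, line in enumerate(jsonl.splitlines(), start=1):
        if line.strip():
            finding = assess_event(json.loads(line))
            if finding:
                findings.append((n, finding))
    return findings


# Constructed sample export: three events from a dropper, two benign ones.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
DROPPER = r"C:\Users\ana\AppData\Local\Temp\factura.exe"  # constructed dropper path
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": IE, "ParentImage": DROPPER, "CommandLine": IE},
    {"EventID": 10, "SourceImage": DROPPER, "TargetImage": IE, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": DROPPER, "TargetImage": IE, "StartFunction": ""},
    {"EventID": 1, "Image": IE, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": IE},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": IE,
     "GrantedAccess": "0x1000"},
])

if __name__ == "__main__":
    for n, finding in hunt(SAMPLE_EVENTS):
        print(f"line {n}: {finding}")
```

Two design points worth keeping when adapting this: the Event 10 check tests for the specific rights an injector needs rather than comparing the whole mask against a fixed value, because legitimate tools open processes with many different masks; and same-image sources are excluded so that the browser's own tab and broker processes do not generate noise.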

Conclusion

Poco RAT represents an evolving cyber threat with a strong focus on Spanish-speaking enterprises in Latin America. Its reliance on trusted cloud services and memory injection techniques makes it particularly stealthy and challenging to detect. Organizations must remain vigilant by implementing layered security defenses, employee awareness programs, and proactive threat-hunting measures.

