{
	"id": "8dc32376-154f-4668-931e-62d2364465b1",
	"created_at": "2026-04-06T00:10:11.801965Z",
	"updated_at": "2026-04-10T03:34:15.999447Z",
	"deleted_at": null,
	"sha1_hash": "7603c1d822183ce69a4a061065d8ea5483a5525c",
	"title": "The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1125169,
	"plain_text": "The evolution of Dark Caracal tools: analysis of a campaign featuring\r\nPoco RAT\r\nBy Positive Technologies\r\nPublished: 2025-02-28 · Archived: 2026-04-05 23:11:06 UTC\r\nDetected attacks\r\nThroughout 2024, PT ESC's cyber threat intelligence systems monitored a campaign deploying Poco RAT against corporate\r\nnetworks. The phishing emails and malicious attachments were written in Spanish, pointing to a clear focus on Spanish-speaking users. The attack chain is illustrated in the diagram below:\r\nFigure 1. The Dark Caracal attack chain\r\nThe victim receives an email claiming an outstanding invoice requires payment.\r\nFigure 2. Phishing email with a PDF decoy\r\nAn analysis of the attached decoy documents identified the industries that attackers mimic to make their schemes more\r\nconvincing.\r\nThe email attachment includes a decoy document, usually in PDF format, though HTML versions appear occasionally.\r\nIt is designed to imitate documents from organizations in the targeted industries.\r\nTools such as Adobe Acrobat Pro DC and Canva are commonly used to create these files.\r\nMetadata analysis has uncovered author and user names (PDF:Author), including \"trabajo\", Rene Perez, Keneddy Cedeño,\r\nand Mr. Pickles. Aside from \"trabajo\", which translates to \"work\" in Spanish, these names provide an easy way to identify\r\ndecoy documents linked to the group.\r\nhttps://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/the-evolution-of-dark-caracal-tools-analysis-of-a-campaign-featuring-poco-rat\r\nPage 1 of 8\n\nFigure 4. Metadata of a decoy document\r\nDecoy documents often slip past antivirus detection. Their filenames mimic financial transaction records between the victim\r\nand the impersonated organization. 
Blurred or low-quality visuals are common, possibly to lure less experienced users into\r\nopening them.\r\nOnce opened, the file redirects the victim to a link that triggers the automatic download of a .rev archive from legitimate\r\nfile-sharing services or cloud storage platforms. This approach makes it harder to detect and block the malware's source.\r\nFiles with the .rev extension are generated using WinRAR and were originally designed to reconstruct missing or corrupted\r\nvolumes in multi-part archives. Threat actors repurpose them as stealthy payload containers, helping malware evade security\r\ndetection.\r\nFigure 5. Antivirus scan of the PDF decoy\r\nTable 1. Examples of decoy document names\r\nFile name Translation\r\nCONFIRMAR COMPROBANTE DE PAGO#00315.pdf  Verify payment document\r\nFACTURA Global Supply Services, C.A.pdf Invoice Global Supply Services, C.A\r\nFACTURACION_DIGITALIZADA Industrias salineras c.a..pdf Digitized invoice of Industrias Salineras, c.a.\r\nRETENCION FALTANTE DE ABRIL solimsa.pdf Missing deductions for April solimsa\r\nFigure 6. Decoy document impersonating a file from the Venezuelan company Zoom\r\nFigure 7. Decoy document impersonating a file from the Venezuelan bank BBVA Provincial\r\nThe threat group distributes malicious .rev archives using several methods:\r\nCloud storage services such as Google Drive and Dropbox. Link-shortening services like bit.ly, is.gd, ja.cat,\r\nand Rebrandly are used to obfuscate URLs.\r\nCDN storage solutions. Each attack uses a unique directory named after the impersonated organization or related\r\ndocuments. 
For example, a .rev archive labeled NUEVAFACTURA might be hosted at farmabienoctubre2024.b-cdn.net.\r\nInside these .rev archives, the dropper file mirrors the name of the decoy document, making it appear more legitimate to the\r\nvictim.\r\nPoco RAT in action\r\nPoco RAT is a backdoor designed to give attackers full control over an infected system. It allows them to navigate the file\r\nsystem, execute OS commands, launch executable files, and take screenshots. Every analyzed Poco RAT build has been\r\npacked with UPX (Ultimate Packer for Executables), shrinking the average file size from 24 MB to 13 MB. The large\r\nsize comes from its use of POCO, an open-source C++ library set built for network and internet applications.\r\nThe malware keeps an eye on itself by running a separate monitoring thread. Its activity falls into two distinct states:\r\nChecking time refers to monitoring how long the malware has been active, while collecting timestamps\r\nand assessing the system environment.\r\nDisconnecting you now is the state in which the connection with the victim's system is severed. This could indicate\r\nthat the malware is shutting down or trying to avoid detection.\r\nOnce deployed, Poco RAT determines which command and control (C2) server to connect to. After establishing a link,\r\nthe server regularly pings the malware with heartbeat messages to maintain persistence. Poco RAT then pulls system\r\ninformation using standard WinAPI functions, gathering:\r\nUsername\r\nComputer name\r\nWindows OS version\r\nFree disk space\r\nAvailable physical memory (RAM)\r\nCurrent system time\r\nBefore reporting back to its C2 server, the malware checks if it's running in a virtualized environment. 
It looks\r\nfor VirtualBox by scanning the registry path SOFTWARE\\Oracle\\VirtualBox and probes port 0x5658, a telltale sign\r\nof VMware. If nothing raises red flags, it sends all collected data to the server.\r\nThe gathered information is packed into a structured buffer, separated by the delimiter @\u0026). An example format looks like\r\nthis:\r\nN35*@\u0026)username*@\u0026)pc_name*@\u0026)win_ver*@\u0026)free_disk_space*@\u0026)ram*@\u0026)time*@\u0026)\r\nThe table below outlines the full set of commands that Poco RAT can execute.\r\nTable 2. Command list\r\nID Description\r\nT-01 Send collected system data to the C2 server. This happens automatically when the malware starts.\r\nT-02 Retrieve and transmit the active window title to the C2 server.\r\nT-03 Download and execute an executable file on the compromised machine.\r\nT-04 Download a file to the compromised machine without executing it.\r\nT-05 Capture a screenshot and send it to the C2 server.\r\nT-06 Execute a command in cmd.exe and send the output to the C2 server.\r\nPoco RAT does not come with a built-in persistence mechanism. Once initial reconnaissance is complete, the server likely\r\nissues a command to establish persistence, or attackers may use Poco RAT as a stepping stone to deploy the primary\r\npayload.\r\nNetwork infrastructure analysis\r\nAn investigation into the campaign's network infrastructure uncovered the C2 servers communicating with the malware\r\nsamples. Scanning results showed no open ports, active services, or linked domain names.\r\nTable 3. 
C2 server activity\r\nIP Address First File Detection Date Last File Detection Date \r\n94.131.119.126 24.01.2024 09.08.2024\r\n185.216.68.121 16.09.2024 11.11.2024\r\n193.233.203.63 13.11.2024 22.01.2025\r\nOver the past year, analysis of malware samples interacting with these C2 servers has made it possible to track the threat\r\ngroup's movement from one server to the next.\r\nDespite the absence of visible open ports, the malware establishes connections with C2 servers through specific ports:\r\n94.131.119.126 — 6541, 6542, 6543\r\n185.216.68.121 — 6212\r\n193.233.203.63 — 6215, 6211\r\nWho are Dark Caracal and what are they after\r\nDark Caracal has been in the cyber-mercenary business since 2012. It runs attacks for hire, going after government\r\ninstitutions, military organizations, activists, journalists, and commercial entities.\r\nThe group relies on Bandook, a remote access trojan that has seen multiple modifications over the years. It remains\r\na flexible and effective tool for targeted operations. Unlike malware floating around underground forums, Bandook is off-limits to outsiders. Only Dark Caracal is known to use it.\r\nA campaign linked to the group surfaced in 2023. It targeted Latin American countries, including Venezuela\r\nand the Dominican Republic. The operation followed a familiar pattern, continuing attacks that researchers had previously\r\ndocumented. In 2018, reports from EFF and Lookout exposed similar tactics.\r\nCommand-and-control server addresses linked to Dark Caracal are listed in the table below.\r\nTable 4. 
Network infrastructure\r\nIP Address First File Detection Date Last File Detection Date\r\n83.97.20.153 17.02.2023 23.07.2023\r\n45.67.34.219 26.09.2023 20.11.2023\r\n185.10.68.52 05.07.2023 04.06.2024\r\n77.91.100.237 03.11.2023 23.02.2024\r\n185.216.68.143 06.02.2024 01.08.2024\r\n194.48.248.72 19.07.2024 26.09.2024\r\nThe network infrastructures behind Poco RAT and Bandook campaigns operated within the same Autonomous Systems\r\n(AS). This overlap reinforces the connection between the two malware families and their operators.\r\nTable 5. AS overlap in campaigns\r\nAS Poco RAT Bandook\r\n200019, AlexHost SRL 185.216.68.121, 193.233.203.63 185.216.68.143, 194.48.248.72\r\n44477, Stark Industries Ltd. 94.131.119.126 77.91.100.237, 45.67.34.219\r\nFigure 13. Network activity of C2 servers in Bandook and Poco RAT campaigns\r\nThe graph shows a clear pattern. As Bandook samples disappear, Poco RAT samples begin to surface, often using the same\r\nnetwork infrastructure. The timing suggests more than just coincidence. Dark Caracal may have decided to swap out its old\r\ntool for something new.\r\nCampaigns linked to Bandook and Poco RAT share a few signature traits. 
These include:\r\nBlurred decoy documents and link-shortening services\r\nLegitimate cloud storage services for payload distribution\r\nA focus on Spanish-speaking countries in Latin America\r\nSpanish-language content and financial transaction themes to make files look legitimate\r\nPT Sandbox\r\nYARA rules\r\napt_win_ZZ_DarkCaracal__Dropper__Bandook\r\nBehavioral rules (malware)\r\nTrojan.Win32.Inject.a\r\nTrojan.Win32.Generic.a\r\nTrojan-Downloader.Win32.PocoRAT.n\r\nBehavioral rules (suspicious)\r\nCreate.Process.Inject.ResumeThread\r\nWrite.Process.Inject.SetThreadContext\r\nMaxPatrol SIEM\r\nRun_Masquerading_Executable_File\r\nSuspicious_Connection\r\nSuspicious_Connection_After_Imageload\r\nSuspicious_File_Creation_From_Messenger_Or_Mail\r\nMalicious_Office_Document\r\nMITRE ATT\u0026CK MATRIX\r\nID Technique Description\r\nResource Development\r\nT1608.001\r\nStage Capabilities: Upload\r\nMalware\r\nDark Caracal uses legitimate cloud storage platforms, such\r\nas Dropbox, Amazon, and Google Drive, to store its\r\nmalware.\r\nT1583.003\r\nAcquire Infrastructure:\r\nVirtual Private Server\r\nDark Caracal rents and configures a VPS-based command-and-control (C2) server running Windows with an RDP\r\ninterface, hosted outside Latin America. Preferred\r\nproviders include Stark Industries Solutions Ltd. 
and\r\nAlexHost SRL.\r\nT1588.001\r\nObtain Capabilities:\r\nMalware\r\nDark Caracal uses a lightweight RAT based on Bandook.\r\nThe group uses obfuscated PDF and HTML documents as\r\nbait to lure victims.\r\nInitial Access\r\nT1566.001\r\nPhishing: Spearphishing\r\nAttachment\r\nDark Caracal sends phishing emails with lure documents\r\ncontaining links to download the malware.\r\nExecution\r\nT1204.002\r\nUser Execution: Malicious\r\nFile\r\nThe group manipulates victims into launching Poco RAT\r\nby exploiting themes of financial obligations to an\r\norganization the group is impersonating.\r\nT1059.003\r\nCommand and Scripting\r\nInterpreter: Windows\r\nCommand Shell\r\nPoco RAT uses the Windows command shell to execute\r\nremote commands.\r\nPrivilege Escalation\r\nT1055 Process Injection\r\nDark Caracal injects malicious Poco RAT code into\r\nlegitimate Windows processes, such as cttune.exe and\r\niexplore.exe.\r\nDefense Evasion\r\nT1027.013\r\nObfuscated Files or\r\nInformation:\r\nEncrypted/Encoded File\r\nDark Caracal encrypts Poco RAT using the Twofish\r\nalgorithm.\r\nT1027.002\r\nObfuscated Files\r\nor Information: Software\r\nPacking\r\nDark Caracal uses UPX to pack Poco RAT.\r\nT1055 Process Injection\r\nDark Caracal injects malicious code into legitimate\r\nWindows processes (cttune.exe and iexplore.exe).\r\nDiscovery\r\nT1082\r\nSystem Information\r\nDiscovery\r\nDark Caracal gathers detailed information about the\r\ninfected system's operating system and hardware.\r\nCommand and Control\r\nT1132.001\r\nData Encoding: Standard\r\nEncoding\r\nDark Caracal exchanges encoded information about the\r\ninfected system with the C2 server.\r\nT1571 Non-Standard Port\r\nDark Caracal uses non-standard network ports (6541, 6542,\r\n6543, 6211, 6212, and 6215) on the C2 
server to manage\r\ninfected hosts and extract data.\r\nT1665 Hide Infrastructure\r\nDark Caracal uses URL shortening services, such as bit.ly,\r\nis.gd, ja.cat, and Rebrandly.\r\nNetwork IoCs Poco RAT\r\nID Purpose\r\n94.131.119.126 C2 server\r\n185.216.68.121 C2 server\r\n193.233.203.63 C2 server\r\nNetwork IoCs Bandook\r\nID Purpose\r\n83.97.20.153 C2 server\r\n45.67.34.219 C2 server\r\n185.10.68.52 C2 server\r\n77.91.100.237 C2 server\r\n185.216.68.143 C2 server\r\n194.48.248.72 C2 server\r\nMD5 SHA-1 SHA-256\r\nBandook\r\nMD5 SHA1 SHA256\r\nDecoy documents\r\nMD5 SHA-1 SHA-256\r\nSource: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/the-evolution-of-dark-caracal-tools-analysis-of-a-campaign-featuring-poco-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/the-evolution-of-dark-caracal-tools-analysis-of-a-campaign-featuring-poco-rat"
	],
	"report_names": [
		"the-evolution-of-dark-caracal-tools-analysis-of-a-campaign-featuring-poco-rat"
	],
	"threat_actors": [
		{
			"id": "8de10e16-817c-4907-bd98-b64cf4a3e77b",
			"created_at": "2022-10-25T15:50:23.552766Z",
			"updated_at": "2026-04-10T02:00:05.362919Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"Dark Caracal"
			],
			"source_name": "MITRE:Dark Caracal",
			"tools": [
				"FinFisher",
				"CrossRAT",
				"Bandook"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4a62c0be-1583-4d82-8f91-46e3a1c114e6",
			"created_at": "2023-01-06T13:46:38.73639Z",
			"updated_at": "2026-04-10T02:00:03.083265Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"G0070"
			],
			"source_name": "MISPGALAXY:Dark Caracal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af704c54-a580-4c29-95f2-82db06fbb6f9",
			"created_at": "2022-10-25T16:07:23.525064Z",
			"updated_at": "2026-04-10T02:00:04.64019Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"ATK 27",
				"G0070",
				"Operation Dark Caracal",
				"TAG-CT3"
			],
			"source_name": "ETDA:Dark Caracal",
			"tools": [
				"Bandok",
				"Bandook",
				"CrossRAT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy",
				"Pallas",
				"Trupto"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434211,
	"ts_updated_at": 1775792055,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7603c1d822183ce69a4a061065d8ea5483a5525c.pdf",
		"text": "https://archive.orkl.eu/7603c1d822183ce69a4a061065d8ea5483a5525c.txt",
		"img": "https://archive.orkl.eu/7603c1d822183ce69a4a061065d8ea5483a5525c.jpg"
	}
}