{
	"id": "b217e3b6-c6bc-4ab5-968e-ae745bc71436",
	"created_at": "2026-04-06T00:15:26.389585Z",
	"updated_at": "2026-04-10T13:12:27.736059Z",
	"deleted_at": null,
	"sha1_hash": "80e89a43049c4df9eb3c058ee3d3f5b02b870d7d",
	"title": "New Poco RAT distribution campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37756,
	"plain_text": "New Poco RAT distribution campaign\r\nArchived: 2026-04-05 23:50:36 UTC\r\nA new campaign distributing Poco RAT to Spanish-speaking users in Latin America has been reported in the wild.\r\nThe campaign has been attributed to the Darkling APT (aka Dark Caracal). The group is known to leverage\r\nBandook-based backdoors in their attacks. The Poco RAT malware is spread via phish email messages containing\r\nmalicious PDF attachments. The attached files redirect the victims to the download of .rev files from often\r\nlegitimate file-sharing services. The downloaded .rev files lead in turn to execution of malware droppers that\r\ninfect the targeted endpoints with the Poco RAT payload. The dropped payloads provide the attackers with remote\r\ncontrol of the compromised machine, command execution and system information collection, among others.\r\nSymantec protects you from this threat, identified by the following:\r\nAdaptive-based\r\nACM.Untrst-RunSys!g1\r\nBehavior-based\r\nAGR.Terminate!g5\r\nSONAR.SuspOpen!gen11\r\nSONAR.TCP!gen1\r\nCarbon Black-based\r\nAssociated malicious indicators are blocked and detected by existing policies within VMware Carbon\r\nBlack products. The recommended policy at a minimum is to block all types of malware from executing\r\n(Known, Suspect, and PUP) as well as delay execution for cloud scan to get maximum benefit from\r\nVMware Carbon Black Cloud reputation service.\r\nEmail-based\r\nCoverage is in place for Symantec's email security products and Email Threat Isolation (ETI) technology\r\nprovides an extra layer of protection for our customers.\r\nFile-based\r\nInfostealer.Bancos\r\nPhish.Pdf\r\nPUA.Gen.2\r\nTrojan Horse\r\nTrojan.Gen.MBT\r\nWeb.Reputation.1\r\nWS.Malware.2\r\nhttps://www.broadcom.com/support/security-center/protection-bulletin/new-poco-rat-distribution-campaign\r\nPage 1 of 2\n\nWS.SecurityRisk.3\r\nMachine Learning-based\r\nHeur.AdvML.A!300\r\nHeur.AdvML.A!400\r\nHeur.AdvML.A!500\r\nHeur.AdvML.B!100\r\nHeur.AdvML.B!200\r\nWeb-based\r\nObserved domains/IPs are covered under security categories in all WebPulse enabled products\r\nSource: https://www.broadcom.com/support/security-center/protection-bulletin/new-poco-rat-distribution-campaign\r\nhttps://www.broadcom.com/support/security-center/protection-bulletin/new-poco-rat-distribution-campaign\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.broadcom.com/support/security-center/protection-bulletin/new-poco-rat-distribution-campaign"
	],
	"report_names": [
		"new-poco-rat-distribution-campaign"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8de10e16-817c-4907-bd98-b64cf4a3e77b",
			"created_at": "2022-10-25T15:50:23.552766Z",
			"updated_at": "2026-04-10T02:00:05.362919Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"Dark Caracal"
			],
			"source_name": "MITRE:Dark Caracal",
			"tools": [
				"FinFisher",
				"CrossRAT",
				"Bandook"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4a62c0be-1583-4d82-8f91-46e3a1c114e6",
			"created_at": "2023-01-06T13:46:38.73639Z",
			"updated_at": "2026-04-10T02:00:03.083265Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"G0070"
			],
			"source_name": "MISPGALAXY:Dark Caracal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af704c54-a580-4c29-95f2-82db06fbb6f9",
			"created_at": "2022-10-25T16:07:23.525064Z",
			"updated_at": "2026-04-10T02:00:04.64019Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"ATK 27",
				"G0070",
				"Operation Dark Caracal",
				"TAG-CT3"
			],
			"source_name": "ETDA:Dark Caracal",
			"tools": [
				"Bandok",
				"Bandook",
				"CrossRAT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy",
				"Pallas",
				"Trupto"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434526,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80e89a43049c4df9eb3c058ee3d3f5b02b870d7d.pdf",
		"text": "https://archive.orkl.eu/80e89a43049c4df9eb3c058ee3d3f5b02b870d7d.txt",
		"img": "https://archive.orkl.eu/80e89a43049c4df9eb3c058ee3d3f5b02b870d7d.jpg"
	}
}