{
	"id": "989cc469-9da4-47e4-8704-3b937d68c249",
	"created_at": "2026-04-06T01:30:40.365774Z",
	"updated_at": "2026-04-10T03:34:16.021112Z",
	"deleted_at": null,
	"sha1_hash": "99af637aa402063462556560e1745ba743af8711",
	"title": "Dark Caracal: You Missed a Spot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43745,
	"plain_text": "Dark Caracal: You Missed a Spot\r\nBy Cooper Quintin and Eva Galperin\r\nPublished: 2020-12-10 · Archived: 2026-04-06 00:48:32 UTC\r\nSecurity researchers at EFF have tracked APTs (Advanced Persistent Threats) targeting civil society for many years now. And while in many cases the “advanced” appellation is debatable, “persistent” is not. Since 2015, EFF has tracked the cyber-mercenaries known as Dark Caracal, a threat actor who has carried out digital surveillance campaigns on behalf of government interests in Kazakhstan and Lebanon.\r\nRecent activity seems to indicate that this actor is active once again. In November of 2019 the group Malware Hunter Team discovered new samples of the Bandook malware, which is associated with Dark Caracal, this time with legitimate signing certificates for Windows (issued by the “Certum” certificate authority), which would allow them to be run without a warning to the user on any Windows computer. Tipped off by the emergence of new variants of the Bandook Trojan, researchers at Checkpoint found three new variants of Bandook: some expanded (120 commands), some slimmed down (11 commands), and all signed with Certum certificates. The Checkpoint researchers also discovered several new command and control domains in use by Dark Caracal.\r\nIn previous campaigns, this actor has displayed impressively lax operational security, enabling researchers to download terabytes of data from their command and control servers. The latest campaign exhibits a somewhat higher level of opsec. Checkpoint reports that targets included “Government, financial, energy, food industry, healthcare, education, IT and legal institutions” in the following countries: Singapore, Cyprus, Chile, Italy, USA, Turkey, Switzerland, Indonesia and Germany.\r\nRecommended Mitigations against Dark Caracal\r\nThe Dark Caracal threat actors still seem to use phishing and Office-based macros as their primary method of infection. Because of this, the best step one can take to protect against Dark Caracal is to disable Office macros on your personal devices or those of your entire organization. This is additionally a good basic security hygiene practice. Standard methods to avoid phishing attacks are also good practice. Readers may also take some comfort in the fact that Bandook is currently detected by many, if not most, antivirus products.\r\nThe Bandook Trojan\r\nOne of the primary signatures of the Dark Caracal threat group is their use of the Bandook Trojan, which is described in the Checkpoint report as follows:\r\nThe final payload in this infection chain is a variant of an old full-featured RAT named Bandook. Written in both Delphi and C++, Bandook has a long history, starting in 2007 as a commercially available RAT that was developed by a Lebanese individual nicknamed PrinceAli.\r\nhttps://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot\r\nPage 1 of 4\r\nBandook’s execution flow starts with a loader, written in Delphi, that uses the Process Hollowing technique to create a new instance of an Internet Explorer process and inject a malicious payload into it. The payload contacts the C\u0026C server, sends basic information about the infected machine, and waits for additional commands from the server.\r\nThese findings are consistent with what EFF previously published in our Dark Caracal and Operation Manul reports.\r\nWe were surprised to see the Checkpoint report when it was released on Thanksgiving as we had been tracking Dark Caracal again as well. Building on Checkpoint’s work, we are publishing additional indicators of compromise we have observed that may be of interest to other security professionals and malware researchers.\r\nAdditional Dark Caracal Indicators of Compromise\r\nHashes:\r\n09187675a604ffe69388014f07dde2ee0a58a9f7b060bff064ce00354fedc091\r\n0c5735e066bfbc774906942e97a6ffc95f36f88b9960c4dd6555247b3dd2cdb0\r\n2106e0eabc23d44bd08332cf0c34f69df36b9e84a360722a7fd4d62c325531d1\r\n211f1638041aa08762a90c15b1aff699d47e4da21429c22b56f8a3103d13b496\r\n27306de878f7ab58462b6b9436474e85c3935a5b285afec93f4b59a62c30dd32\r\n2b54f945f5e3d226d3a09cdfcc41e311b039ceadf277310697672c8c706aa912\r\n2f9ba191689e69e9a4f79b96d66c0fee9626fbd0ea11e89c0129e5d13afe6d76\r\n3c8ad8264d7ce9c681c633265b531abb4cf9b64c2e1a3befadc64e66e1b5632e\r\n4175c7f8854e2152462058a3e2f23a9026477f9b8001923e2c59b195949070f5\r\n4f2ebe6f4fc345041643d5d7045886956fe121272fa70af08498a27135a72d97\r\n520ead3a863d4ea139f93bbad4d149a37ca766b38af0567f1f31a9205613b824\r\n614d0bece286af47db5a9f17d24778b16e30fea10ab8d4c7f0739246b83d8366\r\n6e79e2a567013cbeea1d13f3e6c883e56e66ab36de88802eb1313736c25293ec\r\n76f9615ce6ce6d20a9404b29649a4987a315c6b6fc703fa289da0aae37d39bce\r\na5b1ba27edee6953fa30771090387a5aca3e4d4541973df9b2e2b535444db5c3\r\nb8c1cb11108d62611ac8035701eea8bb90b55faff2d0a28c23e2dcced176a52f\r\nc4cba54bf57b3bc3bc8f1d71a7d78fcf25eae18d1d96ba4a4fa5eb8d6fb05e08\r\nc852ebf981daa4d17216a569425b6128f5f7f56d746d4aa03ffecef53fb2829b\r\nc8cbded2f6a5792c147a3362a4deb01a54a13fe9b5636367f2bb39084ed6e13a\r\ncdf6413b56618cd641f93c2ca7fa000c486f7f2455daa3e25459e0d1e72ecf45\r\nd50696eec5288f29994aa68b8f38c920f388a934f23855fb516fa94223c29ecc\r\nd6de67f2187d2fad2d88ca3561aa9f9bf3cecf2e303916df0fc892ed97d94ff5\r\nf08cbc1c5bca190bc34f7da3ad022d915758f5eb2c0902b13c44d50129763cf1\r\nf3b54507a82a17f4056baaa3cb24972a2dfa439fa9b04493db100edb191a239f\r\nfe18568eb574d8fa6c7d9bd7d8afa60d39aae0e582aff17c5986f9bab326ec8a\r\nUnpacked Bandook sample:\r\nfabce973a9edff2c62ccb6fdd5b14c422bc215284f952f6b31cc2c7d98856d57\r\nBandook user-agent:\r\nUser-Agent: Mozilla/4.0 (compatible; ALI)\r\nUser-Agent: Uploador\r\nCommand and Control URLs:\r\nhxxp://blancomed.com/newnjususus1/post.php\r\nhxxp://blancomed.com/newnjususus2/post.php\r\nhxxp://blancomed.com/newnjususus4/post.php\r\nhxxp://blancomed.com/newnjususus5/post.php\r\nhxxp://blombic.com/OSPSPSPS2222292929nnnxnxnxnxnx/add.php\r\nhxxp://blombic.com/uioncby281229hcbc2728hsha11kjddhwqqqqc/add.php\r\nhxxp://www.opwalls.com/tunnel2015/add.php\r\nhxxps://blancomed.com/newnjususus1/post.php\r\nhxxps://blancomed.com/newnjususus2/post.php\r\nhxxps://blancomed.com/newnjususus3/post.php\r\nhxxps://blancomed.com/newnjususus4/post.php\r\nhxxps://blancomed.com/newnjususus5/post.php\r\nhxxps://pronews.icu/aqecva/\r\nhxxps://pronews.icu/aqecva/add.php\r\nhxxps://pronews.icu/raxpafsd/images\r\nhxxps://pronews.icu/phpmyadmin\r\nhxxps://pronews.icu/cgi-bin\r\nhxxp://wbtogm.com\r\n/hc1/\r\n/hc2/\r\n/hc3/\r\n/hc4/\r\n/hc5/\r\n/hc1/images/\r\n/hc1/temp/\r\n/hc1/vk/\r\n/hc1/vk/19160/\r\n/hc1/index.php\r\n/hc1/search.php\r\n/hc1/view.php\r\n/hc1/tv.php\r\n/hc1/test.php\r\n/hc1/log.php\r\n/hc1/get.php\r\n/hc1/config.php\r\n/hc1/cm.php\r\n/hc1/auth.php\r\n/hc1/chrome.php\r\n/hc1/panel.php\r\n/hc1/validate.php\r\n/hc1/pws.php\r\n/hc1/vk.php\r\n/91SD8391AC/cap.abc\r\n/91SD8391AC/pws.abc\r\n/91SD8391AC/extra.abc\r\n/91SD8391AC/tv.abc\r\n/hc4/get.php?action=check\r\n/91SD8391AC/ammyy.abc\r\n/91SD8391AC/89911111111012\r\nCommand and Control Domains:\r\nmegadeb[.]com\r\nblancomed[.]com\r\nopwalls[.]com\r\nblombic[.]com\r\nwbtogm[.]com\r\nSource: https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot"
	],
	"report_names": [
		"dark-caracal-you-missed-spot"
	],
	"threat_actors": [
		{
			"id": "d4347dfe-2489-4fe4-8097-f4be33aadac2",
			"created_at": "2022-10-25T16:07:23.973289Z",
			"updated_at": "2026-04-10T02:00:04.815324Z",
			"deleted_at": null,
			"main_name": "Operation Manul",
			"aliases": [],
			"source_name": "ETDA:Operation Manul",
			"tools": [
				"Bandok",
				"Bandook",
				"JRat",
				"Jacksbot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8de10e16-817c-4907-bd98-b64cf4a3e77b",
			"created_at": "2022-10-25T15:50:23.552766Z",
			"updated_at": "2026-04-10T02:00:05.362919Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"Dark Caracal"
			],
			"source_name": "MITRE:Dark Caracal",
			"tools": [
				"FinFisher",
				"CrossRAT",
				"Bandook"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4a62c0be-1583-4d82-8f91-46e3a1c114e6",
			"created_at": "2023-01-06T13:46:38.73639Z",
			"updated_at": "2026-04-10T02:00:03.083265Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"G0070"
			],
			"source_name": "MISPGALAXY:Dark Caracal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af704c54-a580-4c29-95f2-82db06fbb6f9",
			"created_at": "2022-10-25T16:07:23.525064Z",
			"updated_at": "2026-04-10T02:00:04.64019Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"ATK 27",
				"G0070",
				"Operation Dark Caracal",
				"TAG-CT3"
			],
			"source_name": "ETDA:Dark Caracal",
			"tools": [
				"Bandok",
				"Bandook",
				"CrossRAT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy",
				"Pallas",
				"Trupto"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439040,
	"ts_updated_at": 1775792056,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99af637aa402063462556560e1745ba743af8711.pdf",
		"text": "https://archive.orkl.eu/99af637aa402063462556560e1745ba743af8711.txt",
		"img": "https://archive.orkl.eu/99af637aa402063462556560e1745ba743af8711.jpg"
	}
}