{
	"id": "593c2dec-6fdf-4e8f-aefd-74eb50e3eeb6",
	"created_at": "2026-04-06T00:17:30.751835Z",
	"updated_at": "2026-04-10T03:21:11.973188Z",
	"deleted_at": null,
	"sha1_hash": "9aad8c11473e303fc010374309523c4f7189c253",
	"title": "Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC - Arctic Wolf",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1092224,
	"plain_text": "Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC\r\n- Arctic Wolf\r\nBy Arctic Wolf Labs\r\nPublished: 2025-07-19 · Archived: 2026-04-05 12:49:41 UTC\r\nSummary\r\nA financially-motivated threat actor, active since early 2021, has been targeting Mexican organizations with\r\ncustom packaged installers that deliver a modified version of AllaKore RAT. Arctic Wolf® documented 2022 and\r\n2023 campaign samples from this unidentified threat actor in a previous report. We are now referring to this group\r\nas Greedy Sponge, due to its financial focus and prior use of a popular “SpongeBob” meme on its C2.\r\nThere have been a number of notable changes since we last reported on this threat group. The AllaKore RAT\r\npayload has been heavily modified to enable the threat actors to send select banking credentials and unique\r\nauthentication information back to their command-and-control (C2) server, for the purpose of conducting financial\r\nfraud.\r\nAllaKore has also recently been seen delivering a secondary infection of SystemBC, a multi-platform malware\r\nproxy tool written in C that can be used to download and execute additional malware.\r\nSince the middle of 2024, the installation and post-exploitation processes the group uses were updated to include\r\nbetter geofencing and more potent secondary infections. Historically, geofencing to the Mexican region took place\r\nin the first stage, via a .NET downloader included in the trojanized Microsoft software installer (MSI) file. 
This\r\nhas now been moved server-side to restrict access to the final payload, thus hampering detection efforts by\r\ndefenders.\r\nhttps://arcticwolf.com/resources/blog/greedy-sponge-targets-mexico-with-allakore-rat-and-systembc/\r\nPage 1 of 17\n\nFigure 1: Previous and current execution chains.\r\nWeaponization and Technical Overview\r\nWeapons: Malicious MSI installer, .NET downloader, customized AllaKore RAT, SystemBC.\r\nAttack Vector: Spear-phishing, drive-by.\r\nNetwork Infrastructure: Servers hosted on Hostwinds.\r\nTargets: Medium to large Mexican companies.\r\nVictimology\r\nThe Greedy Sponge threat group specializes in targeting Mexican organizations. All phishing sites uncovered\r\nduring the course of this investigation emulate Mexican business sites, and delivery filenames are in Spanish.\r\nDomain registration also points to Mexico as the organization’s location, or base of operations. Previous\r\ncampaigns specifically check Mexico as the IP point of origin through the .NET loader, while new campaigns\r\nperform the same check server-side on the delivery infrastructure.\r\nTargeting continues to be indifferent to industry, as long as there’s money to be stolen from the targeted\r\ncompanies. Organizations identified in this and prior campaigns are spread across a wide range of sectors,\r\nincluding Retail, Agriculture, Public Sector, Entertainment, Manufacturing, Transportation, Commercial Services,\r\nCapital Goods, and Banking.\r\nTechnical Analysis\r\nAttack Vector\r\nIn this new campaign, zip files are delivered to the target containing a legitimate Chrome proxy executable and a\r\ncompressed MSI file that has been trojanized to download Greedy Sponge’s custom AllaKore remote access trojan\r\n(RAT). 
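The delivery archive described above, treated as a triage exercise. The script below is an added example, not code from Arctic Wolf: it rebuilds the nested layout in memory from constructed placeholder bytes (the real samples are not embedded here) and walks it recursively, classifying each entry by magic number rather than by extension. That is what exposes the two tells of this package: an executable named __ with no extension, and an MSI shipped inside a second zip. The flag names, the extension list and the recursion limit are assumptions.

```python
import io
import os
import zipfile

# Magic numbers for the three file types in this delivery chain (assumption:
# nothing else needs classifying for this triage).
MAGICS = (
    (bytes.fromhex('4d5a'), 'pe'),                # MZ header: Windows executable
    (bytes.fromhex('504b0304'), 'zip'),           # local file header of a zip archive
    (bytes.fromhex('d0cf11e0a1b11ae1'), 'ole'),   # OLE compound file, the MSI container
)
EXECUTABLE_EXTS = ('.exe', '.dll', '.scr', '.com', '.sys')
MAX_DEPTH = 3  # stop recursing into deliberately deep archives


def sniff(data):
    # Classify by leading bytes, ignoring whatever the filename claims.
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return 'other'


def triage_zip(data, depth=0, prefix=''):
    # Returns (path, kind, flags) for every file entry, recursing into nested zips.
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            content = zf.read(info)
            kind = sniff(content)
            ext = os.path.splitext(info.filename)[1].lower()
            flags = []
            if kind == 'pe' and ext not in EXECUTABLE_EXTS:
                flags.append('pe_with_non_executable_name')   # the __ file
            if kind == 'ole' and ext == '.msi' and depth >= 1:
                flags.append('msi_in_nested_archive')          # the compressed MSI
            if kind == 'zip':
                flags.append('nested_archive')
            findings.append((path, kind, tuple(flags)))
            if kind == 'zip' and depth < MAX_DEPTH:
                findings.extend(triage_zip(content, depth + 1, path + '/'))
    return findings


def is_suspicious(findings):
    return any(flags for _, _, flags in findings)


def build_sample():
    # Constructed stand-in for Actualiza_Policy_v01.zip: placeholder bytes carrying
    # the right magic numbers, not the real chrome_proxy.exe or the real MSI.
    pe_stub = bytes.fromhex('4d5a9000') + b'placeholder for chrome_proxy.exe'
    msi_stub = bytes.fromhex('d0cf11e0a1b11ae1') + b'placeholder for the trojanized MSI'
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, 'w') as zf:
        zf.writestr('InstalarActualiza_Policy.msi', msi_stub)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, 'w') as zf:
        zf.writestr('__', pe_stub)
        zf.writestr('Instalacion_ActualizaPolicy.zip', inner.getvalue())
    return outer.getvalue()


if __name__ == '__main__':
    results = triage_zip(build_sample())
    for path, kind, flags in results:
        print(path, kind, ', '.join(flags) or '-')
    print('suspicious:', is_suspicious(results))
```

On the constructed sample this reports the __ entry as a PE with a non-executable name, the inner zip as a nested archive, and the MSI as an MSI inside a nested archive; run it over a real attachment by passing the file bytes to triage_zip.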
A secondary infection of SystemBC is optionally delivered by the actor.\r\nIn addition, lures sent to victims previously linking to Mexico’s Institute of Social Security – the Instituto\r\nMexicano del Seguro Social (IMSS) – have been dropped in favor of a more generic policy update naming\r\nschema, InstalarActualiza_Policy.msi, meaning “Install update policy” in the Spanish language.\r\nAlthough Mexican banks have been specifically targeted by this threat actor in the past, any company based in\r\nMexico runs the risk of being hit by this trojan, as their tactics evolve over time.\r\nDelivery\r\nMD5 35932f5856dbf8ba51e048b3b2bb2d7b\r\nSHA-256 c3e7089e47e5c9fc896214bc44d35608854cd5fa70ae5c19aadb0748c6b353d6\r\nFile Name Actualiza_Policy_v01.zip\r\nFile Size 2388582 bytes\r\nThis file has the following structure:\r\nActualiza_Policy_v01.zip\r\n    __\r\n    Instalacion_ActualizaPolicy.zip\r\n        InstalarActualiza_Policy.msi\r\n“__” is a legitimate version of chrome_proxy.exe, a binary proxy to Chrome, distributed by Google.\r\nMD5 63a5bc24837a392bc56de93b28c7d011\r\nSHA-256 c9319b60fdde49e0b7cc4cdad7525643456420c4532a6cc2ae38672842eb48ed\r\nFile Name __, chrome_proxy.exe\r\nFile Size 1039976 bytes\r\nInstalarActualiza_Policy.msi is built with Advanced Installer 20.6 build 7c7b154c. This file deploys a .NET\r\ndownloader and a PowerShell script for cleanup. The .NET file is named Gadget.exe and is included in the\r\nAI_ChainedPackageFile. 
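The .NET downloader carries its user-agent (the Mozilla/4.0 string listed under Network Infrastructure) as a base64 string, and that encoded form is what the first YARA rule in the appendix matches as a wide (UTF-16LE) hex pattern. The following script is an added example, not Arctic Wolf code: it rebuilds that hex pattern from the user-agent, applies the rule's two conditions (MZ header present, string present) to a constructed buffer, and shows that a search for the plaintext user-agent would miss the same buffer. The sample buffer layout and the helper names are assumptions.

```python
import base64

# User-agent reported for the Greedy Sponge .NET downloader.
USER_AGENT = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)'


def wide_b64(text):
    # The downloader keeps the UA base64-encoded, and a .NET string literal is stored
    # UTF-16LE in the assembly's user-string heap, so the bytes on disk are the UTF-16LE
    # form of the base64 text. That is the byte sequence the YARA rule's hex encodes.
    b64 = base64.b64encode(text.encode('ascii')).decode('ascii')
    return b64.encode('utf-16-le')


def to_yara_hex(pattern):
    # Space-separated hex, the form YARA expects inside a hex string.
    return ' '.join('%02x' % b for b in pattern)


def find_all(buf, pattern):
    # All offsets of pattern in buf (overlapping matches included).
    offsets, start = [], 0
    while True:
        i = buf.find(pattern, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def match_rule(buf, pattern):
    # Mirrors the rule condition: uint16(0) == 0x5A4D is the little-endian MZ header,
    # and the string must occur somewhere in the file.
    return buf[:2] == b'MZ' and len(find_all(buf, pattern)) > 0


def build_sample(string_bytes):
    # Constructed stand-in for a small PE image: MZ stub, filler, then the string as it
    # would sit in the user-string heap. Not a real Gadget.exe sample.
    return bytes.fromhex('4d5a9000') + b'A' * 64 + string_bytes + b'A' * 64


PATTERN = wide_b64(USER_AGENT)


def demo():
    encoded_sample = build_sample(PATTERN)
    plain_sample = build_sample(USER_AGENT.encode('ascii'))
    return dict(
        yara_hex=to_yara_hex(PATTERN),
        hits_encoded=find_all(encoded_sample, PATTERN),
        rule_on_encoded=match_rule(encoded_sample, PATTERN),
        rule_on_plain=match_rule(plain_sample, PATTERN),
        plain_search_on_encoded=len(find_all(encoded_sample, USER_AGENT.encode('ascii'))) > 0,
    )


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

The printed yara_hex reproduces the $s1 string of the appendix rule (it starts 54 00 57 00 39 00 36 00 and ends 3d 00 3d 00), the rule fires on the encoded sample and not on the plaintext one, and a plaintext search misses the encoded sample; the same three steps (encode as the malware stores it, render as hex, confirm on a known file) apply when building a wide string pattern for any other .NET loader.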
The internal name of the file is Tweaker.exe and it is responsible for downloading and\r\ndeploying the custom AllaKore RAT.\r\nMD5 42300099a726353abfddbfdd5773de83\r\nSHA-256 a83f218d9dbb05c1808a71c75f3535551b67d41da6bb027ac0972597a1fc49fe\r\nFile Name Gadget.exe, Tweaker.exe\r\nFile Size 75264 bytes\r\nCreated 2084-06-18 18:54:16 UTC*\r\n* 2084-06-18 is not a typo; the compile timestamp lies in the future, so the PE header timestamp cannot be taken as the real build time (deterministic .NET builds write a content hash into that field rather than a clock value, which commonly yields dates after 2038).\r\nFigure 2: .NET downloader base64 encoded requests.\r\nGadget.exe downloads the zip file metsys.zip from hxxps://manzisuape[.]com/amw/. It is then decompressed into\r\nkgm.exe, which is the AllaKore RAT payload.\r\nFile_deleter.ps1 remains from previous campaigns to clean up the %APPDATA% directory used for downloading\r\nand deploying the RAT.\r\nWhat is AllaKore RAT?\r\nAllaKore RAT is a simple, open-source remote access tool written in Delphi, first observed in 2015. Arctic Wolf\r\nLabs researchers* observed an attack in early 2024 targeting companies in Mexico that had more than $100M in\r\nannual revenue, including banks and cryptocurrency trading platforms. An AllaKore variant known as AllaSenha\r\nwas subsequently used in May 2024 to target banking entities across Brazil.\r\nAllaKore is a potent spying and exfiltration tool. It has the capability to keylog, screenshot, upload/download\r\nfiles, and even take remote control of the victim’s device.\r\n*Arctic Wolf acquired Cylance® from BlackBerry® in February 2025. 
The BlackBerry Threat Research and\r\nIntelligence team is now part of Arctic Wolf Labs.\r\nMD5 ac2fa680544b1b1e452753b78b460a59\r\nSHA-256 4f08865b1bdcc0e27e34bbd722279de661c92ce9aafb9fced1b5de1275887486\r\nFile Name kgm.exe, chancla.exe, ChromeUpd.exe\r\nFile Size 8671744 bytes\r\nCreated 2024-11-04 13:43:31\r\nOriginal Name ChromeUpd.exe\r\nInternal Name Chrome Update Set\r\nFile Version 1.1.0.0\r\nSamples with the same internal name “Chrome Update Set” go back to May 2024 and utilize the same delivery\r\nand C2 infrastructure, though updates to the secondary infection endpoints from license.txt to z2.txt and z3.txt\r\nhave occurred.\r\nAfter running, AllaKore maintains persistence in the system with an updated version downloaded at the URI\r\n/z1.txt and placed in the device’s Startup folder.\r\nFigure 3: Disassembly of AllaKore’s update and persistence mechanism.\r\nSecondary infections are downloaded to file.exe in the user’s AppData\\Roaming directory (%APPDATA%) and immediately executed.\r\nFigure 4: Disassembly of AllaKore’s secondary infection download.\r\nAt the time of writing, the trenipono[.]com endpoints are as follows:\r\nz1.txt    version_190_hxxps://manzisuape[.]com/ao/190[.]exe\r\nz2.txt    hxxp://142.11.199[.]35/pnp.exe\r\nz3.txt    hxxp://142.11.199[.]35/pnp.exe\r\nSince our previous report, internal custom functions have been expanded, most likely to ease the structured\r\ncopying of information back to the threat actor’s servers. 
Most are related to updated authentication on target\r\nbanking sites and stealing authentication artifacts such as credentials and tokens.\r\nPnp.exe is a user account control (UAC) bypass utilizing CMSTP, compiled from a public repository (linked in the original post) or a fork of it. The Microsoft\r\nConnection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection\r\nManager service profiles, but it can be abused by adversaries, who use it to proxy execution of malicious code.\r\nThe code is identical to the repository but sets the service to “Actualizando” (Spanish for “updating”). It delivers\r\nthe same loader that is packaged in the MSI, but instead it is pointed to a malicious SystemBC v2 binary hosted at\r\nhxxps://masamadreartesanal[.]com/tag/ss[.]exe.\r\nFigure 5: CMSTP Bypass structure and secondary infection execution chain.\r\nThis latest addition is a measured increase in capability. Development by this threat actor since 2021 has shown\r\nslow but steady progress, as the group works to improve the delivery and post-exploitation process from a simple\r\nzipped open-source RAT to a highly modified payload and the utilization of red teaming tools.\r\nNetwork Infrastructure\r\nGreedy Sponge’s network infrastructure has maintained hosting through Hostwinds in Dallas, Texas, while current\r\ndomains are limited to those registered through NICENIC INTERNATIONAL GROUP CO., LIMITED, with non-U.S. 
registrar countries.\r\nDomain Type\r\nglossovers[.]com Phishing\r\nlogisticasmata[.]com Phishing\r\ninmobiliariaarte[.]com Phishing\r\nmx-terrasabvia[.]com Phishing\r\nelitesubmissions[.]com Phishing\r\npasaaportes-citas-srre-gob[.]com Phishing\r\narimateas[.]com Phishing\r\ncleanmades[.]com Phishing\r\npachisuave[.]com SystemBC C2\r\nmanzisuape[.]com AllaKore C2\r\ntrenipono[.]com Delivery\r\nmetritono[.]com Delivery\r\nmasamadreartesanal[.]com Delivery\r\nThe .NET downloader uses a unique user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;). This user-agent is typically seen in .NET downloader samples that download AllaKore RAT and\r\nSystemBC.\r\nIP Addresses\r\nThe following are IP addresses associated with this campaign:\r\n254.133[.]54 – All phishing sites are located on the same Hostwinds-hosted server.\r\n142.11.199[.]35 – Currently trenipono[.]com, this has been part of the group’s C2 infrastructure since July\r\n2024. This IP has overlap with previously used campaign domains, including chuacheneguer[.]com and\r\nflapawer[.]com.\r\nThe major change to operations here is the secondary infection of SystemBC. All samples identified have used\r\npachisuave[.]com over port 4404. While the .NET loader for this file is delivered from 142.11.199[.]35,\r\nmasamadreartesanal[.]com/tag/ss[.]exe is the endpoint that actually hosts the final payload.\r\nAttribution\r\nGreedy Sponge has been active since at least late 2021. Having spent those four years-plus actively targeting\r\nMexican entities, we would deem this threat actor persistent, but not particularly advanced. 
The strictly financial\r\nmotivation of this actor coupled with their limited geographic targeting is highly distinctive.\r\nAdditionally, their operational longevity points to probable operational success – meaning they’ve found\r\nsomething that works for them, and they are sticking with it. Greedy Sponge has held the same infrastructure\r\nmodels for the duration of their campaigns. Their infrastructure is hosted in Texas, which is geographically close\r\nto Mexico but also out of the country, limiting the reaches of law enforcement jurisdiction.\r\nGreedy Sponge’s location-based characteristics can be summed up as follows:\r\nNetflow data identified RDP access to the C2 from Mexico\r\nGeographically limited targeting to Mexico\r\nDevelopment in the Spanish language\r\nIn-depth knowledge of Mexican economics and government regulatory bodies\r\nThe custom functionality built into the RAT is unique with regards to how data is sent back to their C2. The data\r\nsent from the RAT’s client is specially structured into strings for server-side ingestion as unique tokens and credentials.\r\nThe simplicity of this credential copying process strongly suggests a tiered operation, with hands-on operators\r\nstealing data from victims and sending it back to the C2 to be used in fraudulent banking operations.\r\nProactive Recommendations\r\nAs a financially motivated threat actor, Greedy Sponge has exclusively targeted organizations within Mexico since\r\nthey began their operation in 2021. 
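One way to turn the indicators from the Network Infrastructure section into a detection that runs over web proxy logs, added here as an illustration rather than code from Arctic Wolf: the script refangs the report's bracketed domains, matches destination hosts against them (subdomains included), and adds the context-specific checks that the indicators themselves do not give you: the downloader's user-agent, the /z1.txt to /z3.txt staging URIs, the one fully specified IP (142.11.199[.]35) and the port 4404 SystemBC channel to pachisuave[.]com. The pipe-separated log schema, the tag names and the log lines are constructed for the example.

```python
from urllib.parse import urlsplit


def refang(indicator):
    # Turn the report's defanged form (hxxp, [.]) back into a matchable value.
    return (indicator.replace('[.]', '.')
                     .replace('hxxps://', 'https://')
                     .replace('hxxp://', 'http://'))


# Domains from the report's Network IOCs, refanged once at import time.
IOC_DOMAINS = set(refang(d) for d in (
    'glossovers[.]com', 'logisticasmata[.]com', 'inmobiliariaarte[.]com',
    'mx-terrasabvia[.]com', 'elitesubmissions[.]com', 'pasaaportes-citas-srre-gob[.]com',
    'arimateas[.]com', 'cleanmades[.]com', 'capitolioeventos[.]com',
    'pachisuave[.]com', 'manzisuape[.]com', 'siperasul[.]com', 'cupertujo[.]com',
    'idaculipa[.]com', 'mepunico[.]com', 'barrosuon[.]com', 'tlelmeuas[.]com',
    'trenipono[.]com', 'kalichepa[.]com', 'metritono[.]com', 'masamadreartesanal[.]com',
))
IOC_IPS = set([refang('142.11.199[.]35')])
DOWNLOADER_UA = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)'
STAGING_PATHS = ('/z1.txt', '/z2.txt', '/z3.txt')   # AllaKore update and secondary-infection checks
SYSTEMBC_C2 = (refang('pachisuave[.]com'), 4404)


def domain_matches(host, iocs):
    # Match the host or any parent domain, so cdn.manzisuape.com alerts as well.
    labels = host.lower().split('.')
    return any('.'.join(labels[i:]) in iocs for i in range(len(labels) - 1))


def evaluate(rec):
    # rec is a record from parse_line; returns the list of alert tags it raises.
    tags = []
    host = rec['host'].lower()
    if domain_matches(host, IOC_DOMAINS):
        tags.append('ioc_domain')
    if host in IOC_IPS:
        tags.append('ioc_ip')
    if rec['user_agent'] == DOWNLOADER_UA:
        tags.append('downloader_user_agent')
    if rec['path'] in STAGING_PATHS:
        tags.append('allakore_staging_uri')
    if (host, rec['port']) == SYSTEMBC_C2:
        tags.append('systembc_c2_port')
    return tags


def parse_line(line):
    # Constructed schema for this example: ts|src_ip|method|url|user_agent
    ts, src, method, url, ua = line.rstrip().split('|', 4)
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == 'https' else 80)
    return dict(ts=ts, src=src, method=method, host=u.hostname or '',
                port=port, path=u.path, user_agent=ua)


def run(lines):
    # Returns (line_number, tags) for every line that raised at least one tag.
    hits = []
    for n, line in enumerate(lines, 1):
        tags = evaluate(parse_line(line))
        if tags:
            hits.append((n, tags))
    return hits


# Constructed log lines, not captured traffic; the hosts are the report's IOCs refanged.
SAMPLE_LOG = [
    '2025-05-02T14:03:11Z|10.0.0.23|GET|https://manzisuape.com/amw/metsys.zip|' + DOWNLOADER_UA,
    '2025-05-02T14:03:40Z|10.0.0.23|GET|https://trenipono.com/z1.txt|Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
    '2025-05-02T14:04:02Z|10.0.0.23|GET|http://142.11.199.35/pnp.exe|Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
    '2025-05-02T14:05:15Z|10.0.0.23|CONNECT|tcp://pachisuave.com:4404/|-',
    '2025-05-02T14:06:00Z|10.0.0.41|GET|https://www.example.com/index.html|Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
]

if __name__ == '__main__':
    for n, tags in run(SAMPLE_LOG):
        print(n, ', '.join(tags))
```

The behavioural tags (user-agent, staging URI, port 4404) are the ones worth keeping after the listed domains rotate, since this actor has changed domains between campaigns while keeping the same delivery pattern; the partial phishing-server address printed in the report is left out on purpose because an incomplete IP cannot be matched safely.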
If your organization is located in Mexico or conducts business operations in\r\nthe country—regardless of industry—it is entirely plausible Greedy Sponge could target your organization in\r\nfuture campaigns.\r\nAlthough we do not have visibility into recent delivery techniques used by Greedy Sponge, the threat actor has\r\nhistorically used phishing emails and drive-by downloads to deliver their custom AllaKore RAT. In both cases,\r\nuser interaction is needed to successfully compromise an organization.\r\nUser education, either through comprehensive security awareness training or simulated phishing exercises, can\r\nhelp employees identify social engineering techniques threat actors use to trick users. Consider using the recent\r\nGreedy Sponge campaign as a case study to demonstrate what a threat actor can do once they have successfully\r\nsocially engineered a user.\r\nAdditionally, ensure users only download software updates from approved business sources and not unknown,\r\nthird-party sources. In at least one case, Greedy Sponge bundled AllaKore RAT with a legitimate binary proxy to\r\nChrome, almost certainly to trick the victim into thinking the malicious file was a Chrome update.\r\nInitial access is just one part of the kill chain. Once Greedy Sponge obtains access, they use a PowerShell script to\r\nhide their tracks. Arctic Wolf Labs is continuously investigating intrusions where PowerShell is used extensively\r\nthroughout all phases of the kill chain. Enabling PowerShell Module Logging, Script Block Logging, and\r\nTranscription Logging can greatly increase your organization’s ability to detect and prevent malicious activity\r\nbefore actions on objectives. Taking these proactive measures can help prevent keylogging and data exfiltration by\r\nthis threat actor.\r\nConclusion\r\nThe financially-motivated threat actor Greedy Sponge has been targeting Mexican entities since 2021. 
They have\r\nshown consistent development of the tactics, techniques, and procedures (TTPs) used in their operating realm. The\r\nlarge amount of activity found in open-source data sets and seen in Arctic Wolf’s internal telemetry demonstrates a\r\nhighly functional and persistent group.\r\nBarring disruption by law enforcement, it’s likely that Greedy Sponge will continue to evolve and remain a threat\r\nto Mexican entities in the coming years.\r\nHow Arctic Wolf Protects its Customers\r\nArctic Wolf is committed to ending cyber risk with its customers, and when active campaigns are identified we\r\nmove quickly to protect our customers.\r\nArctic Wolf Labs has leveraged threat intelligence around Greedy Sponge’s activity to implement new detections\r\nin the Arctic Wolf® Aurora™ Platform to protect customers. As we discover new information, we will enhance\r\nour detections to account for additional IOCs and techniques leveraged by this threat actor.\r\nAppendix\r\nIndicators of Compromise (IOCs)\r\nFile IOCs\r\nSHA-256 Type\r\n20fe630a63dd1741ec4ade9fe05b2e7e57208f776d5e20bbf0a012fea96ad0c0 AllaKore\r\nf76b456cf2af1382325c704bf70b5168d28d30da0f3d0a5207901277e01db395 AllaKore\r\n4bf4bcf1cc45d9e50efbd184aad827e2c81f900a53961cf4fbea90fa31ca7549 AllaKore\r\nfed1c094280d1361e8a9aafdb4c1b3e63e0f2e5bb549d5d737d0a33f2b63b4b8 AllaKore\r\n5d16547900119112c12a755e099bed1fafe1890869df4db297a6a21ec40185b0 AllaKore\r\ne9cd7c4db074c8e7c6b488a724be1cd05c8536dae28674ce3aa48ebb258e3c31 AllaKore\r\n32ef3a0da762bc88afb876537809350a885bbbc3ec59b1838e9e9ccc0a04b081 AllaKore\r\nd8343068669d8fbb52b0af87bd3d4f3579d76192d021b37b6fd236b0973e4a5d AllaKore\r\n53b85d1b7127c365a4ebae5f22ed479cd5d7e9efc716fb9df68ebdd18551834a AllaKore\r\n84b046a4dbfcd9d4b2d62b4bc8faaf4c6395696f1e688f464bc9e0b760885263 AllaKore\r\n50e5cd438024b34ba638e170f6e4595b0361dedb0ea925d06d06f68988468ddf 
AllaKore\r\n9170503615e4d2cf1d67f0935ded3ce36a984247ae7f9ab406d81ebe1daf3604 ZIP\r\nc3e7089e47e5c9fc896214bc44d35608854cd5fa70ae5c19aadb0748c6b353d6 ZIP\r\n8bf0d693033a761843ae20c7e118c05f851230cb95058f836ffe2b51770f788a .NET Downloader\r\na83f218d9dbb05c1808a71c75f3535551b67d41da6bb027ac0972597a1fc49fe .NET Downloader\r\n21614973732d4012889da2e1538b20fd1c0aefdb1d1452d79fd9a1bc06d569da .NET Downloader\r\na8abffa5d7259a94951d96ad3d60e8910927b5d0697f8edece2e295154e00832 .NET Downloader\r\n12557dcf9c9a609521d7a2cc84a7e6fb95a93957aed6bda0f9644e96dfbbc180 .NET Downloader\r\ndcfa26a38a5af8a072104854fba1b7c0aa9ec99875d35dbd623c12932df44969 .NET Downloader\r\nbd299b5e3d7645b10286410f98f6ec79d803ce2b977c61e49f2dc26285823c99 .NET Downloader\r\n681b15a43925e02d7f4f0c9e554e8d73e230931ce6634f49dd5b204afd03d20c .NET Downloader\r\ne9b9cdb713bfea40e13acffbe90faa536df206675819035835ce9218365cd118 .NET Downloader\r\n65fc84ffd9be05720b700292b7dbc0ac8afa7faaadf6fcd4485ce34785ba0932 .NET Downloader\r\n3b0772608844821555bb90e0218972f89f421dad9b1f7bd1918de26a929e998f .NET Downloader\r\nbb3f433799c30a8aad5257abc2df479ecad058f6099fd89fb8e7c278dfe3be45 .NET Downloader\r\n34e347d1c9ce80b4e2b77f2de5aa7b4d98084704896bd169338c6d4b440e16c3 .NET Downloader\r\n5b51d1682cbd40cc6eca23333554ab16b7ed4bbd727712b3a00b07c24e629863 .NET Downloader\r\n544091acb5807aaac32ca4843bb85c4aa7ce0ab0acda296efa1a23fe3c181b7e .NET Downloader\r\n8634988a90e69d8e657f72cf5f599176be5854448e0544abc42eb49b0c245f0c .NET Downloader\r\n79a5ac15d0de66df3dd00a4148aa76dc183ebf47553fbcc5355f4902dc981267 .NET Downloader\r\ndc409e9fa8b8c031c347d9c36f5732ea03e246c29d73e3425e4e8aaa1da6ff7c .NET Downloader\r\nf5adef8c202e62125be49f748ed3b30b34e0fb2c9539c805dd96a75a26c7ddc4 .NET Downloader\r\nc33723a6c0ece4f790396f5fd5133cf384143736e6acd06e1d7642c04757bbae .NET 
Downloader\r\ne4a6be2fb70603f1545641240680b44e21b5601e8016c0d144711423eef9778e .NET Downloader\r\n0dbaf8970c0620e1b5902fd87c1cd0e72e917c45add84a024338c0481b5e161c CMSTPBypass\r\ne848a0f1900e2f0be9ed1ea8e947ae3bae14e78f3ff81c02d8e5a54353cdbac8 MSI\r\nb9bb43b725a454e826ab64fdd6256af809c60119dab2876d081b3721d226c672 MSI\r\n3729396b11c69c60f9d096ce726f4cc5b4ed2054d89f7d195e998456de7fb229 MSI\r\n73a46441a7135296d1070f5905a5cb6453ea8511a99a3b9c76060069aa7abcef MSI\r\n974c221c75c35d03dd2158d1d1a0a72a7ae85a6f7c1c729977f3676f946758ee MSI\r\nNetwork IOCs\r\nDomain Type\r\nglossovers[.]com Phishing\r\nlogisticasmata[.]com Phishing\r\ninmobiliariaarte[.]com Phishing\r\nmx-terrasabvia[.]com Phishing\r\nelitesubmissions[.]com Phishing\r\npasaaportes-citas-srre-gob[.]com Phishing\r\narimateas[.]com Phishing\r\ncleanmades[.]com Phishing\r\ncapitolioeventos[.]com Phishing\r\npachisuave[.]com SystemBC C2\r\nmanzisuape[.]com AllaKore C2\r\nsiperasul[.]com AllaKore C2\r\ncupertujo[.]com AllaKore C2\r\nidaculipa[.]com AllaKore C2\r\nmepunico[.]com AllaKore C2\r\nbarrosuon[.]com AllaKore C2\r\ntlelmeuas[.]com AllaKore C2\r\ntrenipono[.]com Delivery\r\nkalichepa[.]com Delivery\r\nmetritono[.]com Delivery\r\nmasamadreartesanal[.]com Delivery\r\nDetections\r\nYARA Rules\r\nrule fin_greedy_sponge_downloader_b64_useragent_string {\r\n    meta:\r\n        author = \"The Arctic Wolf Labs team\"\r\n        description = \"Locates unique strings to the Greedy Sponge .NET downloaders.\"\r\n        date = \"2025-04-09\"\r\n    strings:\r\n        // b64 unicode of Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)\r\n        $s1 = {54 00 57 00 39 00 36 00 61 00 57 00 78 00 73 00 59 00 53 00 38 00\r\n               30 00 4c 00 6a 00 41 00 67 00 4b 00 47 00 4e 00 76 00 62 00 58 00 42 00\r\n               68 00 64 00 
47 00 6c 00 69 00 62 00 47 00 55 00 37 00 49 00 45 00 31 00\r\n               54 00 53 00 55 00 55 00 67 00 4e 00 69 00 34 00 77 00 4f 00 79 00 42 00\r\n               58 00 61 00 57 00 35 00 6b 00 62 00 33 00 64 00 7a 00 49 00 45 00 35 00\r\n               55 00 49 00 44 00 55 00 75 00 4d 00 6a 00 73 00 67 00 4c 00 6b 00 35 00\r\n               46 00 56 00 43 00 42 00 44 00 54 00 46 00 49 00 67 00 4d 00 53 00 34 00\r\n               77 00 4c 00 6a 00 4d 00 33 00 4d 00 44 00 55 00 37 00 4b 00 51 00 3d 00 3d 00}\r\n    condition:\r\n        uint16(0) == 0x5A4D and all of them\r\n}\r\nrule fin_greedy_sponge_custom_allakore_rat {\r\n    meta:\r\n        author = \"The Arctic Wolf Labs team\"\r\n        description = \"Find custom function names and prefixes in Greedy Sponge allakore variant.\"\r\n        date = \"2025-04-09\"\r\n    strings:\r\n        $cnc1 = \"{ESCAPAR}\" wide\r\n        $cnc2 = \"{MENSAJE\" wide\r\n        $cnc3 = \"{DESTRABA\" wide\r\n        $cnc4 = \"{TOKEN\" wide\r\n        $cnc5 = \"{TRABAR\" wide\r\n        $cnc6 = \"{CLIPBOARD}\" wide\r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        3 of ($cnc*) and\r\n        filesize \u003e 5MB and filesize \u003c 12MB\r\n}\r\nDetailed MITRE ATT\u0026CK® Mapping\r\nTactic / Technique (Sub-Technique Name) / Context\r\nReconnaissance\r\nT1591.001 – Gather Victim Org Information: Determine Physical Location\r\nAttacker restricts the malware execution to systems physically located in Mexico.\r\nDefense Evasion\r\nT1027.015 – Obfuscated Files or Information: Compression\r\nZip files are delivered containing Greedy Sponge’s custom AllaKore RAT.\r\nDefense Evasion\r\nT1218.007 – System Binary Proxy Execution: Msiexec\r\nAn MSI file has been trojanized to download Greedy Sponge’s custom AllaKore RAT.\r\nExecution\r\nT1204.002 – User Execution: Malicious File\r\nGreedy Sponge has gained execution through victims opening malicious files embedded in a zip file.\r\nCommand and Control\r\nT1105 – Ingress Tool Transfer\r\nAttacker 
downloads Greedy Sponge’s custom AllaKore RAT.\r\nExecution\r\nT1059.005 – Command and Scripting Interpreter: PowerShell\r\nInstalarActualiza_Policy.msi deploys a PowerShell script for cleanup of the %APPDATA% directory.\r\nDefense Evasion\r\nT1070.004 – Indicator Removal: File Deletion\r\nInstalarActualiza_Policy.msi deploys a PowerShell script to clean up the %APPDATA% directory used for downloading and deploying the RAT.\r\nCommand and Control\r\nT1132.001 – Data Encoding: Standard Encoding\r\nThe .NET downloader Base64-encodes its requests.\r\nCommand and Control\r\nT1071.001 – Application Layer Protocol: Web Protocols\r\nAttacker communicates over HTTPS to download the RAT.\r\nDefense Evasion\r\nT1140 – Deobfuscate/Decode Files or Information\r\nmetsys.zip is decompressed into kgm.exe, which is the AllaKore RAT.\r\nCollection\r\nT1056.001 – Input Capture: Keylogging\r\nAllaKore RAT has the capability to keylog.\r\nCollection\r\nT1113 – Screen Capture\r\nAllaKore RAT has the capability to take screenshots.\r\nPersistence\r\nT1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nAllaKore RAT maintains persistence in the system using the Startup folder.\r\nExfiltration\r\nT1041 – Exfiltration Over C2 Channel\r\nAttacker copies collected information back to the threat actor’s servers.\r\nCredential Access\r\nT1555 – Credentials from Password Stores\r\nAttacker has collected information about authentication on target banking sites, and steals authentication artifacts such as credentials and tokens.\r\nPrivilege Escalation\r\nT1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control\r\nPnp.exe is a user account control (UAC) bypass utilizing CMSTP, compiled from a public repository (linked in the original post) or a fork of it.\r\nDefense 
Evasion\r\nT1218.003 – System Binary Proxy Execution: CMSTP\r\nPnp.exe uses CMSTP, compiled from a public repository (linked in the original post) or a fork of it, to bypass UAC.\r\nAbout Arctic Wolf Labs\r\nArctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who\r\nexplore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and\r\nrefine advanced threat detection models with artificial intelligence and machine learning, and drive continuous\r\nimprovement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.\r\nArctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security\r\ncommunity at large.\r\nSource: https://arcticwolf.com/resources/blog/greedy-sponge-targets-mexico-with-allakore-rat-and-systembc/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://arcticwolf.com/resources/blog/greedy-sponge-targets-mexico-with-allakore-rat-and-systembc/"
	],
	"report_names": [
		"greedy-sponge-targets-mexico-with-allakore-rat-and-systembc"
	],
	"threat_actors": [],
	"ts_created_at": 1775434650,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9aad8c11473e303fc010374309523c4f7189c253.pdf",
		"text": "https://archive.orkl.eu/9aad8c11473e303fc010374309523c4f7189c253.txt",
		"img": "https://archive.orkl.eu/9aad8c11473e303fc010374309523c4f7189c253.jpg"
	}
}