{
	"id": "2e90cbc5-d3b2-49d5-b736-c40575628f11",
	"created_at": "2026-04-06T00:11:25.775032Z",
	"updated_at": "2026-04-10T03:34:16.028849Z",
	"deleted_at": null,
	"sha1_hash": "a29ecfc9a01ac03e75296566ac5f8b39abf910c8",
	"title": "Uncle Sow: Dark Caracal in Latin America",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1643342,
	"plain_text": "Uncle Sow: Dark Caracal in Latin America\r\nBy Cooper Quintin\r\nPublished: 2023-02-10 · Archived: 2026-04-05 20:30:54 UTC\r\nIn 2018, EFF, along with researchers from Lookout Security, published a report describing the Advanced Persistent Threat (APT) we dubbed \"Dark Caracal.\" Now we have uncovered a new Dark Caracal campaign operating since March of 2022, with hundreds of infections across more than a dozen countries. In this report we will present evidence that the cyber mercenary group Dark Caracal is still active and continues to be focused on Latin America, as was reported last year. We have discovered that Dark Caracal, using the Bandook spyware, is currently infecting over 700 computers in Central and South America, primarily in the Dominican Republic and Venezuela.\r\nIn our original 2018 report, we described a campaign targeting thousands of Lebanese citizens with several different malware families, including a brand new mobile remote access trojan we named Pallas and a Windows remote access trojan called Bandook. Through our research we were able to shut down the malware campaign and notify a number of the victims. Our Operation Manul report established that the actors behind the campaign were working with the governments of Lebanon and Kazakhstan. The variety of targets and the apparent involvement of multiple governments throughout the campaigns led us to believe that Dark Caracal is a cyber-mercenary or hack-for-hire group.\r\nSince our original Dark Caracal report, there have been multiple reports on their continued activities. Check Point Research wrote about a campaign in 2020, and we have continued to follow the activities of Dark Caracal with our most recent report, also in 2020. Most recently, ESET wrote about Dark Caracal activities in Latin America in their report Bandidos at Large.\r\nDark Caracal is far from the only malware group currently targeting Latin America. The Quantum malware group targeted the Dominican Republic’s Ministry of Agriculture in 2022. The Dominican Republic is also a reported customer of NSO Group.\r\nGiven Dark Caracal’s history of working with national governments — such as Kazakhstan and Lebanon — on politically motivated campaigns, it is possible that the new campaign described below is also at the behest of a government actor, but without more insight into who the infected computers belong to, we cannot draw any conclusions as to the motivation of these attacks.\r\nRegardless, we call on lawmakers and regulators in South and Central America to be vigilant against Dark Caracal's spyware since it, and other spyware like it, has been used to commit gross human rights violations. Time and again, nation-states and cyber-mercenaries have used spyware to target activists, human rights defenders, and journalists whose actual work is to uncover governments' wrongdoing, speak truth to power and hold governments accountable. Such targeting has resulted in a growing list of extrajudicial killings of journalists and human rights defenders.\r\nhttps://www.eff.org/deeplinks/2023/02/uncle-sow-dark-caracal-latin-america\r\nPage 1 of 9\r\nGovernments should consider calling for a moratorium on the governmental use of these malware technologies, support computer security research, and human rights for all, including transparency, accountability and redress for victims.\r\nGovernments must recognize that government hostility to device security is dangerous for their people. If one government can use malware against civilians under a rival government, there is nothing stopping the rival government from doing the same. Governments should be focusing on improving computer security and protecting their citizens' rights to freedom of expression.\r\nWe hope this report will add to a body of work exposing cyber mercenaries and convince policymakers that cyber mercenaries and nation-state hacking are truly a global threat to human rights and civil society.\r\nA new campaign appears\r\nRecently we discovered a new version of the Bandook malware, which has been updated to have 148 unique commands it can send the infected computer, far more than the 120 available in previous samples. This sample and related samples seem to be part of a campaign that began in March 2022, utilizing a new command and control server (a remote computer which issues orders to the infected computers and receives data stolen from the infected computers) at the domain deapproved[.]ru.\r\nIn the “Bandidos at Large” report, ESET researchers detailed a mechanism within Bandook for downloading Windows DLLs (software libraries for Windows) from a domain secondary to the main command and control server to gain additional functionality. On analyzing the samples we obtained, we found that in this case the mechanism for downloading additional DLLs pointed to the domain unclesow[.]com. However, upon investigating, we realized that the unclesow[.]com domain had not yet been registered. We figured that this domain could provide information on Dark Caracal’s activities, so we registered it and set up a sinkhole (a server which hosts a domain that previously belonged to a malware campaign, to protect infected computers and collect information).\r\nUnclesow[.]com is currently hosted by EFF. Since registering this domain, we have been collecting aggregate information on the victims of this malware campaign. Based on daily traffic logs, there appear to be between 600 and 800 infected machines at any time, mostly across Central and South America. Since every Bandook infection connects to the secondary domain multiple times per day, we are confident that we are seeing all infections for this current campaign. Because of our concern for the privacy of the victims of this malware campaign, we have configured the server to delete logs after four weeks and collect the bare minimum of necessary information.\r\nThe same day that we set up DNS entries for unclesow[.]com, several other domains that had been previously registered had their DNS suddenly pointed at the same server that hosted unclesow. There were 6 domains pointed automatically at our server:\r\nsetsizee[.]com\r\nseconsave[.]com\r\nscanlostt[.]com\r\nsanesity[.]biz\r\nEmail-securlink[.]com\r\ngoadaaddy[.]com\r\nBased on the timing and apparent phishing-related nature of these domains, we suspect this was an automatic process, possibly set up by the same people running the Dark Caracal campaign. A few days later, several of the domains were pointed at a new IP address not under our control. However, three of the domains (seconsave[.]com, scanlostt[.]com and sanesity[.]biz) still point to our sinkhole server. We were able to identify several other related domains which were hosted on other servers at the same time as these domains (when they were not pointing to our sinkhole).\r\nThe connection of these domains to the current Dark Caracal campaign is unclear. They may be for a different campaign or another purpose. The tactics, tools and procedures used don’t match up, with the above domains being hosted on DigitalOcean, registered with NameCheap and not mentioned in the Bandook samples, whereas the domains mentioned in the Bandook samples are hosted with the bulletproof hosting provider OvO [ovo.sc] and registered with a company called 1984 [1984.is]. Additionally, we observed no interesting traffic, or traffic indicative of a Bandook infection, to any of the domains pointed at our sinkhole other than unclesow[.]com. The only connection to this campaign for these domains is the fact that they were pointed at our sinkhole automatically when we set it up. For now it remains a mystery.\r\nSince we registered the unclesow[.]com domain, the attackers have changed the command and control domain twice, first to cudenpower[.]co and then to bomes[.]ru. However, in both cases and still to this day, they have not changed the secondary infection domain from unclesow[.]com, thus our sinkhole continues to function even for new samples of malware. It is unclear whether the malware operators realize that their secondary domain is controlled by us at this time.\r\nBandook Continues Evolving\r\nThe versions of Bandook this campaign uses appear to be newer than the ones used in the last campaigns reported on by ESET. The first stage of the malware has switched from using GOST for encryption of the payload to using DES for encryption of its second stage payload. The key for decryption is derived from a passphrase by hashing it with the RIPEMD-128 algorithm.\r\nAdditionally, the malware contains 148 possible commands it can send the infected computer from the command and control server instead of the previous 132 in the samples analyzed by ESET. The commands include capabilities such as: turning on the webcam, adding or removing files from the computer, taking control of the mouse, recording the screen, starting a remote desktop session, and downloading other libraries for additional functionality (see appendix for more).\r\nThese changes indicate a deep nexus to the Dark Caracal group, as the source code for Bandook is not public and the malware is not for sale as far as we know.\r\nAt the time of this report, unpacked versions of the malware were detected by 41 out of 70 antivirus products in VirusTotal, whereas a representative sample of the packed malware was detected by 35 out of 71 antivirus products.\r\nThe command and control servers are more locked-down than we have seen in the past, with the only open services being SSH and the command and control service listening on port 2222. There is no web administration interface as has been seen in the past.\r\nVictimology\r\nFrom connections to our sinkhole we have observed victims in several Central and South American countries. Approximately 75% of infected computers are located in the Dominican Republic and 20% in Venezuela.\r\nFigure: A map of Bandook infections based on Shodan data.\r\nBecause the infected computers connect to the sinkhole server and make an HTTP GET request for the path /flras/get.php?huln=nevi approximately every three hours, we can reliably estimate the number of infected machines. At its peak we suspect more than 800 computers were infected in this malware campaign. However, this number may be lower if some machines are changing their IP addresses in the middle of the day due to moving to a new network or a dynamic IP address changing. Since all connections initiated by Bandook use a standard user agent (see Appendix), we do not have a way to keep track of individual machines when they change IP addresses.\r\nBecause Bandook malware samples have only ever been observed for Windows, we assume that the infected machines are all Windows computers. According to Shodan data, many of the IP addresses belong to commodity routers on consumer ISP networks. It is our assumption that those routers have dynamic IP addresses that frequently change, thus increasing the number of unique IPs connecting to our sinkhole.\r\nInfections drop off on Saturdays and especially Sundays, leading us to believe that most infected machines are located at places of business. This hypothesis is also supported by the number of connections from infected machines dropping on major public holidays such as Christmas Eve, Christmas, and New Year’s Day.\r\nFigure: Number of infected computers connecting to our sinkhole per day.\r\nThough we haven’t been able to contact any of the victims of this current campaign, their location opens the possibility that it is a continuation of the campaign outlined in the Bandidos at Large report. Because of Dark Caracal’s history of working on behalf of governments, we can’t discount that possibility here either, though the client’s identity remains a mystery for now.\r\nThanks to ESET, Martijn Grooten, Jeremy Kennelly, Bill Marczak, and VirusTotal for assistance with this research.\r\nAppendix - Indicators of Compromise\r\nCommand and Control domains:\r\ndeapproved[.]ru\r\ncudenpower[.]co\r\nbomes[.]ru\r\ncumumberpro[.]org\r\nunclesow[.]com - SINKHOLED\r\nPossibly Related Domains\r\nBandook malware indicators\r\nUser agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/2010010146b Firefox/55.0\r\nPath connected to on sinkhole: /flras/get.php?huln=nevi\r\nSelection of Bandook Commands\r\nCaptureScreen\r\nClearCred\r\nGetCamlist\r\nSendCam\r\nStopCam\r\nUninstall\r\nCompressArchive\r\nGenerateReports\r\nGetWifi\r\nStartShell\r\nGetSound\r\nSplitMyFile\r\nGetAutoFTP\r\nSendStartup\r\ngetkey\r\nSendMTPList\r\nSendMTPList2\r\nGrabFileFromDevice\r\nPutFileOnDevice\r\nDeleteFileFromDevice\r\nCopyMTP\r\nChromeInject\r\nDisableChrome\r\nRarFolder\r\nSendUSBList\r\nSignoutSkype\r\nStealUSB\r\nStartFileMonitor\r\nSendFileMonLog\r\nGetUSBMONLIST\r\nGetFileMONLIST\r\nStopUSBMonitor\r\nSearchMain\r\nStopSearch\r\nStopFileMonitor\r\nSendinfoList\r\nEnableAndLoadCapList\r\nDisableMouseCapture\r\nAddAutoFTPToDB\r\nDeleteAutoFTPFromDB\r\nExecuteTV\r\nExecuteAMMY\r\nDDOSON\r\nExecuteTVNew\r\nInstallMac\r\nUnzipFile\r\nGenerateOfflineDB\r\nGetDDSize\r\nRECSCREEN\r\nStartLive\r\nPREEW\r\nUnpacked Bandook samples\r\n1a2ff4a809b5a3757eaa05dc362acb2b227a7d02cb13d74c17d850d44181cf04\r\nPacked Bandook 
Samples\r\nSource: https://www.eff.org/deeplinks/2023/02/uncle-sow-dark-caracal-latin-america",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.eff.org/deeplinks/2023/02/uncle-sow-dark-caracal-latin-america"
	],
	"report_names": [
		"uncle-sow-dark-caracal-latin-america"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4347dfe-2489-4fe4-8097-f4be33aadac2",
			"created_at": "2022-10-25T16:07:23.973289Z",
			"updated_at": "2026-04-10T02:00:04.815324Z",
			"deleted_at": null,
			"main_name": "Operation Manul",
			"aliases": [],
			"source_name": "ETDA:Operation Manul",
			"tools": [
				"Bandok",
				"Bandook",
				"JRat",
				"Jacksbot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8de10e16-817c-4907-bd98-b64cf4a3e77b",
			"created_at": "2022-10-25T15:50:23.552766Z",
			"updated_at": "2026-04-10T02:00:05.362919Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"Dark Caracal"
			],
			"source_name": "MITRE:Dark Caracal",
			"tools": [
				"FinFisher",
				"CrossRAT",
				"Bandook"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4a62c0be-1583-4d82-8f91-46e3a1c114e6",
			"created_at": "2023-01-06T13:46:38.73639Z",
			"updated_at": "2026-04-10T02:00:03.083265Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"G0070"
			],
			"source_name": "MISPGALAXY:Dark Caracal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af704c54-a580-4c29-95f2-82db06fbb6f9",
			"created_at": "2022-10-25T16:07:23.525064Z",
			"updated_at": "2026-04-10T02:00:04.64019Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"ATK 27",
				"G0070",
				"Operation Dark Caracal",
				"TAG-CT3"
			],
			"source_name": "ETDA:Dark Caracal",
			"tools": [
				"Bandok",
				"Bandook",
				"CrossRAT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy",
				"Pallas",
				"Trupto"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434285,
	"ts_updated_at": 1775792056,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a29ecfc9a01ac03e75296566ac5f8b39abf910c8.pdf",
		"text": "https://archive.orkl.eu/a29ecfc9a01ac03e75296566ac5f8b39abf910c8.txt",
		"img": "https://archive.orkl.eu/a29ecfc9a01ac03e75296566ac5f8b39abf910c8.jpg"
	}
}