A new variant of the Poco RAT malware has emerged as a significant threat to Spanish-speaking organizations across Latin America, leveraging sophisticated PDF decoys and cloud-based delivery systems to infiltrate networks and exfiltrate sensitive data.
Linked to the cyber-mercenary group Dark Caracal, this campaign represents an evolution of tactics previously associated with the Bandook remote access trojan, now adapted for broader phishing operations and financial espionage.

The Attack Chain
The campaign begins with phishing emails disguised as financial notifications, often referencing unpaid invoices or tax documents.
Attackers attach PDF files mimicking legitimate organizations, including Venezuelan banks like BBVA Provincial and industrial firms such as Global Supply Services.

These decoys use blurred graphics and metadata fields populated with Spanish-language author names like “Rene Perez” and “Keneddy Cedeño” to appear authentic while evading initial detection.
When opened, the PDFs redirect victims to shortened URLs hosting malicious .rev archives on platforms like Google Drive and Dropbox.

This technique exploits trust in legitimate cloud services—only 7% of decoy documents triggered antivirus alerts during the 2024–2025 campaign.
The .rev files, originally designed for repairing corrupted archives, now serve as stealth vehicles for Poco RAT’s dropper—a Delphi-based executable that avoids disk writes by injecting directly into processes like iexplore.exe.

Technical Evasion and Expanded Targeting
Dark Caracal’s latest tools employ multi-layered obfuscation:
- Dynamic API resolution hides malicious function calls
- Twofish encryption with per-build keys secures embedded strings
- Exception-handler hijacking redirects code execution to bypass debuggers
The group has expanded its industry targets compared to previous Bandook campaigns, with 49% of recent attacks impersonating technology firms—a 33% increase from 2023.

Financial organizations (10%) and manufacturing enterprises (10%) remain key targets, reflecting continued interest in intellectual property and transaction records.

Poco RAT’s Espionage Toolkit
Once deployed, the malware conducts comprehensive reconnaissance:
- Environment profiling: Detects virtualization through registry checks (SOFTWARE\Oracle\VirtualBox) and by probing VMware’s backdoor I/O port (0x5658)
- Data collection: Harvests usernames, OS versions, and RAM metrics into structured reports using “@&)” delimiters
- C2 communication: Maintains persistence through heartbeat messages to IPs like 193.233.203.63 while cycling through ports 6211–6543 to avoid blocking
Command execution capabilities include:
- Screen capture (T-05)
- Fileless payload execution (T-03)
- Passthrough command prompt access (T-06)

Infrastructure Links to Bandook Operations
Analysis by Positive Technologies reveals overlapping infrastructure between Poco RAT and Dark Caracal’s legacy tools (Table 5):
- AS200019 (AlexHost SRL): Hosts both Poco RAT (185.216.68.121) and Bandook C2s (185.216.68.143)
- AS44477 (Stark Industries Ltd.): Shared by Poco RAT (94.131.119.126) and Bandook servers since 2023.
This shared infrastructure enabled a smooth transition between malware families, with Poco RAT samples increasing 36% year-over-year (483 vs. 355 Bandook files).
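The heartbeat behaviour described under C2 communication (one address, ports cycled through 6211–6543) and the C2 addresses listed above give a defender two simple signals to hunt for in outbound connection logs. The following script is an added example, not code from the article or from Positive Technologies; the log line format and the sample entries are constructed for the illustration, and the "three distinct ports" threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample endpoint-firewall log (not from the article).
# Assumed format: "<timestamp> <process> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2025-03-01T10:00:00Z iexplore.exe -> 193.233.203.63:6211
2025-03-01T10:05:00Z iexplore.exe -> 193.233.203.63:6230
2025-03-01T10:10:00Z iexplore.exe -> 193.233.203.63:6412
2025-03-01T10:15:00Z iexplore.exe -> 193.233.203.63:6543
2025-03-01T10:16:00Z chrome.exe -> 203.0.113.5:443
2025-03-01T10:17:00Z outlook.exe -> 198.51.100.7:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
# Port range cycled by the Poco RAT heartbeat, as reported in the article
POCO_PORT_RANGE = range(6211, 6544)
# C2 addresses named in the article (Poco RAT and Bandook)
KNOWN_C2 = {"193.233.203.63", "185.216.68.121", "94.131.119.126", "185.216.68.143"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proc, ip, port = m.groups()
    return {"ts": ts, "proc": proc, "ip": ip, "port": int(port)}


def find_suspicious(log_text, min_distinct_ports=3):
    """Return {(process, dst_ip): reason} for connections that either hit a
    known C2 address or cycle through at least min_distinct_ports distinct
    destination ports inside the Poco RAT heartbeat range."""
    ports_seen = defaultdict(set)
    hits = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # skip malformed lines rather than crash the scan
        key = (ev["proc"], ev["ip"])
        if ev["ip"] in KNOWN_C2:
            hits[key] = "known Poco RAT / Bandook C2 address"
        if ev["port"] in POCO_PORT_RANGE:
            ports_seen[key].add(ev["port"])
            if len(ports_seen[key]) >= min_distinct_ports:
                # Port cycling alone is flagged even when the IP is unknown
                hits.setdefault(key, "port cycling within 6211-6543")
    return hits
```

The port-cycling rule fires on a previously unseen address too, which matters once the operators rotate hosting within the AS ranges noted above; tune the threshold against your own baseline of legitimate traffic on those ports.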
As Dark Caracal continues refining its tactics, the blend of social engineering and cloud abuse in this campaign underscores the need for defense-in-depth strategies combining user education and technical controls.