Dark Caracal Hacking Group Evolves with New Poco RAT Malware in Sophisticated Cyber Campaign

CyberSecureFox 🦊

Cybersecurity researchers at Positive Technologies have uncovered a significant tactical evolution in the operations of Dark Caracal, a notorious advanced persistent threat (APT) group active since 2012. The group has pivoted to deploying a new backdoor called Poco RAT, marking a substantial shift in their attack methodology and technical capabilities.

Sophisticated Campaign Targeting Spanish-Speaking Nations

The investigation reveals a large-scale cyber campaign specifically targeting Spanish-speaking countries in Latin America. Venezuela, Chile, the Dominican Republic, and Colombia have emerged as primary targets, demonstrating Dark Caracal’s strategic focus on this region. The group’s new Poco RAT malware provides comprehensive remote access to compromised systems, enabling attackers to maintain persistent control over infected devices.

Advanced Social Engineering Tactics and Delivery Methods

Dark Caracal has refined its social engineering approach, implementing sophisticated phishing campaigns that leverage deceptive financial documents. A notable technical innovation in their strategy involves the use of specially crafted decoy documents with blurred content that successfully evade antivirus detection. When victims interact with these documents, they unknowingly trigger the download of a .rev archive containing the Poco RAT dropper.

Technical Analysis and Threat Evolution

Research data indicates a significant shift in Dark Caracal’s malware deployment patterns. Researchers have identified 483 unique Poco RAT samples since June 2024, substantially exceeding the 355 Bandook samples detected between February 2023 and September 2024. Technical analysis reveals that Poco RAT shares numerous characteristics with its predecessor Bandook, including similar network infrastructure patterns and command-and-control mechanisms.

Infrastructure and Capability Assessment

The malware exhibits sophisticated features including file manipulation capabilities, keylogging functionality, and advanced persistence mechanisms. Security analysts have observed shared command-and-control infrastructure between Poco RAT and previous Dark Caracal operations, providing strong evidence of the group’s continued evolution rather than a complete operational overhaul.

Given Dark Caracal’s historical focus on targeting government entities, military institutions, journalists, and corporate organizations, this tactical shift represents a significant escalation in the threat landscape. Security professionals recommend implementing enhanced network monitoring solutions, updating threat detection systems with new Poco RAT indicators of compromise, and conducting regular security awareness training focusing on sophisticated phishing techniques. Organizations should also strengthen their email security protocols and implement strict document handling policies to mitigate risks associated with this evolving threat.
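As an added illustration of the network-monitoring recommendation (example code written for this page, not from the Positive Technologies report or this post): a small Python script that runs over constructed proxy log lines, flags successful downloads of .rev archives, and records whether the same client fetched a PDF or Office document shortly beforehand, the decoy-document-then-archive sequence described above. The log format, hostnames, addresses and the five-minute window are assumptions.

```python
"""Flag .rev archive downloads in proxy logs (constructed sample data)."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample lines, assumed format:
# "<iso-timestamp> <client-ip> <method> <url> <status> <content-type>"
SAMPLE_LOG = """\
2024-07-01T09:12:01 10.0.0.15 GET http://example.invalid/factura_junio.pdf 200 application/pdf
2024-07-01T09:12:40 10.0.0.15 GET http://example.invalid/dl/factura.rev?id=7 200 application/octet-stream
2024-07-01T09:15:12 10.0.0.22 GET http://example.invalid/index.html 200 text/html
2024-07-01T10:02:05 10.0.0.31 GET http://example.invalid/update.rev 200 application/octet-stream
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")  # decoy document types (assumed)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, ctype = m.groups()
    # Drop the query string so "?id=7" cannot hide the real extension.
    path = urlparse(url).path.lower()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "path": path, "status": int(status), "ctype": ctype}


def find_rev_downloads(log_text, window=timedelta(minutes=5)):
    """Return (client, path, preceded_by_document) for each successful .rev download.

    preceded_by_document is True when the same client fetched a document listed in
    DOC_EXTS within `window` before the archive, matching the delivery chain above.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    hits = []
    for e in events:
        if e["status"] != 200 or not e["path"].endswith(".rev"):
            continue
        preceded = any(
            o["client"] == e["client"] and o["path"].endswith(DOC_EXTS)
            and timedelta(0) <= e["ts"] - o["ts"] <= window
            for o in events
        )
        hits.append((e["client"], e["path"], preceded))
    return hits


if __name__ == "__main__":
    for client, path, preceded in find_rev_downloads(SAMPLE_LOG):
        print(f"{client} fetched {path}; document fetched just before: {preceded}")
```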
