Inside Dark Caracal's Latest Campaign: The Rise of Poco RAT

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.
Summary
Cyble Research and Intelligence Labs came across a blog published by Positive Technologies Expert Security Center (PT ESC) about a new malware called Poco RAT. Detected in early 2024, Poco RAT got its name from the POCO libraries in its C++ codebase. Initially unlinked to any known threat group, its tactics and techniques soon pointed to Dark Caracal, the group behind the Bandook malware. Poco RAT is equipped with powerful espionage features, including file uploading, screenshot capturing, command execution, and system process manipulation.
Dark Caracal has been running a campaign since 2022, focusing on Spanish-speaking targets in Latin America. The group uses custom-built tools that are not available to other cybercriminals. They rely on a Bandook-based backdoor for broad distribution, while the original Poco RAT is reserved for select, high-value targets. Sticking to familiar methods, Dark Caracal's attack chain has remained unchanged for years, still leveraging legitimate services to deliver malicious payloads.
Technical Details
In 2024, researchers tracked a campaign using Poco RAT to target corporate networks, focusing on Spanish-speaking users. The attack started with phishing emails containing malicious attachments in PDF or HTML format. These decoy documents mimicked industries like technology, finance, consulting, manufacturing, services, and retail. Created with tools like Adobe Acrobat Pro DC and Canva, the documents included metadata with names like "trabajo," Rene Perez, Keneddy Cedeño, and Mr. Pickles, linking them to Dark Caracal.

The attack chain began with a phishing email about an unpaid invoice. When opened, the decoy document redirected victims to download a .rev archive from legitimate cloud services like Google Drive or Dropbox. These archives, made with WinRAR, hid the dropper file, which stealthily launched Poco RAT.
The dropper, built in Delphi, avoided disk writes and altered executable metadata to look like files from well-known companies such as Disney and Morgan Stanley. Instead of running Poco RAT directly, the dropper injected it into legitimate processes like iexplore.exe and cttune.exe, using advanced techniques to avoid detection.

Poco RAT itself is a backdoor that offers complete control over infected systems. It can navigate the file system, execute commands, run applications, and capture screenshots. The malware uses the Twofish algorithm for encryption and a Base64 encoding scheme, generating a unique key for each dropper build. Before communicating with its command-and-control (C2) server, Poco RAT checks for virtual environments to avoid analysis. The malware uses legitimate ports and services to maintain persistence, often switching between different C2 servers to evade detection. Most observed samples originated from Venezuela, the Dominican Republic, Colombia, and Chile, with a clear focus on Latin America.

Dark Caracal, a known cyber-mercenary group active since 2012, is behind Poco RAT. The group has a history of targeting government institutions, military organizations, activists, journalists, and commercial entities, often using the Bandook malware. The infrastructure for Poco RAT and Bandook campaigns showed overlap, with both using the same Autonomous Systems (AS) and similar attack techniques. The shift from Bandook to Poco RAT suggests Dark Caracal may have upgraded its toolkit while continuing to focus on Spanish-speaking countries and leveraging Spanish-language financial transaction themes for legitimacy.
Recommendation
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
● Implement robust phishing detection tools and conduct regular security awareness training to help users recognize suspicious emails and attachments.
● Use advanced antivirus solutions and endpoint detection and response (EDR) tools to identify and block malware, including uncommon file types like .rev archives.
● Continuously monitor network traffic for unusual activity and isolate critical systems to prevent lateral movement in case of an intrusion.
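As an added illustration of the .rev archive and process-injection points above (example code written here, not from Cyble, PT ESC or FMI), the following Python script runs two detection heuristics over constructed proxy and process-creation log lines: a .rev archive fetched from Google Drive or Dropbox, and iexplore.exe or cttune.exe started by a parent running from a user-writable path. The CSV log formats and the user-writable path pattern are assumptions.

```python
import re
from urllib.parse import urlparse

# Download sources and injection-host processes named in the report
CLOUD_HOSTS = ("drive.google.com", "dropbox.com")
INJECT_TARGETS = {"iexplore.exe", "cttune.exe"}
# Assumption: paths a freshly dropped executable typically runs from
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\", re.I)

def cloud_rev_download(url: str, filename: str) -> bool:
    """True if a .rev archive was fetched from Google Drive or Dropbox."""
    host = urlparse(url).netloc.lower()
    on_cloud = any(host == h or host.endswith("." + h) for h in CLOUD_HOSTS)
    return on_cloud and filename.lower().endswith(".rev")

def injected_host_spawn(parent_image: str, image: str) -> bool:
    """True if iexplore.exe/cttune.exe is started by a parent in a user-writable path."""
    child = image.rsplit("\\", 1)[-1].lower()
    return child in INJECT_TARGETS and bool(USER_WRITABLE.search(parent_image))

def scan(proxy_lines, proc_lines):
    """Return one alert string per log line that matches either heuristic."""
    alerts = []
    for line in proxy_lines:                       # format: ts,user,url,filename
        ts, user, url, filename = line.split(",")
        if cloud_rev_download(url, filename):
            alerts.append(f"{ts} rev-archive-from-cloud user={user} file={filename}")
    for line in proc_lines:                        # format: ts,parent_image,image
        ts, parent, image = line.split(",")
        if injected_host_spawn(parent, image):
            alerts.append(f"{ts} injection-host-spawn parent={parent} image={image}")
    return alerts

# Constructed sample telemetry (not real logs): ts,user,url,filename
PROXY_LOG = [
    "2025-02-03T09:12:03Z,jperez,https://www.dropbox.com/scl/fi/x1/Factura.rev?dl=1,Factura.rev",
    "2025-02-03T09:13:40Z,jperez,https://drive.google.com/uc?export=download&id=y2,Factura.pdf",
    "2025-02-03T09:15:10Z,mlopez,https://drive.google.com/uc?export=download&id=z3,Pago_0321.rev",
]
# Constructed sample process-creation events: ts,parent_image,image
PROC_LOG = [
    r"2025-02-03T09:16:02Z,C:\Users\jperez\Downloads\Factura.exe,C:\Program Files\Internet Explorer\iexplore.exe",
    r"2025-02-03T09:16:05Z,C:\Windows\explorer.exe,C:\Windows\System32\cttune.exe",
    r"2025-02-03T09:16:30Z,C:\Users\mlopez\AppData\Local\Temp\Pago.exe,C:\Windows\System32\cttune.exe",
]

if __name__ == "__main__":
    for alert in scan(PROXY_LOG, PROC_LOG):
        print(alert)
```

The benign explorer.exe to cttune.exe event is included to show that the parent-path condition, not the child name alone, drives the alert.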
Conclusion
The attack methods, malware behavior, and network setup all show that this campaign is a continuation of Dark Caracal's operations. During an eight-month investigation (June 2024 to February 2025), researchers found 483 malicious Poco RAT samples, up from 355 Bandook samples detected between February 2023 and September 2024. This increase suggests Dark Caracal is focusing on large-scale phishing campaigns using Poco RAT to evade security. The analysis of decoy documents and targeted industries hints that the group's motives might include not just espionage but also financial gain.