The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT

Authors:

Denis Kazakov
Cyberthreat Intelligence Specialist, Positive Technologies Expert Security Center

Sergey Samokhin
Junior Specialist of the Sophisticated Threat Research Group, Positive Technologies Expert Security Center

• Dark Caracal has added a new weapon to its arsenal. Poco RAT extends a campaign that began in 2022, continuing its focus on Spanish-speaking targets in Latin America.
• The group uses custom-built tools unavailable to other cybercriminals.
• Dark Caracal uses a Bandook-based backdoor for mass distribution, while the original malware is reserved for select targets.
• Dark Caracal sticks to familiar methods. Its attack chain has gone unchanged for years, still relying on legitimate services to deliver malicious payloads.

In early 2024, analysts at the Positive Technologies Expert Security Center (PT ESC) discovered a malicious sample. The cybersecurity community named it Poco RAT after the POCO libraries in its C++ codebase. At the time of its discovery, the sample had not been linked to any known threat group.

The malware came loaded with a full suite of espionage features. It could upload files, capture screenshots, execute commands, and manipulate system processes.

Patterns in its tactics, techniques, and procedures linked it to a known player. Dark Caracal, the group behind Bandook, was a clear match. The dropper used in Poco RAT closely resembled Bandook's, reinforcing the connection

Throughout 2024, PT ESC's cyber threat intelligence systems monitored a campaign deploying Poco RAT against corporate networks. The phishing emails and malicious attachments were written in Spanish, pointing to a clear focus on Spanish-speaking users. The attack chain is illustrated in the diagram below:

The victim receives an email claiming an outstanding invoice requires payment.

An analysis of the attached decoy documents identified the industries that attackers mimic to make their schemes more convincing.

The email attachment includes a decoy document, usually in PDF format, though HTML versions appear occasionally. It is designed to imitate documents from organizations in the targeted industries.

Tools such as Adobe Acrobat Pro DC and Canva are commonly used to create these files.

Metadata analysis has uncovered author and user names (PDF:Author), including "trabajo", Rene Perez, Keneddy Cedeño, and Mr. Pickles. Aside from "trabajo", which translates to "work" in Spanish, these names provide an easy way to identify decoy documents linked to the group.

Decoy documents often slip past antivirus detection. Their filenames mimic financial transaction records between the victim and the impersonated organization. Blurred or low-quality visuals are common, possibly to lure less experienced users into opening them.
Once opened, the file redirects the victim to a link that triggers the automatic download of a .rev archive from legitimate file-sharing services or cloud storage platforms. This approach makes it harder to detect and block the malware's source.

Files with the .rev extension are generated using WinRAR and were originally designed to reconstruct missing or corrupted volumes in multi-part archives. Threat actors repurpose them as stealthy payload containers, helping malware evade security detection.

Table 1. Examples of decoy document names

The threat group distributes malicious .rev archives using several methods:

• Cloud storage services such as Google Drive and Dropbox. Link-shortening services like bit.ly, is.gd, ja.cat, and Rebrandly are used to obfuscate URLs.
• CDN storage solutions. Each attack uses a unique directory named after the impersonated organization or related documents. For example, a .rev archive labeled NUEVAFACTURA might be hosted at farmabienoctubre2024.b-cdn.net.

Inside these .rev archives, the dropper file mirrors the name of the decoy document, making it appear more legitimate to the victim.

Tucked inside the .rev archive, the dropper handles the heavy lifting. It launches Poco RAT while keeping a low profile, skipping the usual footprint by avoiding disk writes. This stealth-first approach makes it harder to catch. Built in Delphi, the dropper has stayed the same since its debut.

In 2024, they started tampering with executable metadata, swapping out copyright and product fields for names of well-known companies. Files that claim to be from Disney, Lockheed Martin, or Morgan Stanley might seem more trustworthy at a glance. The VersionInfo field became a social engineering tool, nudging victims into a false sense of security.

The most commonly impersonated industries include:

• Technology companies—49%
• Consulting firms—18%
• Financial organizations—10%
• Manufacturing enterprises—10%
• Service sector organizations—7%
• Retail companies—6%

Instead of launching Poco RAT the obvious way, the dropper injects it into a legitimate process (iexplore.exe and cttune.exe).

A close look at Bandook and Poco RAT droppers shows the same tricks at play. Both malware families use dynamic API resolution to make detection and debugging more difficult. The dropper deliberately accesses an invalid memory address, triggering an exception. The exception handler reroutes execution to a function already stored in the stack.

All embedded strings are encrypted with the Twofish algorithm and encoded in Base64. Each dropper build generates a unique encryption key, derived from a Ripemd-160 hash of a fixed string. An example of such a key:

VrKA9qz1ytZwY2sFxkQ0rE1FLrVW2T9fHYQeakW2rz9sLFxq4yGiCgA1KbFwZWfohs9Of.

The payload hidden in the resource section follows a similar process before execution, but with a separate decryption key.

Poco RAT is a backdoor designed to give attackers full control over an infected system. It allows them to navigate the file system, execute OS commands, launch executable files, and take screenshots. Every analyzed Poco RAT build has been packed with UPX (Ultimate Packer for Executables), shrinking the average file size from 24 MB to 13 MB. The size increase comes from its use of POCO, an open-source C++ library set built for network and internet applications.

The malware keeps an eye on itself by running a separate monitoring thread. Its activity falls into two distinct states:

• Checking time refers to monitoring how long the malware has been active, while collecting timestamps and assessing the system environment.
• Disconnecting you now is the state in which the connection with the victim's system is severed. This could indicate that the malware is shutting down or trying to avoid detection.

Once deployed, Poco RAT determines which command and control (C2) server to connect to. After establishing a link, the server regularly pings the malware with heartbeat messages to maintain persistence. Poco RAT then pulls system information using standard WinAPI functions, gathering:

• Username
• Computer name
• Windows OS version
• Free disk space
• Available physical memory (RAM)
• Current system time

Before reporting back to its C2 server, the malware checks if it's running in a virtualized environment. It looks for VirtualBox by scanning the registry path SOFTWARE\Oracle\VirtualBox and probes port 0×5658, a telltale sign of VMware. If nothing raises red flags, it sends all collected data to the server.

The gathered information is packed into a structured buffer, separated by the delimiter @&). An example format looks like this:

N35*@&)username*@&)pc_name*@&)win_ver*@&)free_disk_space*@&)ram*@&)time*@&)

The table below outlines the full set of commands that Poco RAT can execute.

Table 2. Command list

Poco RAT does not come with a built-in persistence mechanism. Once initial reconnaissance is complete, the server likely issues a command to establish persistence, or attackers may use Poco RAT as a stepping stone to deploy the primary payload.

An investigation into the campaign's network infrastructure uncovered the C2 servers communicating with the malware samples. Scanning results showed no open ports, active services, or linked domain names.

Table 3. C2 server activity

Over the past year, analysis of malware samples interacting with these C2 servers has made it possible to track the threat group's movement from one server to the next.

Despite the absence of visible open ports, the malware establishes connections with C2 servers through specific ports:

• 94.131.119.126 — 6541, 6542, 6543
• 185.216.68.121 — 6212
• 193.233.203.63 — 6215, 6211

An analysis of Poco RAT uploads to public sandboxes highlights a clear regional focus. Most samples originated from Venezuela, the Dominican Republic, Colombia, and Chile. The high volume of activity in Latin America suggests that this campaign is specifically targeting the region.

Spain does not appear in the statistical data, but it remains a notable target in Poco RAT attacks. The connection is likely tied to language and business ties. Most affected countries are Spanish-speaking, and many Latin American service providers have headquarters in Spain.

For example, we identified decoy documents mimicking BBVA Provincial, a Venezuelan bank whose parent company, Banco Bilbao Vizcaya, is based in Spain. Corporate security solutions at these headquarters likely detect the malware and upload samples to public sandboxes, which could explain the high activity levels observed from Spain.

Dark Caracal has been in the cyber-mercenary business since 2012. It runs attacks for hire, going after government institutions, military organizations, activists, journalists, and commercial entities.

The group relies on Bandook, a remote access trojan that has seen multiple modifications over the years. It remains a flexible and effective tool for targeted operations. Unlike malware floating around underground forums, Bandook is off-limits to outsiders. Only Dark Caracal is known to use it.

A campaign linked to the group surfaced in 2023. It targeted Latin American countries, including Venezuela and the Dominican Republic. The operation followed a familiar pattern, continuing attacks that researchers had previously documented. In 2018, reports from EFF and Lookout exposed similar tactics.

Command-and-control server addresses linked to Dark Caracal are listed in the table below.

Table 4. Network infrastructure

The network infrastructures behind Poco RAT and Bandook campaigns operated within the same Autonomous Systems (AS). This overlap reinforces the connection between the two malware families and their operators.

Table 5. AS overlap in campaigns

The graph shows a clear pattern. As Bandook samples disappear, Poco RAT samples begin to surface, often using the same network infrastructure. The timing suggests more than just coincidence. Dark Caracal may have decided to swap out its old tool for something new.

Campaigns linked to Bandook and Poco RAT share a few signature traits. These include:

• Blurred decoy documents and link-shortening services
• Legitimate cloud storage services for payload distribution
• A focus on Spanish-speaking countries in Latin America
• Spanish-language content and financial transaction themes to make files look legitimate

Similarities in attack chains, malware functionality, and network infrastructure point to a clear conclusion. This campaign is a continuation of Dark Caracal's operations. The group appears to be adjusting its tactics to stay ahead of security measures.

Over an eight-month investigation from June 2024 to February 2025, researchers identified 483 malicious samples. This marks a sharp increase from the 355 Bandook samples detected between February 2023 and September 2024. The numbers suggest a shift in strategy, moving toward large-scale phishing campaigns powered by Poco RAT.

An analysis of decoy documents and impersonated industries reinforces another key takeaway. This isn't just about espionage. Financial motives are likely driving the campaign.

YARA rules

Behavioral rules (malware)

Behavioral rules (suspicious)