🇱🇧

Dark Caracal

APT Group Information theft and espionage 5 zero-day CVEs ETDA ✓

Also Known As 3 names

ATK 27 TAG-CT3 G0070

Target Countries 19

Countries highlighted in red

Switzerland China Germany France India Italy Jordan Republic of Korea Lebanon Netherlands Nepal Philippines Pakistan Qatar Saudi Arabia Thailand United States Bolivarian Republic of Venezuela Vietnam

Sectors Targeted

Investigation, Guard, and Armored Car Services 56161 Government Healthcare Utilities Offices of Lawyers 541110 Defense Computer Systems Design and Related Services 54151 Manufacturing Media activists, lawyers and journalists Education Financial

Details

Origin 🇱🇧 LB

Last Updated 01 Jun 2022

Malware Families 2

bundestrojaner

Bandook RAT

MITRE ATT&CK 24

T1005 T1021 - Remote Services T1027 T1027.002 T1027.013 T1036 - Masquerading T1059 - Command and Scripting Interpreter T1059.003 T1071 T1071.001 T1078.001 T1083 T1105 T1113 - Screen Capture T1189 T1204 - User Execution T1204.002 T1218 T1218.001 T1547 T1547.001 T1560 - Archive Collected Data T1566 - Phishing T1566.003

Related Zero-Days 5

CVE-2024-50302 CVE-2025-1316 CVE-2025-22224 CVE-2025-22225 CVE-2025-22226

Known Names 4 entries

Dark Caracal Lookout

ATK 27 Thales

TAG-CT3 Recorded Future

G0070 MITRE

Observed Target Countries 21

Based on ETDA data — countries highlighted in red

China France Germany India Italy Jordan Lebanon Nepal Netherlands Pakistan Philippines Qatar Russia Saudi Arabia South Korea Switzerland Syria Thailand USA Venezuela Vietnam

Description

(Lookout) Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information. We are releasing more than 90 indicators of compromise (IOC) associated with Dark Caracal including 11 different Android malware IOCs; 26 desktop malware IOCs across Windows, Mac, and Linux; and 60 domain/IP based IOCs. Dark Caracal targets include individuals and entities that a nation state might typically attack, including governments, military targets, utilities, financial institutions, manufacturing companies, and defense contractors. We specifically uncovered data associated with military personnel, enterprises, medical professionals, activists, journalists, lawyers, and educational institutions during this investigation. Types of data include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.

Tools Used 4

Bandook CrossRAT FinFisher Pallas

Operations 3

2012-01 Operation “Dark Caracal” https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf

2020 During this past year, dozens of digitally signed variants of this once commodity malware started to reappear in the threat landscape, reigniting interest in this old malware family. https://research.checkpoint.com/2020/bandook-signed-delivered/

2024-06 The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/the-evolution-of-dark-caracal-tools-analysis-of-a-campaign-featuring-poco-rat

Reports & References 2

https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf https://www.dropbox.com/s/qjkcd56v3fhkjou/Whitepaper Dark Caracal Campaign.pdf?dl=0

ETDA Profile

Dark Caracal

Origin

Lebanon

First Seen 2007

Sponsor State-sponsored, General Directorate of General Security (GDGS)

Motivation

Information theft and espionage

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0070/

View on ETDA APT Groups ↗