Dark Caracal Uses Poco RAT to Target Spanish-Speaking Enterprises in Latin America - Related to cyberthreats, uses, as, it, offline

Polish Space Agency offline as it recovers from cyberattack

​The Polish Space Agency (POLSA) has been offline since it disconnected its systems from the Internet over the weekend to contain a breach of its IT infrastructure.

After detecting the attack, the agency reported the incident to relevant authorities and launched an investigation to assess its impact.

"There has been a cybersecurity incident at POLSA. The relevant services and institutions have been informed. The situation is being analyzed," POLSA stated on Sunday.

"In order to secure data after the hack, the POLSA network was immediately disconnected from the Internet. We will keep you updated."

POLSA has not disclosed the nature of the security incident and has yet to attribute the attack to a specific threat actor.

While no updates have been , insights inside the agency told The Register that staff was asked to use phones after the attackers compromised POLSA's email systems.

The agency now works with the Polish Computer Security Incident Response Team (CSIRT NASK) and the Polish Military Computer Security Incident Response Team (CSIRT MON) to restore impacted services.

"In connection with the incident, the systems under attack were secured. CSIRT NASK, together with CSIRT MON, supports POLSA in activities aimed at restoring the operational functioning of the Agency," mentioned Krzysztof Gawkowski, Poland's Minister of Digital Affairs.

"Intensive operational activities are also underway to identify who is behind the cyberattack. We will publish further information on this matter on an ongoing basis."

Established in September 2014, POLSA is a European Space Agency (ESA) member. Its priorities include supporting the Polish space industry and increasing Polish defense capabilities through satellite systems.

It also helps Polish entrepreneurs obtain funds from the European Space Agency (ESA) and works with other ESA Members, the EU, and other countries on various space exploration projects.

A previously undocumented polyglot malware is being deployed in attacks against aviation, satellite communication, and critical transportation organiz......

New research has uncovered further links between the Black Basta and Cactus ransomware gangs, with members of both groups utilizing the same social en......

Broadcom warned end-clients today about three VMware zero-days, tagged as exploited in attacks and .......

Look up: The new frontier of cyberthreats is in the sky

In November 2024, a series of unidentified drones appeared over New Jersey. This wasn’t the stuff of UFO enthusiasts or conspiracy theorists. The drones were real, and , law enforcement officers and members of the [website] military.

Within a few weeks, sightings spread into New England, New York and Pennsylvania. Drones started to appear in restricted military airspace. The military expressed it wasn’t operating the drones but that they didn’t pose a threat.

In late January 2025, the White House sent a similar message, noting that the New Jersey drones were “authorized to be flown by the Federal Aviation Administration (FAA) for research and various other reasons.”.

Concerns over unidentified drones persist.

Still, concerns over drones remain; so much so that the chief of the North American Aerospace Defense Command (NORAD) told lawmakers in February that the Pentagon needed more resources to deal with drones flying over [website] military installations.

“The primary threat I see for them in the way they’ve been operating is detection and perhaps surveillance of sensitive capabilities on our installations,” NORAD chief Gen. Gregory Guillot revealed during a Senate Armed Services Committee hearing.

So, there are enough unidentified and suspicious drones that people with real power to make decisions are paying close attention to them. The issue is also global. In January, the German cabinet approved a plan to shoot down drones that flew over their military installations.

Attackers target drone manufacturers in Taiwan.

There is reason to worry given the example of a story out of Taiwan. Attackers there used malware to spy on drone manufacturers’ corporate computers and likely exfiltrate data. Taiwan is home to some of the world’s most advanced drone makers, and drone production on the island has ramped up significantly since 2022.

The attackers used a dynamic-link library (DLL) sideloading technique to install a persistent backdoor with complex functionality on infected systems. They brought three files to the system: a legitimate copy of Microsoft Word 2010, a signed [website] file and a file with a random name and file extension.

The attackers used Microsoft Word to sideload the malicious wwlib DLL. The DLL acts as a loader for the actual payload, which resides inside the encrypted file with a random name.

With command and control capabilities installed as part of the breach, attackers gained access to organization PCs within drone manufacturers. What’s particularly interesting is how attackers managed to enter a victim’s system: probably through enterprise resource planning (ERP) software.

The first appearance of the malicious files was inside the folder of a popular Taiwanese ERP software called Digiwin. The Acronis Threat Research Unit (TRU) found evidence of multiple components of Digiwin deployed in target environments. Digiwin, established in Taiwan but now based in mainland China, is the leader in Taiwan’s ERP market.

Attackers replaced Digiwin’s original [website] execution file with [website] [website] is part of Digiwin’s auto upgrade workflow, but attackers caused it to launch Microsoft Word 2010 instead, which loaded a backdoor that could carry out malicious actions.

Some of Digiwin’s components contain known vulnerabilities, and it seems very likely that exploitation or a supply chain attack originated in the ERP software.

In August 2022, drone manufacturing in Taiwan got a jumpstart. Taiwan’s central government opened UAV AI Innovation Application R&D Center in Chiayi County and offered a NT$50 million tender for 3,000 commercial-grade drones to be used for military applications.

The race was on. There are now about a dozen companies in Taiwan participating in drone manufacturing, and even more when taking into account the island’s global aerospace industry.

Taiwan’s allegiance to the [website] and strong technological background make the island a prime target for adversaries interested in military espionage or supply chain attacks.

The extreme growth of the drone industry in the past decade also had an unfortunate side effect: even consumer models are used for military purposes now. They are capable of carrying smaller weapons, as footage reveals from ongoing conflicts around the world.

An investigation into the attacks revealed the use of a long-lasting digital certificate from a business based in Taiwan. All command and control servers, as well as all the companies targeted, were located in Taiwan. As such, it seems likely that this strain of drone attacks is a highly sophisticated, targeted attack with careful planning and execution by the threat actors.

The Taiwan attacks demonstrate that American officials and other global watchdogs worried about unidentified drones have legitimate concerns. With drone manufacturers under attack, vigilance isn’t just a good idea. It’s a necessity.

The Acronis Threat Research Unit (TRU) is a team of cybersecurity experts specializing in threat intelligence, AI and risk management.

The TRU team researches emerging threats, provides security insights, and supports IT teams with guidelines, incident response and educational workshops.

We’ve all heard a million times: growing demand for robust cybersecurity in the face of rising cyber threats is undeniable. Globally small and medium-......

Lockbit is by far this summer’s most prolific ransomware group, trailed by two offshoots of the Conti group.

After a recent dip, ransomware attacks a......

Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organizations ......

Dark Caracal Uses Poco RAT to Target Spanish-Speaking Enterprises in Latin America

The threat actor known as Dark Caracal has been attributed to a campaign that deployed a remote access trojan called Poco RAT in attacks targeting Spanish-speaking targets in Latin America in 2024.

The findings come from Russian cybersecurity corporation Positive Technologies, which described the malware as loaded with a "full suite of espionage attributes."

"It could upload files, capture screenshots, execute commands, and manipulate system processes," researchers Denis Kazakov and Sergey Samokhin mentioned in a technical investigation .

Poco RAT was previously documented by Cofense in July 2024, detailing the phishing attacks aimed at mining, manufacturing, hospitality, and utilities sectors. The infection chains are characterized by the use of finance-themed lures that trigger a multi-step process to deploy the malware.

While the campaign was not attributed to any threat at that time, Positive Technologies expressed it identified tradecraft overlaps with Dark Caracal, an advanced persistent threat (APT) known for operating malware families like CrossRAT and Bandook. It's operational since at least 2012.

In 2021, the cyber mercenary group was tied to a cyber espionage campaign dubbed Bandidos that delivered an updated version of the Bandook malware against Spanish-speaking countries in South America.

The latest set of attacks continue their focus on Spanish-speaking individuals, leveraging phishing emails with invoice-related themes that bear malicious attachments written in Spanish as a starting point. An analysis of Poco RAT artifacts indicates the intrusions are mainly targeting enterprises in Venezuela, Chile, the Dominican Republic, Colombia, and Ecuador.

The attached decoy documents impersonate a wide range of industry verticals, including banking, manufacturing, healthcare, pharmaceuticals, and logistics, in an attempt to lend the scheme a little more believability.

When opened, the files redirect victims to a link that triggers the download of a .rev archive from legitimate file-sharing services or cloud storage platforms like Google Drive and Dropbox.

"Files with the .rev extension are generated using WinRAR and were originally designed to reconstruct missing or corrupted volumes in multi-part archives," the researchers explained. "Threat actors repurpose them as stealthy payload containers, helping malware evade security detection."

Present within the archive is a Delphi-based dropper that's responsible for launching Poco RAT, which, in turn, establishes contact with a remote server and grants attackers full control over compromised hosts. The malware gets its name from the use of POCO libraries in its C++ codebase.

Some of the supported commands by Poco RAT are listed below -.

T-01 - Send collected system data to the command-and-control (C2) server.

T-02 - Retrieve and transmit the active window title to the C2 server.

T-03 - Download and run an executable file.

T-04 - Download a file to the compromised machine.

T-05 - Capture a screenshot and send it to the C2 server.

T-06 - Execute a command in [website] and send the output to the C2 server.

"Poco RAT does not come with a built-in persistence mechanism," the researchers expressed. "Once initial reconnaissance is complete, the server likely issues a command to establish persistence, or attackers may use Poco RAT as a stepping stone to deploy the primary payload."

Cybersecurity researchers have discovered an updated version of an Android malware called TgToxic (aka ToxicPanda), indicating that the threat actors ......

The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday warned of renewed activity from an organized criminal group it tracks as UAC-0173......

Over 1,000 websites powered by WordPress have been infected with a third-party JavaScript code that injects four separate backdoors.