
Poco RAT Malware Uses PDF Files for System Intrusion and Data Theft – Active IOCs

Severity

High

Analysis Summary

A new variant of the Poco RAT malware, linked to the cyber-mercenary group Dark Caracal, has emerged as a major cyber threat to Spanish-speaking organizations in Latin America. This campaign leverages phishing emails disguised as financial notifications, using PDF decoys mimicking Venezuelan banks and industrial firms to lure victims. These PDFs redirect users to shortened URLs hosting malicious .rev archives on cloud platforms like Google Drive and Dropbox. By exploiting the trust in legitimate services, attackers evade detection, with only 7% of decoy documents triggering antivirus alerts. The Poco RAT dropper, a Delphi-based executable, injects itself directly into processes like iexplore.exe to avoid leaving traces on disk.

Dark Caracal has introduced sophisticated evasion techniques in this campaign, such as dynamic API resolution, Twofish encryption with per-build keys, and exception-handler hijacking to bypass security tools. The attack scope has expanded, with 49% of recent phishing attempts targeting technology firms, a 33% increase from 2023. Financial organizations and manufacturing enterprises remain key targets, reflecting the group's continued focus on financial espionage and intellectual property theft. This shift in targeting shows Dark Caracal’s evolving tactics beyond their earlier Bandook RAT operations.

Once Poco RAT is deployed, it performs extensive reconnaissance, including virtualization detection through registry checks and port scanning. It collects system details such as usernames, OS versions, and RAM metrics, formatting them into structured reports. The malware communicates with its command-and-control (C2) infrastructure using heartbeat messages to IPs like 193.233.203.63 while cycling through ports 6211–6543 to evade network-based defenses. Key capabilities include screen capture (T-05), fileless payload execution (T-03), and passthrough command prompt access (T-06), enabling attackers to maintain deep persistence within compromised networks.

Infrastructure analysis by researchers reveals strong overlaps between Poco RAT and Bandook operations, with both malware families using the same hosting providers. AS200019 (AlexHost SRL) hosts Poco RAT (185.216.68.121) alongside Bandook C2 servers (185.216.68.143), while AS44477 (Stark Industries Ltd.) has served both campaigns since 2023. With Poco RAT infections rising by 36% year-over-year, this attack highlights the growing sophistication of Dark Caracal’s methods. To counter these threats, organizations must implement defense-in-depth strategies, combining advanced technical controls with rigorous user awareness training to mitigate phishing risks and cloud abuse tactics.

Impact

  • Security Bypass
  • Sensitive Data Theft
  • Financial Loss

Indicators of Compromise

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Train employees to recognize phishing attempts, especially financial-themed lures.
  • Implement email filtering to block suspicious attachments and links.
  • Use DMARC, DKIM, and SPF records to prevent email spoofing.
  • Deploy endpoint detection and response (EDR) solutions to identify and block suspicious behavior.
  • Use application whitelisting to prevent unauthorized execution of files such as .rev archives.
  • Monitor process injection attempts, particularly into iexplore.exe or similar processes.
  • Restrict access to cloud storage services if not required for business operations.
  • Use web filtering to block access to known malicious URLs and domains.
  • Monitor outbound traffic for unusual connections to C2 IPs like 193.233.203.63 and ports 6211–6543.
  • Ensure regular backups of critical data and store them offline.
  • Keep antivirus and anti-malware solutions updated to detect evolving threats.
  • Encrypt sensitive files to limit data exposure in case of a breach.
  • Patch operating systems and software regularly to close security vulnerabilities.
  • Disable execution of scripts and macros from untrusted sources.
  • Implement network segmentation to limit lateral movement in case of an infection.
  • Set up centralized logging to detect early signs of compromise.
  • Conduct regular threat-hunting exercises to identify hidden threats.
  • Develop an incident response plan to contain and remediate infections quickly.
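The outbound-traffic check from the remediation list, applied to the C2 behaviour described in the analysis (heartbeats to a known address and cycling through ports 6211–6543), as an added Python example that is not part of the original advisory. The CSV log format, the alert threshold and the sample connections are constructed assumptions; the C2 addresses are the ones named on this page.

```python
import csv
import io
from collections import defaultdict

# C2 addresses named in the advisory above.
KNOWN_C2 = {"193.233.203.63", "185.216.68.121"}
# Port range the advisory reports Poco RAT cycling through for its heartbeats.
C2_PORT_RANGE = range(6211, 6544)
# Assumed threshold: distinct in-range ports per (src, dst) pair before flagging.
PORT_CYCLE_THRESHOLD = 3

# Constructed sample firewall export (not real traffic): ts,src,dst,dport,action
SAMPLE_LOG = """\
ts,src,dst,dport,action
2025-03-03T08:00:01,10.0.0.15,193.233.203.63,6211,allow
2025-03-03T08:05:02,10.0.0.15,193.233.203.63,6240,allow
2025-03-03T08:10:03,10.0.0.15,193.233.203.63,6302,allow
2025-03-03T08:10:09,10.0.0.22,203.0.113.10,443,allow
2025-03-03T08:11:00,10.0.0.31,198.51.100.7,6300,allow
2025-03-03T08:12:00,10.0.0.31,198.51.100.7,6301,allow
2025-03-03T08:13:00,10.0.0.31,198.51.100.7,6415,allow
2025-03-03T08:14:00,10.0.0.31,198.51.100.7,6512,allow
2025-03-03T08:15:00,10.0.0.40,198.51.100.7,80,allow
"""

def parse_log(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows

def find_c2_alerts(rows):
    # Returns sorted (src, dst, reason) tuples: hits on known C2 IPs plus
    # hosts that touch the same destination on several ports in the C2 range.
    alerts = set()
    ports_seen = defaultdict(set)
    for r in rows:
        if r["dst"] in KNOWN_C2:
            alerts.add((r["src"], r["dst"], "known_c2_ip"))
        if r["dport"] in C2_PORT_RANGE:
            ports_seen[(r["src"], r["dst"])].add(r["dport"])
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= PORT_CYCLE_THRESHOLD:
            alerts.add((src, dst, "port_cycling_%d_ports" % len(ports)))
    return sorted(alerts)

if __name__ == "__main__":
    for a in find_c2_alerts(parse_log(SAMPLE_LOG)):
        print(a)
```

The port-cycling rule catches the heartbeat pattern even when the destination is not yet on a blocklist, so it is worth keeping alongside the plain IOC match.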