Dark Caracal (G0070) Threat Profile: Mobile-Focused Espionage
- Suspected Origin
- Lebanon
- Motivation
- Espionage, Information Theft, Targeted Surveillance, Financial Gain
- Aliases
- None documented
- Target Sectors
- Government, Military, Financial, Manufacturing, Defense Contractors, Healthcare, Education, Utilities, Activists, Journalists, Lawyers
- Associated Malware
- Pallas, Bandook, CrossRAT, FinFisher, Poco RAT
Overview
Dark Caracal (G0070) is a persistent threat group that has been actively conducting espionage operations since at least 2012. This group is widely attributed to entities affiliated with the Lebanese General Directorate of General Security (GDGS) and is believed to operate out of a building belonging to the GDGS in Beirut. Unlike many advanced persistent threat (APT) groups that focus on compromising entire networks or organizations, Dark Caracal primarily targets individuals through mobile surveillance, aiming to collect long-term intelligence.
The group’s strategic motivation is predominantly espionage, involving the collection of sensitive personal, political, and organizational data from its targets. In recent campaigns, researchers have also noted potential financial motives driving some of their operations. Dark Caracal’s target profile is broad, encompassing individuals and entities typically of interest to a nation-state. This includes government officials, military personnel, journalists, activists, lawyers, medical professionals, and individuals within educational institutions, as well as various sectors such as defense, finance, manufacturing, and utilities. They have compromised thousands of victims across more than 21 countries, including those in North America, Europe, the Middle East, and Asia.
Despite being characterized as less technically sophisticated compared to some major nation-state actors, Dark Caracal has proven to be disturbingly effective. Their success is attributed to a high degree of persistence and an adept use of social engineering to exploit human trust and weak user security practices on mobile devices, rather than relying on advanced malware or zero-day exploits.
Tactics & Techniques
Dark Caracal’s tactics, techniques, and procedures (TTPs) consistently leverage social engineering as their primary initial access vector. They extensively use phishing, particularly spearphishing messages delivered via social media platforms like Facebook and popular messaging applications such as WhatsApp, to lure victims. These messages often direct targets to fake app store-like pages where trojanized Android applications, impersonating legitimate messaging apps like Signal and WhatsApp, await download. In some instances, the group has reportedly gained physical access to victims’ devices to install malicious applications directly.
Once malicious applications are installed, Dark Caracal malware typically executes under the permissions granted during installation, circumventing the need for privilege escalation. For persistence on Windows systems, Dark Caracal’s variant of Bandook has been observed adding a registry key to HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run. Mobile malware also employs background processes that can recreate after a restart, making the malware appear as legitimate applications.
The group’s operations are designed for extensive data exfiltration. They are capable of stealing a wide range of sensitive information, including documents, call records, audio recordings, secure messaging client content, contact information, text messages (including two-factor authentication codes), photos, browsing history, location data, enterprise intellectual property, and personally identifiable information. To maintain stealth, they have used blurred decoy documents, link-shortening services, and legitimate cloud storage for payload distribution, making detection harder. Network communication for their implants often uses standard HTTP, with Bandook variants communicating over TCP ports using Base64 encoded HTTP payloads.
A notable operational blunder that led to their public exposure was leaving command-and-control (C2) servers exposed, some utilizing Windows and XAMPP software, which provided researchers with a unique digital footprint and insights into their operations, including real-time logs of infected machines.
Notable Campaigns
Dark Caracal’s activity first came to widespread public attention in January 2018 through a joint report by Lookout and the Electronic Frontier Foundation (EFF). This report unveiled a global mobile espionage campaign that had been operating for years, collecting hundreds of gigabytes of data from thousands of victims across 21+ countries. The investigation linked some of Dark Caracal’s infrastructure to “Operation Manul,” an earlier multi-platform espionage campaign targeting journalists, activists, lawyers, and dissidents critical of the Kazakh government. While infrastructure was shared, the specific targeting of Dark Caracal campaigns often diverged, suggesting shared resources or management. The 2018 report specifically detailed how the group was believed to be administered from a building of the Lebanese General Security Directorate in Beirut, based on technical evidence like Wi-Fi networks and IP addresses.
The group has continued its activities following its public exposure. A 2023 EFF report uncovered a new Dark Caracal campaign, active since March 2022, primarily focused on Latin America. This campaign involved hundreds of infections across over a dozen countries, with a significant concentration in the Dominican Republic and Venezuela. This regional focus has been reiterated in later reports, which suggest a shift towards Latin American corporate networks, particularly in the mining, manufacturing, and hospitality sectors, with potential financial motivations.
Associated Malware & Tools
Dark Caracal employs a diverse arsenal of malware and tools, often custom-developed, or utilizing common open-source components and commercial spyware.
- Pallas: This is Dark Caracal’s custom-developed mobile surveillanceware, specifically targeting Android devices. Pallas is distributed via trojanized applications and grants attackers extensive control over a compromised device. Its capabilities include taking photographs, recording video and audio, stealing call records, text messages, contacts, secure messaging client content, browsing history, location data, and other files.
- Bandook RAT: A Windows-based Remote Access Trojan (RAT) that is considered a signature malware of Dark Caracal. Bandook is used for credential theft and data exfiltration from desktop systems. Functionality includes turning on webcams, adding/removing files, controlling the mouse, recording the screen, and starting remote desktop sessions. Bandook variants used by Dark Caracal are often packed with UPX and employ Base64 encoding and encryption for obfuscation.
- CrossRAT: Lookout and EFF identified this previously unknown, multi-platform tool capable of targeting Windows, OSX, and Linux systems used by Dark Caracal.
- FinFisher: Dark Caracal has also been observed utilizing FinFisher, a commercial “lawful intercept” tool typically sold to governments.
- Poco RAT: More recently, since 2022/2024, researchers have identified a new credential-harvesting and remote access trojan named Poco RAT in campaigns linked to Dark Caracal. Poco RAT shares distinct similarities with Bandook and its distribution has notably increased as Bandook detections have decreased, suggesting it may be a newer replacement or addition to the group’s malware arsenal. Poco RAT offers a full range of espionage features, including screenshot capture, file uploads, command execution, and system process manipulation.
Current Status
Dark Caracal remains an active threat actor. Following its public exposure in 2018, the group continued its operational activities, making some infrastructure changes and minor improvements to its operational security practices, though many core methods persist. Recent reporting indicates ongoing campaigns, particularly with a renewed focus on Latin America since at least 2022.
The observed shift towards newer malware like Poco RAT demonstrates the group’s continued evolution in tooling, even while their attack methodology, heavily reliant on social engineering and exploiting human trust, has largely remained consistent. Despite documented instances of operational blunders, Dark Caracal continues to be “disturbingly effective,” successfully infecting thousands of victims and exfiltrating vast amounts of sensitive data. Their continued activity underscores the ongoing threat posed by actors who, while not always employing cutting-edge exploits, are persistent and skilled at manipulating human factors to achieve their espionage objectives.
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call