Dark Caracal

Description

(Lookout) Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information. We are releasing more than 90 indicators of compromise (IOC) associated with Dark Caracal including 11 different Android malware IOCs; 26 desktop malware IOCs across Windows, Mac, and Linux; and 60 domain/IP based IOCs.

Dark Caracal targets include individuals and entities that a nation state might typically attack, including governments, military targets, utilities, financial institutions, manufacturing companies, and defense contractors. We specifically uncovered data associated with military personnel, enterprises, medical professionals, activists, journalists, lawyers, and educational institutions during this investigation. Types of data include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.

Names

Name	Name-Giver
Dark Caracal	Lookout
ATK 27	Thales
TAG-CT3	Recorded Future

Country

• Lebanon

Sponsor

State-sponsored, General Directorate of General Security (GDGS)

Motivation

• Information theft and espionage

First Seen

2007

Observed Sectors

• Defense
• Education
• Financial
• Government
• Healthcare
• Manufacturing
• Media
• Utilities
• activists, lawyers and journalists

Observed Countries

• China
• France
• Germany
• India
• Italy
• Jordan
• Lebanon
• Nepal
• Netherlands
• Pakistan
• Philippines
• Qatar
• Russia
• Saudi Arabia
• South Korea
• Switzerland
• Syria
• Thailand
• USA
• Venezuela
• Vietnam

Tools

• Bandook
• CrossRAT
• FinFisher
• Pallas

Operations

• 2012-01: Operation “Dark Caracal” https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf
• 2020: During this past year, dozens of digitally signed variants of this once commodity malware started to reappear in the threat landscape, reigniting interest in this old malware family. https://research.checkpoint.com/2020/bandook-signed-delivered/
• 2024-06: The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/the-evolution-of-dark-caracal-tools-analysis-of-a-campaign-featuring-poco-rat

Information

• https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf
• https://www.dropbox.com/s/qjkcd56v3fhkjou/Whitepaper Dark Caracal Campaign.pdf?dl=0

Mitre Attack

• https://attack.mitre.org/groups/G0070/

Other Information

Uuid

fc5237e5-874a-4892-af91-f50550dd9588

Last Card Change

2025-04-21