Dark Caracal is a threat group that has been active for a long time, going back to at least 2012.

Most of the group's activity consists of spyware campaigns conducted worldwide.

The group was first publicly identified in January 2018 by the Electronic Frontier Foundation (EFF), together with the mobile security firm Lookout, when they uncovered Dark Caracal's campaign targeting Android users.

Background

The group is highly likely state-sponsored and has been linked to the General Directorate of General Security (GDGS) in Lebanon.

Technical evidence, such as command-and-control servers traced to a GDGS office in Beirut, suggests the potential involvement of the Lebanese government.

However, it remains uncertain whether this indicates direct GDGS responsibility or whether GDGS merely hired the group.

Tracking Dark Caracal's activity over the years has led to both Lebanon and Kazakhstan, which has led some to speculate that Dark Caracal is a group of cyber-mercenaries that governments use from time to time.

As of today, Dark Caracal remains active in various countries.

Discovery Campaign

As mentioned, the group was discovered by the EFF, and its most thoroughly documented campaign primarily used phishing attacks and, in some cases, physical access to victims' devices to install malicious Android applications.

These applications mimic popular instant messaging platforms and grant the group full control over the compromised devices.

No evidence suggests that iPhone users were targeted, and none of the malicious applications were found on the Google Play Store; victims were lured into sideloading them from attacker-controlled sources. The stolen data includes documents, call records, text messages, audio recordings, secure messaging content, browsing history, contact information, photos, location data, and other personally identifiable information.

In that particular campaign, Dark Caracal used two main tools. For monitoring Android devices they used a spyware implant named Pallas, while a variant of the Bandook trojan was used to monitor Windows devices.

New Campaign

The group has since been observed using a new version of its Bandook malware.

The new variant appears to have more functionality and communicates with new command-and-control infrastructure that has been traced back to Russia.

In this recent campaign, which was discovered in February 2023, between 600 and 800 victims were found infected by Dark Caracal, mostly in Central and South America.

Victimology

There is not much documentation of the group's activity. They seem to have the skill to do their work very quietly and without leaving many traces.

Over the years it has become apparent that the group is mostly hired by governments, which also tells us a lot about its capabilities.

Looking at the campaigns Dark Caracal has been involved in, it appears to target high-profile government figures, journalists, government contractors and others. Overall, those who hire the group seem to do so mostly for political reasons.

Conclusions

Dark Caracal is an interesting group. They have not appeared often, but they seem to be fairly sophisticated and quiet.

My gamble here is no different from others: I do believe that Dark Caracal is a cyber-mercenary group, maybe even a company in the field of offensive security that offers its services to countries that have some political interest in its spyware.

Thanks for reading!