Cyber Web Spider Blog – News

Credential Theft and Remote Access Surge as AllaKore, PureRAT, and Hijack Loader Proliferate

Posted on July 22, 2025 By CWS

Mexican organizations are still being targeted by threat actors to deliver a modified version of AllaKore RAT and SystemBC as part of a long-running campaign.
The activity has been attributed by Arctic Wolf Labs to a financially motivated hacking group called Greedy Sponge. It is believed to have been active since early 2021, indiscriminately targeting a wide range of sectors, such as retail, agriculture, public sector, entertainment, manufacturing, transportation, commercial services, capital goods, and banking.
"The AllaKore RAT payload has been heavily modified to enable the threat actors to send select banking credentials and unique authentication information back to their command-and-control (C2) server, for the purpose of conducting financial fraud," the cybersecurity company said in an analysis published last week.
Details of the campaign were first documented by the BlackBerry Research and Intelligence Team (which is now part of Arctic Wolf) in January 2024, with the attacks employing phishing or drive-by compromises to distribute booby-trapped ZIP archives that ultimately facilitate the deployment of AllaKore RAT.

Attack chains analyzed by Arctic Wolf show that the remote access trojan is designed to optionally deliver secondary payloads like SystemBC, a C-based malware that turns compromised Windows hosts into SOCKS5 proxies to allow attackers to communicate with their C2 servers.
Besides dropping potent proxy tools, Greedy Sponge has also refined and updated its tradecraft to incorporate improved geofencing measures as of mid-2024 in an attempt to thwart analysis.
"Historically, geofencing to the Mexican region occurred in the first stage, via a .NET downloader included in the trojanized Microsoft software installer (MSI) file," the company said. "This has now been moved server-side to restrict access to the final payload."
The latest iteration sticks to the same approach as before, distributing ZIP files ("Actualiza_Policy_v01.zip") containing a legitimate Chrome proxy executable and a trojanized MSI file that is engineered to drop AllaKore RAT, a malware with capabilities for keylogging, screenshot capture, file download/upload, and remote control.

The MSI file is configured to deploy a .NET downloader, which is responsible for retrieving and launching the remote access trojan from an external server ("manzisuape[.]com/amw"), and a PowerShell script for cleanup actions.
This is not the first time AllaKore RAT has been used in attacks targeting Latin America. In May 2024, HarfangLab and Cisco Talos revealed that an AllaKore variant known as AllaSenha (aka CarnavalHeist) had been used to single out Brazilian banking institutions by threat actors from the country.

"Having spent these 4 years-plus actively targeting Mexican entities, we'd deem this threat actor persistent, but not particularly advanced," Arctic Wolf said. "The strictly financial motivation of this actor coupled with their limited geographic targeting is highly unique."
"Furthermore, their operational longevity points to likely operational success – meaning they've found something that works for them, and they're sticking with it. Greedy Sponge has held the same infrastructure models throughout their campaigns."
Attack Flow of Campaign Using Ghost Crypt
The development comes as eSentire detailed a May 2025 phishing campaign that employed a new crypter-as-a-service offering known as Ghost Crypt to deliver and run PureRAT.
"Initial access was gained through social engineering, where the threat actor impersonated a new client and sent a PDF containing a link to a Zoho WorkDrive folder containing malicious zip files," the Canadian company noted. "The attacker also created a sense of urgency by calling the victim and requesting that they extract and execute the file immediately."
Further examination of the attack chain has revealed that the malicious file contains a DLL payload that is encrypted with Ghost Crypt, which then extracts and injects the trojan (i.e., the DLL) into a legitimate Windows csc.exe process using a technique called process hypnosis injection.
Ghost Crypt, which was first advertised by an eponymous threat actor on cybercrime forums on April 15, 2025, offers the ability to bypass Microsoft Defender Antivirus and serve a number of stealers, loaders, and trojans like Lumma, Rhadamanthys, StealC, BlueLoader, PureLoader, DCRat, and XWorm, among others.
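As an added defensive example (not code from Arctic Wolf, eSentire, or The Hacker News), the Python triage helper below runs the indicators reported for the two campaigns above over a few constructed process-creation and network log lines: the "Actualiza_Policy_v01.zip" lure and the "manzisuape[.]com" download server from the AllaKore chain, and the csc.exe injection target from the Ghost Crypt chain. The log line format, the list of parents expected to launch csc.exe, and the "PowerShell spawned by msiexec.exe" heuristic are assumptions made for illustration; the sample telemetry is constructed, not captured.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the article. The ZIP name's stem is used so that the
# folder a user gets after extracting the archive matches as well.
C2_DOMAINS = {"manzisuape.com"}
LURE_NAMES = {"actualiza_policy_v01"}

# Assumption: the C# compiler is normally started by the .NET build toolchain
# or a scripting host; any other parent deserves a second look given the
# csc.exe injection step described for Ghost Crypt.
EXPECTED_CSC_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe",
                        "vbcscompiler.exe", "powershell.exe"}


@dataclass
class Event:
    kind: str    # "process" (creation) or "network" (outbound connection)
    parent: str  # parent image name, lower-cased
    image: str   # image name, lower-cased
    detail: str  # command line for process events, destination for network events


# Assumed log line format (constructed for this example):
#   process parent=<image> image=<image> detail=<command line>
#   network parent=<image> image=<image> detail=<host[/path]>
LINE_RE = re.compile(
    r"^(?P<kind>process|network)\s+parent=(?P<parent>\S+)\s+image=(?P<image>\S+)\s+detail=(?P<detail>.*)$"
)


def defang(text):
    """Normalise defanged indicators ("[.]", "hxxp") so they compare cleanly."""
    return text.replace("[.]", ".").replace("hxxp", "http").lower()


def parse_line(line):
    """Parse one log line into an Event, or return None if it is not in the assumed format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Event(m["kind"], m["parent"].lower(), m["image"].lower(), defang(m["detail"]))


def classify(ev):
    """Return the list of findings a single event trips (empty if none)."""
    findings = []
    if ev.kind == "network":
        host = ev.detail.split("/")[0].split(":")[0]
        if host in C2_DOMAINS:
            findings.append(f"outbound contact with known C2 {host} by {ev.image}")
        return findings
    if any(name in ev.detail for name in LURE_NAMES):
        findings.append(f"lure archive name in command line of {ev.image}")
    if ev.parent == "msiexec.exe" and ev.image == "powershell.exe":
        findings.append("PowerShell launched by msiexec.exe (cleanup-script pattern)")
    if ev.image == "csc.exe" and ev.parent not in EXPECTED_CSC_PARENTS:
        findings.append(f"csc.exe started by unexpected parent {ev.parent}")
    return findings


def triage(lines):
    """Return (line_number, finding) pairs for every line that trips a rule."""
    hits = []
    for number, line in enumerate(lines, start=1):
        ev = parse_line(line)
        if ev is None:
            continue
        hits.extend((number, finding) for finding in classify(ev))
    return hits


# Constructed sample telemetry; not real logs from either campaign.
SAMPLE_LOG = [
    r"process parent=explorer.exe image=msiexec.exe detail=/i C:\Users\u\Downloads\Actualiza_Policy_v01\setup.msi",
    r"process parent=msiexec.exe image=powershell.exe detail=-nop -w hidden -File cleanup.ps1",
    r"network parent=msiexec.exe image=updater.exe detail=manzisuape[.]com/amw",
    r"process parent=msbuild.exe image=csc.exe detail=/noconfig @build.rsp",
    r"process parent=explorer.exe image=csc.exe detail=",
    r"network parent=explorer.exe image=chrome.exe detail=example.com/",
]

if __name__ == "__main__":
    for number, finding in triage(SAMPLE_LOG):
        print(f"line {number}: {finding}")
```

Run stand-alone, the script flags four of the six sample lines: the msiexec command line naming the lure, PowerShell spawned by msiexec, the connection to the download server, and csc.exe started by explorer.exe. The build-toolchain csc.exe launch and the ordinary browser connection pass. The string-keyed line format stands in for the parent/image/command-line fields of process-creation and network-connection telemetry; in production the C2 rule should also be applied to DNS and proxy logs, since the article notes that geofencing now happens server-side and a blocked request still leaves a resolution trail.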

The discovery also follows the emergence of a new version of Neptune RAT (aka MasonRAT) that is distributed via JavaScript file lures, allowing the threat actors to extract sensitive data, take screenshots, log keystrokes, drop clipper malware, and download additional DLL payloads.

In recent months, cyber attacks have employed malicious Inno Setup installers that serve as a conduit for Hijack Loader (aka IDAT Loader), which then delivers the RedLine information stealer.
The attack "leverages Inno Setup's Pascal scripting capabilities to retrieve and execute the next-stage payload in a compromised or targeted host," the Splunk Threat Research Team said. "This technique closely resembles the method used by a well-known malicious Inno Setup loader called D3F@ck Loader, which follows a similar infection pattern."

Source: The Hacker News. Tags: Access, AllaKore, Credential, Hijack, Loader, Proliferate, PureRAT, Remote, Surge, Theft
