
Mexican organizations are being targeted by threat actors that deliver modified versions of AllaKore RAT and SystemBC as part of a long-running campaign.
The activity is attributed by Arctic Wolf Labs to a financially motivated hacking group it tracks as Greedy Sponge. The group is believed to have been active since early 2021 and indiscriminately targets a wide range of sectors, including retail, agriculture, the public sector, entertainment, manufacturing, transportation, commercial services, capital goods, and banking.
“The AllaKore RAT payload has been heavily modified to enable the threat actors to send selected banking credentials and unique authentication information back to a command-and-control (C2) server, for the purpose of conducting financial fraud,” the cybersecurity company said in an analysis published last week.
Details of the campaign were first documented in January 2024 by the BlackBerry Research and Intelligence team (now part of Arctic Wolf). At the time, the attacks were found to use phishing or drive-by compromise to distribute a booby-trapped ZIP archive that led to the deployment of AllaKore RAT.

The attack chain analyzed by Arctic Wolf shows that the remote access trojan is designed to optionally deliver secondary payloads such as SystemBC, a C-based malware that turns compromised Windows hosts into SOCKS5 proxies.
In addition to dropping the proxy tool, Greedy Sponge has refined and updated its tradecraft since mid-2024 to incorporate improved geofencing measures that hinder analysis.
“Historically, geofencing to the Mexico region was done in the first stage via a .NET downloader contained in the trojanized Microsoft Software Installer (MSI) file,” the company said. “This has now been moved to the server side to restrict access to the final payload.”
The latest iteration distributes a ZIP file (“altualiza_policy_v01.zip”) containing a trojanized MSI file that drops AllaKore RAT alongside a legitimate Chrome Proxy executable and a keylogger, sticking to the same approach as before.

The MSI file is configured to deploy the .NET downloader responsible for fetching and launching the remote access trojan from an external server (“manzisuape[.]com/amw”), as well as PowerShell scripts for cleanup actions.
This is not the first time AllaKore RAT has been used in attacks targeting Latin America. In May 2024, HarfangLab and Cisco Talos revealed that an AllaKore variant known as AllaSenha (aka CarnavalHeist) was being used by threat actors from the country to target Brazilian banking institutions.
“Greedy Sponge has been actively targeting Mexican entities for over four years, so we consider this threat actor to be persistent, although not particularly sophisticated,” Arctic Wolf said. “Coupled with the strictly financial motivations of this actor and their narrow geographic targeting, it is very distinctive.”
“Moreover, their operational longevity suggests a degree of operational success. That is, they have found something that works for them and stick to it. Greedy Sponge has kept the same infrastructure model throughout the campaign.”
Campaign Attack Flow Using Ghost Crypt
The development comes as eSentire detailed a May 2025 phishing campaign that adopted a new crypter-as-a-service known as Ghost Crypt to deliver and run PureRAT.
“Initial access was obtained through social engineering, where threat actors impersonated new clients and sent PDFs containing links to Zoho WorkDrive folders with malicious ZIP files,” the Canadian company said. “The attackers also created a sense of urgency by calling the victim and requesting that the file be extracted and executed immediately.”
Further investigation into the attack chain revealed that the malicious files contain a Ghost Crypt-encrypted DLL payload, which is decrypted and injected into a legitimate Windows csc.exe process using a technique called process hypnosis injection.
First advertised by a threat actor of the same name on a cybercrime forum on April 15, 2025, Ghost Crypt offers the ability to bypass Microsoft Defender Antivirus and deliver several stealers, loaders and trojans, including Lumma, Rhadamanthys, StealC, BlueLoader, PureLoader, Skuld, and XWorm.

The discovery follows the emergence of a new version of Neptune RAT (aka MasonRAT), distributed via JavaScript file lures, which allows threat actors to exfiltrate sensitive data, take screenshots, log keystrokes, drop clipper malware, and download additional DLL payloads.

Over the past few months, cyber attacks have also adopted a malicious Inno Setup installer that acts as a conduit for Hijack Loader (also known as IDAT Loader), which in turn delivers the RedLine information stealer.
The attack “utilises the Pascal Scripting feature of Inno Setup to retrieve and execute the next-stage payload on a compromised or targeted host,” the Splunk Threat Research team said. “This technique is very similar to the approach used by a well-known malicious Inno Setup loader called the D3F@CK loader, and follows a similar infection pattern.”
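The two process-tree patterns described above (a trojanized MSI whose dropped .NET downloader runs PowerShell cleanup scripts, and an installer that hosts an injected payload in a bare csc.exe) can be hunted for in endpoint process-creation telemetry. The following detection logic is an added example, not code from the article or from any of the vendors it cites; the Sysmon-style events, the allowlist of build-tool parents and the field names are constructed assumptions to be tuned per environment.

```python
import re
import ntpath

# Constructed Sysmon-style process-creation events (not from the article): an MSI running a
# dropped .NET downloader that calls PowerShell, an installer hosting a bare csc.exe, and a
# benign csc.exe spawned by a build tool for contrast.
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec /i policy.msi"},
    {"pid": 20, "ppid": 10, "image": r"C:\Users\u\AppData\Local\Temp\upd.exe", "cmdline": "upd.exe"},
    {"pid": 30, "ppid": 20, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden Remove-Item C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe"},
    {"pid": 40, "ppid": 1, "image": r"C:\Users\u\Downloads\invoice_setup.exe", "cmdline": "invoice_setup.exe"},
    {"pid": 50, "ppid": 40, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "cmdline": "csc.exe"},
    {"pid": 60, "ppid": 1, "image": r"C:\Program Files\MSBuild\MSBuild.exe", "cmdline": "MSBuild.exe proj.csproj"},
    {"pid": 70, "ppid": 60, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /noconfig @C:\\tmp\\abc.rsp"},
]

# Parents that legitimately launch the C# compiler (assumed allowlist; tune per estate).
DEV_PARENTS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe", "dotnet.exe", "powershell.exe"}
# A real compile passes source files, a response file or output options on the command line.
COMPILE_ARGS = re.compile(r"(\.cs\b|@\S+\.rsp|/out:|/target:)", re.IGNORECASE)

def ancestry(pid, by_pid):
    """Return lowercase image basenames from the given process up to the root of the tree."""
    names = []
    while pid in by_pid:
        names.append(ntpath.basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return names

def detect(events):
    """Return (pid, rule) tuples for the two process-tree patterns described in the article."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        chain = ancestry(e["ppid"], by_pid)   # parent first, then grandparent, ...
        parent = chain[0] if chain else ""
        # Injection host: csc.exe started by a non-build parent or without any compile arguments.
        if name == "csc.exe" and (parent not in DEV_PARENTS or not COMPILE_ARGS.search(e["cmdline"])):
            alerts.append((e["pid"], "csc_without_compile_context"))
        # MSI-delivered downloader invoking PowerShell anywhere below msiexec.exe.
        if name == "powershell.exe" and "msiexec.exe" in chain:
            alerts.append((e["pid"], "powershell_under_msiexec"))
    return alerts

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The benign MSBuild-spawned csc.exe (pid 70) is not flagged because its parent is allowlisted and it carries a response file; PowerShell launched directly by a user from Explorer would likewise not match, since msiexec.exe is absent from its ancestry.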