Cyber Threat Landscape: The Ongoing Allure of AllaKore RAT and Greedy Sponge
Mexican organizations remain the focus of a long-running campaign that delivers a modified version of AllaKore RAT together with SystemBC. The activity has been attributed to a financially motivated group tracked as Greedy Sponge, which has reportedly been active since early 2021. Its targeting spans retail, agriculture, public services, entertainment, manufacturing, transportation, commercial services, capital goods, and finance.
Understanding the Threat: AllaKore RAT and Its Modifications
Arctic Wolf Labs, which analyzed the activity, reports that AllaKore RAT has been modified to harvest banking credentials and authentication data and send them to a command-and-control (C2) server. The modifications turn the remote access trojan (RAT) into a tool for financial fraud against victims across the industries listed above.
Campaign Initiation: Phishing and Drive-By Downloads
The campaign was first documented by the BlackBerry Research and Intelligence Team, since integrated into Arctic Wolf. Its January 2024 findings described phishing and drive-by compromise as the delivery methods for malicious ZIP archives; when a user opens an archive and runs its contents, AllaKore RAT is installed.
Technical Breakdown: How They Operate
Arctic Wolf's analysis of Greedy Sponge's attack chain also notes that AllaKore RAT is not the end of it. The RAT can deliver additional payloads, including SystemBC, which turns the compromised host into a SOCKS5 proxy that the attackers use to relay traffic to and from their C2 servers.
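One way to turn the SOCKS5 point into a detection, as an added example (this is not code from Arctic Wolf's report or from SystemBC): the parser below recognizes the client side of a SOCKS5 handshake (the RFC 1928 greeting followed by a CONNECT, BIND or UDP ASSOCIATE request) in the first bytes a peer sends to a host, and flags hosts that are not sanctioned proxies yet accept such requests. The flow records and the inventory of sanctioned proxies are constructed for the example; it does not decode SystemBC's own C2 protocol, which the report does not describe.

```python
"""Flag internal hosts that accept SOCKS5 connections (SystemBC-style proxy).

Added example, not code from the report or from SystemBC. It parses the
client half of a SOCKS5 handshake per RFC 1928 and applies a simple rule:
any host that is not a sanctioned proxy yet receives a well-formed SOCKS5
request is suspicious. The flows and the proxy inventory are constructed.
"""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def parse_socks5_client(data: bytes):
    """Parse greeting + request from the client->server bytes of a stream.

    Returns a dict (methods, cmd, dst, port) or None if it is not SOCKS5.
    """
    # Greeting: VER NMETHODS METHODS...
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    off = 2 + nmethods
    if nmethods == 0 or len(data) < off:
        return None
    methods = list(data[2:off])
    # Request: VER CMD RSV ATYP DST.ADDR DST.PORT (RSV must be zero)
    if len(data) < off + 4 or data[off] != SOCKS_VERSION or data[off + 2] != 0:
        return None
    cmd, atyp = data[off + 1], data[off + 3]
    off += 4
    if atyp == ATYP_IPV4:
        if len(data) < off + 4:
            return None
        dst = str(ipaddress.IPv4Address(data[off:off + 4]))
        off += 4
    elif atyp == ATYP_DOMAIN:
        if len(data) < off + 1:
            return None
        n = data[off]
        off += 1
        if n == 0 or len(data) < off + n:
            return None
        dst = data[off:off + n].decode("ascii", "replace")
        off += n
    elif atyp == ATYP_IPV6:
        if len(data) < off + 16:
            return None
        dst = str(ipaddress.IPv6Address(data[off:off + 16]))
        off += 16
    else:
        return None
    if len(data) < off + 2:
        return None
    port = struct.unpack("!H", data[off:off + 2])[0]
    return {"methods": methods, "cmd": CMD_NAMES.get(cmd, f"UNKNOWN({cmd})"),
            "dst": dst, "port": port}


def build_socks5_client(dst: str, port: int) -> bytes:
    """Encode a no-auth greeting plus CONNECT request (used to build samples)."""
    greeting = bytes([SOCKS_VERSION, 1, 0])  # one offered method: NO AUTHENTICATION
    try:
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(dst).packed
    except ipaddress.AddressValueError:
        raw = dst.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return greeting + bytes([SOCKS_VERSION, 1, 0]) + addr + struct.pack("!H", port)


# Constructed inventory: hosts that are allowed to act as SOCKS5 proxies.
SANCTIONED_PROXIES = {"10.0.0.5"}

# Constructed flows: (client, server, server_port, first bytes sent by the client).
FLOWS = [
    ("10.0.1.20", "10.0.0.5", 1080, build_socks5_client("192.0.2.10", 443)),
    ("10.0.1.20", "10.0.1.77", 4300, build_socks5_client("example.com", 8080)),
    ("10.0.1.20", "10.0.1.77", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]


def find_rogue_proxies(flows, sanctioned=SANCTIONED_PROXIES):
    """Return (server, server_port, parsed_request) for unsanctioned SOCKS5 servers."""
    hits = []
    for client, server, sport, payload in flows:
        req = parse_socks5_client(payload)
        if req is not None and server not in sanctioned:
            hits.append((server, sport, req))
    return hits


if __name__ == "__main__":
    for server, sport, req in find_rogue_proxies(FLOWS):
        print(f"ALERT {server}:{sport} accepted SOCKS5 {req['cmd']} "
              f"to {req['dst']}:{req['port']}")
```

The rule keys on role, not on port: SystemBC-style proxies listen wherever the operator configures them, so the signal is a workstation answering SOCKS5 at all, not traffic on 1080. Feed it reassembled client-to-server payloads from a flow collector; the parser rejects anything whose version byte, reserved byte, address type or length fields are not exactly what RFC 1928 specifies.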
The operators have also refined their tooling. As of mid-2024 they apply geofencing to keep the payload away from systems outside the target region and from analysts. Previously the check ran client-side in the first stage, inside a .NET downloader embedded in a trojanized Microsoft Software Installer (MSI) package. It has since moved server-side: the download server decides whether to return the final payload, so a requester outside the intended geography (a sandbox or a researcher, for instance) receives nothing to analyze.
The ZIP File Distribution Method
Greedy Sponge's current distribution method still starts with a ZIP archive, most recently one named "Actualiza_Policy_v01.zip". The archive contains a legitimate-looking Chrome proxy executable alongside a malicious MSI file that installs AllaKore RAT. The MSI carries a .NET downloader that retrieves the RAT from an external server, "manzisuape[.]com/amw" (defanged), and executes it. The installer also includes a PowerShell script that cleans up installation artifacts to hide the infection.
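A triage script for archives matching this description, added here as an example (not code from Arctic Wolf or from the campaign): it opens a ZIP offline, classifies members by magic bytes rather than by extension, flags an MSI packaged next to a PE executable, and searches member contents for the downloader host named above in both ASCII and UTF-16LE (the encoding .NET uses for string literals in an assembly's user-string heap). The sample archive is constructed inside the script and stands in for Actualiza_Policy_v01.zip; none of its bytes come from a real sample.

```python
"""Offline triage of a ZIP lure shaped like the one described above.

Added example, not code from the report or the campaign. It checks for
the traits the report describes: an MSI installer packaged next to a PE
executable, and a reference to the downloader host manzisuape[.]com/amw
inside any member. The sample archive below is constructed.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header; MSI files start with it
PE_MAGIC = b"MZ"                                   # DOS header of a Windows executable

# Indicator from the report, kept defanged in source; refanged only for matching.
DEFANGED_IOCS = ["manzisuape[.]com/amw"]


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")


def classify(data: bytes) -> str:
    """Classify by magic bytes, so a renamed .exe or .msi is still recognized."""
    if data.startswith(OLE_MAGIC):
        return "msi/ole"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "other"


def ioc_hits(data: bytes):
    """Search for each indicator as ASCII and as UTF-16LE (.NET string literals)."""
    hits = []
    for ioc in DEFANGED_IOCS:
        needle = refang(ioc)
        if needle.encode("ascii") in data or needle.encode("utf-16-le") in data:
            hits.append(ioc)
    return hits


def triage_zip(zip_bytes: bytes) -> dict:
    """Return member classifications, IOC hits and human-readable reasons."""
    result = {"members": {}, "ioc_hits": [], "reasons": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            kind = classify(data)
            result["members"][info.filename] = kind
            ext = info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            # An extension that lies about the content is a red flag on its own.
            if kind == "pe" and ext not in ("exe", "dll"):
                result["reasons"].append(f"{info.filename}: PE header behind .{ext} extension")
            if kind == "msi/ole" and ext != "msi":
                result["reasons"].append(f"{info.filename}: MSI/OLE header behind .{ext} extension")
            for ioc in ioc_hits(data):
                result["ioc_hits"].append((info.filename, ioc))
    kinds = set(result["members"].values())
    if "msi/ole" in kinds and "pe" in kinds:
        result["reasons"].append("MSI installer packaged alongside a PE executable")
    if result["ioc_hits"]:
        result["reasons"].append("known downloader host referenced in archive contents")
    result["suspicious"] = bool(result["reasons"])
    return result


def build_sample_archive() -> bytes:
    """Constructed stand-in for Actualiza_Policy_v01.zip; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("chrome_proxy.exe", PE_MAGIC + b"\x90\x00" + b"decoy " * 8)
        url = refang(DEFANGED_IOCS[0]).encode("utf-16-le")  # as a .NET string literal
        zf.writestr("Actualiza_Policy.msi", OLE_MAGIC + b"\x00" * 16 + url + b"\x00" * 8)
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control case: a text-only archive that should not trigger."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("policy.txt", b"Actualizacion de politicas\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_zip(build_sample_archive())
    for name, kind in report["members"].items():
        print(f"{name}: {kind}")
    for reason in report["reasons"]:
        print("-", reason)
```

Two design points matter in practice. Classification uses the file header rather than the name, because the lure relies on the user trusting names like a Chrome proxy executable. The indicator search covers UTF-16LE as well as ASCII because a URL hard-coded in a .NET downloader is stored as a wide string and will be missed by an ASCII-only grep.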
Historical Context: AllaKore’s Use in Latin America
This is not AllaKore RAT's first appearance in Latin American campaigns. In May 2024, HarfangLab and Cisco Talos documented a variant called AllaSenha (also tracked as CarnavalHeist) used by local threat actors against the Brazilian banking sector.
The Persistence and Pattern of Greedy Sponge
Arctic Wolf characterizes Greedy Sponge as persistent and squarely focused on financial gain. The group is not considered highly sophisticated, but its years of continuous operation indicate that its approach works against the institutions it targets, and the longevity of its infrastructure supports the same conclusion.
Broader Implications in Cybersecurity
Separately, eSentire reported a phishing campaign in May 2025 that used a crypter-as-a-service called Ghost Crypt to deploy PureRAT. The case illustrates how these threats evolve: social engineering draws the target into an apparently legitimate interaction that ends with their data being stolen.
Emerging Technologies in Cybercrime
Ghost Crypt, advertised on cybercriminal forums since April 2025, is notable for evading Microsoft Defender Antivirus. It is used to package a range of payloads, including information stealers and loaders, so that they reach the endpoint undetected.
Remote access trojans such as Neptune RAT are also seeing renewed distribution, now through JavaScript file lures. Once running, they capture sensitive data and can fetch further payloads onto the victim's system.
Evolving Techniques in Exploitation
Malicious Inno Setup installers have also drawn attention. These trojanized installers deliver Hijack Loader (also known as IDAT Loader), which in turn deploys the RedLine information stealer. This is not an exploit of a flaw in Inno Setup: the technique uses the installer framework's own scripting and packaging capabilities to stage and run the malware under the cover of an ordinary software installation.
The overlap in techniques across these campaigns (archive and installer lures, staged downloaders, crypters, and proxy components) is the practical lesson: defenses have to track these tactics as they change, with particular attention to the organizations most exposed to them.