ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > Dark Caracal

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Dark Caracal

NamesDark Caracal (Lookout)
ATK 27 (Thales)
TAG-CT3 (Recorded Future)
CountryLebanon Lebanon
SponsorState-sponsored, General Directorate of General Security (GDGS)
MotivationInformation theft and espionage
First seen2007
Description(Lookout) Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information. We are releasing more than 90 indicators of compromise (IOC) associated with Dark Caracal including 11 different Android malware IOCs; 26 desktop malware IOCs across Windows, Mac, and Linux; and 60 domain/IP based IOCs.

Dark Caracal targets include individuals and entities that a nation state might typically attack, including governments, military targets, utilities, financial institutions, manufacturing companies, and defense contractors. We specifically uncovered data associated with military personnel, enterprises, medical professionals, activists, journalists, lawyers, and educational institutions during this investigation. Types of data include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.
ObservedSectors: Defense, Education, Financial, Government, Healthcare, Manufacturing, Media, Utilities and activists, lawyers and journalists.
Countries: China, France, Germany, India, Italy, Jordan, Lebanon, Nepal, Netherlands, Pakistan, Philippines, Qatar, Russia, Saudi Arabia, South Korea, Switzerland, Syria, Thailand, USA, Venezuela, Vietnam.
Tools usedBandook, CrossRAT, FinFisher, Pallas.
Operations performedJan 2012Operation “Dark Caracal”
<https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf>
2020During this past year, dozens of digitally signed variants of this once commodity malware started to reappear in the threat landscape, reigniting interest in this old malware family.
<https://research.checkpoint.com/2020/bandook-signed-delivered/>
Information<https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf>
<https://www.dropbox.com/s/qjkcd56v3fhkjou/Whitepaper Dark Caracal Campaign.pdf?dl=0>
MITRE ATT&CK<https://attack.mitre.org/groups/G0070/>

Last change to this card: 09 December 2021

Download this actor card in PDF or JSON format

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]