Mexican organizations are still being targeted by threat actors to deliver a modified version of AllaKore RAT and SystemBC as part of a long-running campaign.
The activity has been attributed by Arctic Wolf Labs to a financially motivated hacking group called Greedy Sponge. It's believed to be active since early 2021, indiscriminately targeting a wide range of sectors, such as retail, agriculture, public sector, entertainment, manufacturing, transportation, commercial services, capital goods, and banking.
"The AllaKore RAT payload has been heavily modified to enable the threat actors to send select banking credentials and unique authentication information back to their command-and-control (C2) server, for the purpose of conducting financial fraud," the cybersecurity company said in an analysis published last week.
Details of the campaign were first documented by the BlackBerry Research and Intelligence Team (which is now part of Arctic Wolf) in January 2024, with the attacks employing phishing or drive-by compromises to distribute booby-trapped ZIP archives that ultimately facilitate the deployment of AllaKore RAT.
Attack chains analyzed by Arctic Wolf show that the remote access trojan is designed to optionally deliver secondary payloads like SystemBC, a C-based malware that turns compromised Windows hosts into SOCKS5 proxies to allow attackers to communicate with their C2 servers.
Besides dropping potent proxy tools, Greedy Sponge has also refined and updated its tradecraft to incorporate improved geofencing measures as of mid-2024 in an attempt to thwart analysis.
"Historically, geofencing to the Mexican region took place in the first stage, via a .NET downloader included in the trojanized Microsoft software installer (MSI) file," the company said. "This has now been moved server-side to restrict access to the final payload."
The latest iteration sticks to the same approach as before, distributing ZIP files ("Actualiza_Policy_v01.zip") containing a legitimate Chrome proxy executable and a trojanized MSI file that's engineered to drop AllaKore RAT, a malware with capabilities for keylogging, screenshot capture, file download/upload, and remote control.
The MSI file is configured to deploy a .NET downloader, which is responsible for retrieving and launching the remote access trojan from an external server ("manzisuape[.]com/amw"), and a PowerShell script for cleanup actions.
This is not the first time AllaKore RAT has been used in attacks targeting Latin America. In May 2024, HarfangLab and Cisco Talos revealed that an AllaKore variant known as AllaSenha (aka CarnavalHeist) has been used to single out Brazilian banking institutions by threat actors from the country.
"Having spent those four years-plus actively targeting Mexican entities, we would deem this threat actor persistent, but not particularly advanced," Arctic Wolf said. "The strictly financial motivation of this actor coupled with their limited geographic targeting is highly distinctive."
"Additionally, their operational longevity points to probable operational success – meaning they've found something that works for them, and they are sticking with it. Greedy Sponge has held the same infrastructure models for the duration of their campaigns."
 |
| Attack Flow of Campaign Using Ghost Crypt |
The development comes as eSentire detailed a May 2025 phishing campaign that employed a new crypter-as-a-service offering known as Ghost Crypt to deliver and run PureRAT.
"Initial access was gained through social engineering, where the threat actor impersonated a new client and sent a PDF containing a link to a Zoho WorkDrive folder containing malicious zip files," the Canadian company noted. "The attacker also created a sense of urgency by calling the victim and requesting that they extract and execute the file immediately."
Further examination of the attack chain has revealed that the malicious file contains a DLL payload that's encrypted with Ghost Crypt, which then extracts and injects the trojan (i.e., the DLL) into a legitimate Windows csc.exe process using a technique called process hypnosis injection.
Ghost Crypt, which was first advertised by an eponymous threat actor on cybercrime forums on April 15, 2025, offers the ability to bypass Microsoft Defender Antivirus, and serve several stealers, loaders, and trojans like Lumma, Rhadmanthys, StealC, BlueLoader, PureLoader, DCRat, and XWorm, among others.
The discovery also follows the emergence of a new version of Neptune RAT (aka MasonRAT) that's distributed via JavaScript file lures, allowing the threat actors to extract sensitive data, take screenshots, log keystrokes, drop clipper malware, and download additional DLL payloads.
In recent months, cyber attacks have employed malicious Inno Setup installers that serve as a conduit for Hijack Loader (aka IDAT Loader), which then delivers the RedLine information stealer.
The attack "leverages Inno Setup's Pascal scripting capabilities to retrieve and execute the next-stage payload in a compromised or targeted host," the Splunk Threat Research Team said. "This technique closely resembles the approach used by a well-known malicious Inno Setup loader called D3F@ck Loader, which follows a similar infection pattern."
