New Poco RAT Targets Spanish-Speaking Victims in Phishing Campaign

A phishing campaign targeting Spanish-speaking victims has been distributing a new remote access trojan (RAT) called Poco RAT since at least February 2024. These attacks, primarily aimed at the mining, manufacturing, hospitality, and utilities sectors, have been identified by cybersecurity firm Cofense.

“The majority of the custom code in the malware appears to be focused on anti-analysis, communicating with its command-and-control center (C2), and downloading and running files with a limited focus on monitoring or harvesting credentials,” Cofense reported.

The infection process begins with phishing emails containing finance-themed lures that direct recipients to click on an embedded URL. This URL links to a 7-Zip archive file hosted on Google Drive. Other methods include using HTML or PDF files attached to the emails or downloadable via another Google Drive link. Threat actors exploit legitimate services like Google Drive to bypass secure email gateways (SEGs).


The HTML files associated with Poco RAT include a link that, when clicked, downloads the archive containing the malware executable. Cofense noted that this tactic is likely more effective than directly providing a URL to download the malware, as SEGs would only check the HTML file, which appears legitimate.

Similarly, the PDF files contain a Google Drive link leading to Poco RAT. Once executed, the Delphi-based malware establishes persistence on the infected Windows host and contacts a C2 server to deliver additional payloads. The name Poco RAT is derived from its use of the POCO C++ Libraries.
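The delivery chain described above (an HTML or PDF attachment whose only job is to carry a Google Drive link to the archive) is something a mail-filtering pipeline can check for before the user ever clicks. The following Python is an added defender-side example, not code from the original report or from Cofense; it extracts links from an HTML attachment (via the standard-library parser) and from the `/URI` entries of a PDF link annotation, then flags any that point at Google Drive. The sample HTML and PDF bytes are constructed, the file ids in them are placeholders, and the host list and reason labels are assumptions of this example.

```python
"""Flag e-mail attachments (HTML or PDF) that carry Google Drive download links.

Added example with constructed sample data; not Cofense's detection logic.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: an HTML lure whose link fetches an archive from Google Drive.
# The file id is a placeholder, not an indicator from the report.
SAMPLE_HTML = """<html><body>
<p>Factura pendiente, haga clic para ver el documento.</p>
<a href="https://drive.google.com/uc?export=download&amp;id=EXAMPLEFILEID123">Ver factura</a>
<a href="https://example.com/help">Ayuda</a>
</body></html>"""

# Constructed sample: the raw bytes of a PDF link annotation (a fragment, not a full PDF).
SAMPLE_PDF_BYTES = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://drive.google.com/file/d/EXAMPLEFILEID456/view) >> >>\nendobj\n"
)

# Assumed set of hosts that serve Google Drive content.
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}


class _LinkCollector(HTMLParser):
    """Collects href values of <a> tags; attribute entities are unescaped by HTMLParser."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_html_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


# Matches the URI string inside a PDF link action: /URI (https://...)
_PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_pdf_links(data):
    return [m.decode("latin-1", "replace") for m in _PDF_URI_RE.findall(data)]


def classify_link(url):
    """Return a reason label if the link is Drive-hosted, else None."""
    u = urlparse(url)
    if u.hostname not in DRIVE_HOSTS:
        return None
    qs = parse_qs(u.query)
    if qs.get("export") == ["download"]:
        return "google-drive-direct-download"   # uc?export=download&id=... pulls the file straight down
    if re.match(r"^/file/d/[^/]+", u.path) or "id" in qs:
        return "google-drive-file-share"        # share/view link to a specific file
    return "google-drive-link"


def scan_attachment(filename, data):
    """Return a list of (url, reason) for Drive links found in an attachment.

    `data` is str for HTML attachments and bytes for PDF attachments.
    """
    name = filename.lower()
    if name.endswith((".html", ".htm")):
        links = extract_html_links(data)
    elif name.endswith(".pdf"):
        links = extract_pdf_links(data)
    else:
        return []
    hits = []
    for url in links:
        reason = classify_link(url)
        if reason:
            hits.append((url, reason))
    return hits


if __name__ == "__main__":
    for fname, blob in (("factura.html", SAMPLE_HTML), ("factura.pdf", SAMPLE_PDF_BYTES)):
        for url, reason in scan_attachment(fname, blob):
            print(f"{fname}: {reason}: {url}")
```

A hit alone is not proof of malice, since Google Drive is widely used legitimately; the value is in combining it with the other signals the report mentions (a finance-themed lure, an archive as the linked file type, a small attachment whose only content is the link) and routing such messages to sandboxing or quarantine rather than relying on the gateway's verdict on the attachment itself.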

The use of Delphi suggests the campaign targets Latin America, a region often attacked by banking trojans written in this programming language. This connection is further supported by the fact that the C2 server does not respond to requests from infected computers outside the region.

This development coincides with an increase in malware authors using QR codes embedded in PDF files to direct users to phishing pages designed to steal Microsoft 365 login credentials. Additionally, there have been social engineering campaigns using deceptive sites advertising popular software to deliver malware like RATs and information stealers, such as AsyncRAT and RisePro.


Similar data theft attacks have targeted internet users in India with fake SMS messages claiming package delivery failures and prompting recipients to click on a link to update their details. This SMS phishing campaign, attributed to a Chinese-speaking group called Smishing Triad, uses compromised or purposefully registered Apple iCloud accounts (e.g., “fredyma514@hlh-web.de”) to send messages for financial fraud.

Resecurity noted that the actors registered domains impersonating India Post around June but were not actively using them until July. “The goal of this campaign is to steal massive amounts of personally identifiable information (PII) and payment data,” Resecurity said.
