
Since at least February 2024, Spanish-language victims have been the target of an email phishing campaign delivering a new remote access trojan (RAT) known as Poco RAT.

According to cybersecurity company Cofense, the attacks are mostly targeting the mining, manufacturing, hospitality, and utility industries.

“The majority of the custom code in the malware appears to be focused on anti-analysis, communicating with its command-and-control center (C2), and downloading and running files with a limited focus on monitoring or harvesting credentials,” the researchers reported.

Infection chains begin with phishing emails carrying financial lures that deceive recipients into clicking an embedded URL pointing to a 7-Zip archive hosted on Google Drive.


Other observed techniques include attaching HTML or PDF files directly to emails or delivering them via an embedded Google Drive link. Threat actors' misuse of legitimate services is not a new phenomenon; it helps them evade secure email gateways (SEGs).

The HTML files that spread Poco RAT, in turn, contain a link that, when clicked, downloads the archive containing the malware executable.

“This tactic would likely be more effective than simply providing a URL to directly download the malware as any SEGs that would explore the embedded URL would only download and check the HTML file, which would appear to be legitimate,” according to Cofense.

The PDF files are no different, since they also provide a Google Drive link to Poco RAT.
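The two-stage delivery described above (a benign-looking HTML or PDF attachment whose embedded link fetches the archive) is what a gateway that only inspects the attachment misses. The following triage check, an added example and not code from Cofense or this article, extracts the links from an HTML attachment and flags those pointing at a file-sharing host or directly at an archive; the host list, extension list and sample attachment are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Google Drive is the host named in the campaign; the extension list is an
# assumption covering common archive formats (7-Zip is the one reported).
FILE_SHARING_HOSTS = {"drive.google.com", "docs.google.com"}
ARCHIVE_EXTS = (".7z", ".zip", ".rar")


class _LinkExtractor(HTMLParser):
    """Collects link targets from <a href> and <form action> attributes."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and ((tag == "a" and name == "href") or name == "action"):
                self.links.append(value)


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def triage_html_attachment(html):
    """Return (url, reason) pairs for links a mail-security analyst should review."""
    findings = []
    for url in extract_links(html):
        match = re.match(r"https?://([^/:]+)", url, re.IGNORECASE)
        host = match.group(1).lower() if match else ""
        path = url.split("?", 1)[0].lower()  # drop query string before checking extension
        if host in FILE_SHARING_HOSTS:
            findings.append((url, "link to file-sharing host"))
        elif path.endswith(ARCHIVE_EXTS):
            findings.append((url, "direct archive download"))
    return findings


# Constructed sample attachment mimicking a Spanish-language invoice lure.
SAMPLE_HTML = """<html><body>
<p>Factura pendiente de pago</p>
<a href="https://drive.google.com/file/d/EXAMPLEID/view">Descargar factura</a>
<a href="https://cdn.example.net/files/factura.7z">Copia</a>
<a href="https://www.example.com/about">Acerca de</a>
</body></html>"""

if __name__ == "__main__":
    for url, reason in triage_html_attachment(SAMPLE_HTML):
        print(f"{reason}: {url}")
```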

Once launched, the Delphi-based malware creates persistence on the infected Windows host and communicates with a C2 server to distribute more payloads. Its moniker comes from its use of the POCO C++ Libraries.

The usage of Delphi indicates that the campaign’s undisclosed threat actors are focusing on Latin America, a region previously targeted by banking trojans written in this programming language.

This connection is further supported by the fact that the C2 server does not respond to queries from infected computers not geolocated in the region.

This development comes as malware authors increasingly use QR codes included in PDF files to lure users into visiting phishing pages aimed at stealing Microsoft 365 login credentials.

Researchers also track social engineering attempts that use fraudulent websites promoting popular products to distribute malware such as RATs and information stealers like AsyncRAT and RisePro.

Similar data theft operations have targeted internet users in India, with fake SMS messages claiming package delivery problems and urging recipients to click on a provided link to update their information.

The SMS phishing effort has been traced to Smishing Triad, a Chinese-speaking threat actor with a history of sending smishing messages from hijacked or purposely registered Apple iCloud accounts (e.g., “[email protected]”) to commit financial fraud.

“The actors registered domain names impersonating the India Post around June but were not actively using them, likely preparing for large-scale activity, which became visible by July,” Resecurity told reporters. “The goal of this campaign is to steal massive amounts of personally identifiable information (PII) and payment data.”
