In recent months, there has been a noticeable surge in credential theft and remote access attacks, with cybercriminal groups deploying malware such as AllaKore RAT, SystemBC, and PureRAT across Latin America—particularly targeting organizations in Mexico.
Greedy Sponge: A Financially-Driven Threat Actor
According to Arctic Wolf Labs, a group known as Greedy Sponge has been actively targeting Mexican entities since early 2021. Their motivation appears to be financial, and their victims span multiple industries—including banking, transportation, retail, agriculture, and public services.
A key tool in their arsenal is a heavily modified version of AllaKore RAT, capable of exfiltrating banking credentials and unique authentication tokens back to their command-and-control (C2) servers. This allows the attackers to engage in financial fraud and potentially escalate their access.
The attack chain typically starts with phishing emails or malicious websites, which deliver rigged ZIP files containing legitimate-looking software that secretly installs the malware.
Malware Delivery and Evasion Tactics
Once executed, the malware often downloads additional payloads such as SystemBC, a SOCKS5 proxy that tunnels traffic between infected machines and attacker infrastructure. Over time, Greedy Sponge has refined its tactics, adding server-side geofencing so that the payload is served only to requests that geolocate to Mexico, which makes collection and analysis harder for researchers outside the region.
A recent variation of their attack distributes ZIP files such as “Actualiza_Policy_v01.zip”, which include:
- A legitimate Chrome proxy executable
- A trojanized Microsoft Installer (MSI) file that:
  - Deploys a .NET downloader
  - Connects to an external domain to download AllaKore RAT
  - Runs PowerShell scripts for cleanup and evasion

AllaKore RAT enables attackers to log keystrokes, take screenshots, upload/download files, and remotely control the infected system—providing persistent access to victim environments.
Not Just Mexico: Broader Regional Impact
This isn’t the first time AllaKore has been used in Latin America. In May 2024, researchers revealed a customized variant known as AllaSenha (aka CarnavalHeist) being used to target Brazilian banks, confirming the malware’s regional relevance.
Although Greedy Sponge lacks sophisticated techniques, their persistence and focused regional targeting suggest a successful and sustainable operation. Arctic Wolf highlights that the group has used the same infrastructure for over four years—a rare consistency in the threat landscape.
New Crypters and Payload Delivery: PureRAT and Hijack Loader
Another campaign identified in May 2025 by eSentire involved the PureRAT trojan, delivered using a new Crypter-as-a-Service called Ghost Crypt. Attackers used social engineering to impersonate a client and sent victims a malicious PDF linking to a Zoho WorkDrive folder with ZIP files.
What made this campaign stand out was the use of “process hypnosis injection”, in which the malicious DLL, encrypted by Ghost Crypt, was injected into a legitimate Windows process (csc.exe, the .NET C# compiler), bypassing Microsoft Defender Antivirus.
Ghost Crypt was first spotted on cybercrime forums in April 2025 and supports a wide range of malware, including Lumma, Rhadamanthys, StealC, BlueLoader, DCRat, and XWorm.

Hijack Loader and RedLine Infostealer
Parallel to this, researchers from Splunk have identified campaigns using Hijack Loader (also known as IDAT Loader) in combination with RedLine, a well-known credential-stealing malware. The loaders are distributed via Inno Setup installers, which use embedded Pascal scripts to fetch and execute payloads. This method resembles tactics previously seen in D3F@ck Loader campaigns.
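Both campaigns above deliver their loader inside an installer that arrives in a ZIP: the Greedy Sponge lure pairs a decoy executable with a trojanized MSI, and the Hijack Loader campaign ships an Inno Setup installer. A first triage step for such an archive is to classify each member by its header bytes rather than its name, and flag executable content, type/extension mismatches and Inno Setup-built installers. The script below is an added example, not code from the article or from any of the researchers it cites; the archive it inspects is constructed in memory (the member names and bytes are made up, and the MSI is a bare OLE compound header, not a real package), so it runs offline.

```python
import hashlib
import io
import zipfile

# Header bytes for the container types seen in these lures.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # Compound File Binary: MSI packages use this container
MZ_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
INNO_MARKER = b"Inno Setup Setup Data"            # string carried by installers built with Inno Setup

EXEC_EXTS = {".exe", ".dll", ".scr", ".msi", ".ps1", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}
# Extensions that are consistent with each detected container type.
KIND_EXTS = {
    "pe": {".exe", ".dll", ".scr"},
    "pe-inno-setup": {".exe"},
    "ole-compound": {".msi", ".msp", ".doc", ".xls", ".ppt"},
    "zip": {".zip", ".jar", ".docx", ".xlsx", ".pptx"},
}


def identify(data: bytes) -> str:
    """Classify a blob by its header rather than by its file name."""
    if data.startswith(OLE_MAGIC):
        return "ole-compound"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(MZ_MAGIC) and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature; verify it so
        # that text which merely begins with "MZ" is not reported as an executable.
        off = int.from_bytes(data[0x3C:0x40], "little")
        if data[off:off + 4] == b"PE\x00\x00":
            return "pe-inno-setup" if INNO_MARKER in data else "pe"
    return "unknown"


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member: name, size, sha256, detected kind, flags."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            kind = identify(data)
            ext = _ext(info.filename)
            flags = []
            if ext in EXEC_EXTS:
                flags.append("executable-extension")
            if kind in KIND_EXTS and ext not in KIND_EXTS[kind]:
                flags.append("type/extension mismatch")   # e.g. a PE named *.pdf
            if kind == "pe-inno-setup":
                flags.append("inno-setup-installer")
            if kind == "zip":
                flags.append("nested-archive")
            if info.filename.count(".") > 1 and ext in EXEC_EXTS:
                flags.append("double-extension")          # heuristic: "informe.pdf.exe"
            findings.append({"name": info.filename, "size": len(data), "kind": kind,
                             "sha256": hashlib.sha256(data).hexdigest(), "flags": flags})
    return findings


def suspicious(findings: list[dict]) -> list[str]:
    """Names of members that raised at least one flag, sorted for stable output."""
    return sorted(f["name"] for f in findings if f["flags"])


def _fake_pe(extra: bytes = b"") -> bytes:
    """Minimal constructed PE stub: DOS header with e_lfanew = 0x40, then 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[0:2] = MZ_MAGIC
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + extra


def build_sample_zip() -> bytes:
    """Constructed stand-in for a lure archive; names and contents are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("chrome_proxy.exe", _fake_pe(b"\x00" * 64))           # decoy: plain PE
        zf.writestr("Actualiza_Policy_v01.msi", OLE_MAGIC + b"\x00" * 504)  # installer package
        zf.writestr("setup.exe", _fake_pe(b"\x00" * 16 + INNO_MARKER))    # Inno Setup-built installer
        zf.writestr("informe.pdf", _fake_pe(b"\x00" * 32))               # PE hiding behind .pdf
        zf.writestr("leeme.txt", MZ_MAGIC + b"x" * 70)                    # text starting with MZ, not a PE
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f"{f['name']:28} {f['kind']:14} {f['size']:6}  {', '.join(f['flags']) or '-'}")
```

The type check deliberately trusts the header over the name: the decoy Chrome proxy binary and the MSI are what they claim to be and are flagged only for being executable content, whereas a PE renamed to .pdf is reported as a mismatch even though its extension looks harmless. On a real archive, the SHA-256 values in the findings are what you would pivot on when searching endpoint telemetry or sandbox reports.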
Final Thoughts
These recent campaigns reflect a disturbing trend: increased sophistication in malware delivery, deeper regional targeting, and a growing ecosystem of crimeware-as-a-service tools. Organizations—especially those operating in Mexico and Latin America—should remain vigilant, educate their employees about phishing, and ensure that endpoint protection and detection tools are up to date.
If you’re looking to strengthen your organization’s defenses, our team can help implement real-time observability, endpoint protection, and advanced threat detection solutions tailored to your needs.
Source: https://thehackernews.com/2025/07/credential-theft-and-remote-access.html