CSE CybSec ZLAB releases Malware Analysis Report: Dark Caracal APT

Do Son February 14, 2018 3 minutes read
According to Security Affairs (February 12), researchers from CSE’s CybSec ZLAB analyzed a sample set from the Pallas malware family used by the Lebanese APT espionage group Dark Caracal in its hacking operations. The analysis showed that the malware is able to collect a large amount of sensitive data from the victim’s device and send it to the C&C server via an encrypted URL that is decrypted at runtime.

Dark Caracal has been active since 2012, but it was only recently recognized as a formidable threat in the online arena.

According to previous reports, a joint investigation by the Electronic Frontier Foundation (EFF) and the security company Lookout found that Dark Caracal, a surveillance and espionage group associated with the Lebanese General Security Agency, stole large amounts of data from Android phones and Windows PCs around the world, and that the Dark Caracal spyware platform was recently sold to several countries for monitoring purposes. According to the researchers, the group spread trojanized malware by producing large numbers of fake Android applications and by using social engineering, such as phishing emails or fake social network messages. Victims in 21 countries were affected, including journalists, military personnel and companies, and sensitive information (SMS, call history, archives, etc.) was stolen.

Dark Caracal Impact Area

Researchers said one of Dark Caracal’s most powerful campaigns, which began in the first months of last year, uses a series of trojanized Android applications designed to steal sensitive data from victims’ mobile devices. The Trojan injected into these applications is the one researchers have named Pallas.

So how, step by step, do the attackers steal data?

Attackers use “repackaging” to generate their malware samples: they start with a legitimate application, inject malicious code, and rebuild the APK. The target application generally belongs to a specific category, such as messaging apps (WhatsApp, Telegram, Primo), secure chat apps (Signal, Threema), or software related to secure browsing (Orbot, Psiphon).

Once the malware is built, the attackers use social engineering techniques, such as SMS, Facebook messages, or Facebook posts, to trick victims into downloading supposedly new and popular applications from a specific web address. Currently, these trojanized applications are hosted on the same URL.

Pictured – Dark Caracal Repository – Malicious site

Once a user’s device is infected, the attacker uses the malicious application to collect large amounts of data and send it to the C&C server through an encrypted URL that is decrypted at runtime.

The Trojan has the following specific capabilities:

– Read SMS messages
– Send text messages
– Record calls
– Read the call history
– Retrieve account and contact information
– Collect all stored media and send it to the C&C server
– Download and install additional malware
– Display a phishing window to attempt to steal credentials
– Retrieve a list of all devices connected to the same network

Read more

ZLAB Malware Analysis Report: Dark Caracal APT – The Pallas Family

Source: SecurityAffairs

Tags: Dark Caracal