← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC.
WHITE PetrP.73 2025-07-20 Modified: 2025-08-19
102
IOCs
HIGH VOLUME
Arctic Wolf Labs has identified a financially motivated threat group dubbed Greedy Sponge, which has been active since early 2021, primarily targeting Mexican organizations. This group employs modified versions of the AllaKore RAT and SystemBC malware, focusing on financial fraud. The AllaKore RAT has been significantly altered to capture banking credentials and unique authentication data, enabling the attackers to exfiltrate sensitive information to their command-and-control (C2) server. The recent campaigns include deploying custom installers that contain the modified RAT and utilizing SystemBC as a secondary tool for further exploitation. Greedy Sponge's operational tactics have evolved, particularly since mid-2024, with enhancements in geofencing methods that restrict their activities to the Mexican region. Previously, geofencing checks were performed at the initial stage using a .NET downloader, but these checks have now been moved server-side to complicate detection efforts.
greedy spongeallakore ratarctic wolfmexicoallakore c2systembcallakoredefense evasionlabschromewolfspongebobinstalldelphicylancefebruaryinstallerpowershellexecution
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
Indicators of Compromise (102)
All CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL YARA domain
TYPEINDICATORDESCRIPTIONCREATED
CVE CVE-2025-20337 2025-07-20
CVE CVE-2025-5777 2025-07-20
FileHash-MD5 058bde7b3385b70d59120b24390377af MD5 of 4bf4bcf1cc45d9e50efbd184aad827e2c81f900a53961cf4fbea90fa31ca7549 2025-07-20
FileHash-MD5 09096930751d28d388d3e0de003bcb7b MD5 of e4a6be2fb70603f1545641240680b44e21b5601e8016c0d144711423eef9778e 2025-07-20
FileHash-MD5 35932f5856dbf8ba51e048b3b2bb2d7b 2025-07-20
FileHash-MD5 42300099a726353abfddbfdd5773de83 2025-07-20
FileHash-MD5 47ead282cd7c6a667d9b4cc9b0c6935e MD5 of 65fc84ffd9be05720b700292b7dbc0ac8afa7faaadf6fcd4485ce34785ba0932 2025-07-20
FileHash-MD5 59c6ae6bbe3d048d267d4900c9585828 MD5 of a8abffa5d7259a94951d96ad3d60e8910927b5d0697f8edece2e295154e00832 2025-07-20
FileHash-MD5 63a5bc24837a392bc56de93b28c7d011 MD5 of c9319b60fdde49e0b7cc4cdad7525643456420c4532a6cc2ae38672842eb48ed 2025-07-20
FileHash-MD5 750a33531763724e8db051750a08cf99 MD5 of 8634988a90e69d8e657f72cf5f599176be5854448e0544abc42eb49b0c245f0c 2025-07-20
FileHash-MD5 aa8b32b21dcf44a332f9c9d13af3cd7d MD5 of 3b0772608844821555bb90e0218972f89f421dad9b1f7bd1918de26a929e998f 2025-07-20
FileHash-MD5 ac2fa680544b1b1e452753b78b460a59 2025-07-20
FileHash-MD5 ac69851a5144e0eb28923ca2e3b8cbe2 MD5 of d8343068669d8fbb52b0af87bd3d4f3579d76192d021b37b6fd236b0973e4a5d 2025-07-20
FileHash-MD5 b90a102fccedad57b06dc8fb6a58895b MD5 of 32ef3a0da762bc88afb876537809350a885bbbc3ec59b1838e9e9ccc0a04b081 2025-07-20
FileHash-MD5 bd3782580c0ddbda2288b2d5d5a72258 MD5 of f5adef8c202e62125be49f748ed3b30b34e0fb2c9539c805dd96a75a26c7ddc4 2025-07-20
FileHash-MD5 df9b2ff8bd9164ae0f2c802c555d2c4f MD5 of f76b456cf2af1382325c704bf70b5168d28d30da0f3d0a5207901277e01db395 2025-07-20
FileHash-MD5 e78fa70b0e38c7c8c29048cebba2dd74 MD5 of bd299b5e3d7645b10286410f98f6ec79d803ce2b977c61e49f2dc26285823c99 2025-07-20
FileHash-SHA1 25bab55bf08f9a2a3060bbd5a3313816c6d0ad8c SHA1 of d8343068669d8fbb52b0af87bd3d4f3579d76192d021b37b6fd236b0973e4a5d 2025-07-20
FileHash-SHA1 379a4288dc5dd66bc1d9b50d7008eca1e71b8fdf SHA1 of bd299b5e3d7645b10286410f98f6ec79d803ce2b977c61e49f2dc26285823c99 2025-07-20
FileHash-SHA1 4168a649e09e85aab7c07de99a53c24990562d80 SHA1 of a8abffa5d7259a94951d96ad3d60e8910927b5d0697f8edece2e295154e00832 2025-07-20
FileHash-SHA1 4fb30655039867989a5db2a2d56e41950b41761c SHA1 of 4bf4bcf1cc45d9e50efbd184aad827e2c81f900a53961cf4fbea90fa31ca7549 2025-07-20
FileHash-SHA1 57ea5bc924cd3eb727cde351cabe608f62517872 SHA1 of 65fc84ffd9be05720b700292b7dbc0ac8afa7faaadf6fcd4485ce34785ba0932 2025-07-20
FileHash-SHA1 632504b6f0b8ce84f044d794520e5afb7f0842f9 SHA1 of f5adef8c202e62125be49f748ed3b30b34e0fb2c9539c805dd96a75a26c7ddc4 2025-07-20
FileHash-SHA1 915592d3a7282f484a1bb1c87524241572e0ded7 SHA1 of 3b0772608844821555bb90e0218972f89f421dad9b1f7bd1918de26a929e998f 2025-07-20
FileHash-SHA1 976801a4e902758d5c96f117037af0e03c59ccdf SHA1 of 32ef3a0da762bc88afb876537809350a885bbbc3ec59b1838e9e9ccc0a04b081 2025-07-20
FileHash-SHA1 b4ca022d0fbffd82dab3c77bbe24a3a961063d38 SHA1 of 8634988a90e69d8e657f72cf5f599176be5854448e0544abc42eb49b0c245f0c 2025-07-20
FileHash-SHA1 c7d5ce5e35a44ec2f09f74a3f3a0be742f23dba7 SHA1 of e4a6be2fb70603f1545641240680b44e21b5601e8016c0d144711423eef9778e 2025-07-20
FileHash-SHA1 d6fd1182628b2ba45acedb67b8b318b8fbae6928 SHA1 of c9319b60fdde49e0b7cc4cdad7525643456420c4532a6cc2ae38672842eb48ed 2025-07-20
FileHash-SHA1 e3c6532c3baf9046fe57f7971cdaeff77c6dbe83 SHA1 of f76b456cf2af1382325c704bf70b5168d28d30da0f3d0a5207901277e01db395 2025-07-20
FileHash-SHA256 0dbaf8970c0620e1b5902fd87c1cd0e72e917c45add84a024338c0481b5e161c 2025-07-20
FileHash-SHA256 12557dcf9c9a609521d7a2cc84a7e6fb95a93957aed6bda0f9644e96dfbbc180 2025-07-20
FileHash-SHA256 20fe630a63dd1741ec4ade9fe05b2e7e57208f776d5e20bbf0a012fea96ad0c0 2025-07-20
FileHash-SHA256 21614973732d4012889da2e1538b20fd1c0aefdb1d1452d79fd9a1bc06d569da 2025-07-20
FileHash-SHA256 32ef3a0da762bc88afb876537809350a885bbbc3ec59b1838e9e9ccc0a04b081 2025-07-20
FileHash-SHA256 34e347d1c9ce80b4e2b77f2de5aa7b4d98084704896bd169338c6d4b440e16c3 2025-07-20
FileHash-SHA256 3729396b11c69c60f9d096ce726f4cc5b4ed2054d89f7d195e998456de7fb229 2025-07-20
FileHash-SHA256 3b0772608844821555bb90e0218972f89f421dad9b1f7bd1918de26a929e998f 2025-07-20
FileHash-SHA256 4bf4bcf1cc45d9e50efbd184aad827e2c81f900a53961cf4fbea90fa31ca7549 2025-07-20
FileHash-SHA256 4f08865b1bdcc0e27e34bbd722279de661c92ce9aafb9fced1b5de1275887486 2025-07-20
FileHash-SHA256 50e5cd438024b34ba638e170f6e4595b0361dedb0ea925d06d06f68988468ddf 2025-07-20
FileHash-SHA256 53b85d1b7127c365a4ebae5f22ed479cd5d7e9efc716fb9df68ebdd18551834a 2025-07-20
FileHash-SHA256 544091acb5807aaac32ca4843bb85c4aa7ce0ab0acda296efa1a23fe3c181b7e 2025-07-20
FileHash-SHA256 5b51d1682cbd40cc6eca23333554ab16b7ed4bbd727712b3a00b07c24e629863 2025-07-20
FileHash-SHA256 5d16547900119112c12a755e099bed1fafe1890869df4db297a6a21ec40185b0 2025-07-20
FileHash-SHA256 65fc84ffd9be05720b700292b7dbc0ac8afa7faaadf6fcd4485ce34785ba0932 2025-07-20
FileHash-SHA256 681b15a43925e02d7f4f0c9e554e8d73e230931ce6634f49dd5b204afd03d20c 2025-07-20
FileHash-SHA256 73a46441a7135296d1070f5905a5cb6453ea8511a99a3b9c76060069aa7abcef 2025-07-20
FileHash-SHA256 79a5ac15d0de66df3dd00a4148aa76dc183ebf47553fbcc5355f4902dc981267 2025-07-20
FileHash-SHA256 84b046a4dbfcd9d4b2d62b4bc8faaf4c6395696f1e688f464bc9e0b760885263 2025-07-20
FileHash-SHA256 8634988a90e69d8e657f72cf5f599176be5854448e0544abc42eb49b0c245f0c 2025-07-20
FileHash-SHA256 8bf0d693033a761843ae20c7e118c05f851230cb95058f836ffe2b51770f788a 2025-07-20
FileHash-SHA256 9170503615e4d2cf1d67f0935ded3ce36a984247ae7f9ab406d81ebe1daf3604 2025-07-20
FileHash-SHA256 974c221c75c35d03dd2158d1d1a0a72a7ae85a6f7c1c729977f3676f946758ee 2025-07-20
FileHash-SHA256 a83f218d9dbb05c1808a71c75f3535551b67d41da6bb027ac0972597a1fc49fe 2025-07-20
FileHash-SHA256 a8abffa5d7259a94951d96ad3d60e8910927b5d0697f8edece2e295154e00832 2025-07-20
FileHash-SHA256 b9bb43b725a454e826ab64fdd6256af809c60119dab2876d081b3721d226c672 2025-07-20
FileHash-SHA256 bb3f433799c30a8aad5257abc2df479ecad058f6099fd89fb8e7c278dfe3be45 2025-07-20
FileHash-SHA256 bd299b5e3d7645b10286410f98f6ec79d803ce2b977c61e49f2dc26285823c99 2025-07-20
FileHash-SHA256 c33723a6c0ece4f790396f5fd5133cf384143736e6acd06e1d7642c04757bbae 2025-07-20
FileHash-SHA256 c3e7089e47e5c9fc896214bc44d35608854cd5fa70ae5c19aadb0748c6b353d6 2025-07-20
FileHash-SHA256 c9319b60fdde49e0b7cc4cdad7525643456420c4532a6cc2ae38672842eb48ed 2025-07-20
FileHash-SHA256 d8343068669d8fbb52b0af87bd3d4f3579d76192d021b37b6fd236b0973e4a5d 2025-07-20
FileHash-SHA256 dc409e9fa8b8c031c347d9c36f5732ea03e246c29d73e3425e4e8aaa1da6ff7c 2025-07-20
FileHash-SHA256 dcfa26a38a5af8a072104854fba1b7c0aa9ec99875d35dbd623c12932df44969 2025-07-20
FileHash-SHA256 e4a6be2fb70603f1545641240680b44e21b5601e8016c0d144711423eef9778e 2025-07-20
FileHash-SHA256 e848a0f1900e2f0be9ed1ea8e947ae3bae14e78f3ff81c02d8e5a54353cdbac8 2025-07-20
FileHash-SHA256 e9b9cdb713bfea40e13acffbe90faa536df206675819035835ce9218365cd118 2025-07-20
FileHash-SHA256 e9cd7c4db074c8e7c6b488a724be1cd05c8536dae28674ce3aa48ebb258e3c31 2025-07-20
FileHash-SHA256 f5adef8c202e62125be49f748ed3b30b34e0fb2c9539c805dd96a75a26c7ddc4 2025-07-20
FileHash-SHA256 f76b456cf2af1382325c704bf70b5168d28d30da0f3d0a5207901277e01db395 2025-07-20
FileHash-SHA256 fed1c094280d1361e8a9aafdb4c1b3e63e0f2e5bb549d5d737d0a33f2b63b4b8 2025-07-20
URL http://1.1.0.0 2025-07-20
URL http://142.11.199.35/pnp.exe 2025-07-20
URL http://masamadreartesanal.com/tag/ss.exe 2025-07-20
URL https://manzisuape.com/amw/ 2025-07-20
URL https://manzisuape.com/ao/190.exe 2025-07-20
URL https://masamadreartesanal.com/tag/ss.exe 2025-07-20
YARA 1e96a1c36ded88ea3f6aa6b6c260786f73455c10 Locates unique strings to the Greedy Sponge .NET downloaders. 2025-07-20
YARA 7ea3fc2ad4b9c7108cb3b1efc9d94b87dc032c12 Find custom function names and prefixes in Greedy Sponge allakore variant. 2025-07-20
domain arimateas.com 2025-07-20
domain barrosuon.com 2025-07-20
domain capitolioeventos.com 2025-07-20
domain chuacheneguer.com 2025-07-20
domain cleanmades.com 2025-07-20
domain cupertujo.com 2025-07-20
domain elitesubmissions.com 2025-07-20
domain flapawer.com 2025-07-20
domain glossovers.com 2025-07-20
domain idaculipa.com 2025-07-20
domain inmobiliariaarte.com 2025-07-20
domain kalichepa.com 2025-07-20
domain logisticasmata.com 2025-07-20
domain manzisuape.com 2025-07-20
domain masamadreartesanal.com 2025-07-20
domain mepunico.com 2025-07-20
domain metritono.com 2025-07-20
domain mx-terrasabvia.com 2025-07-20
domain pachisuave.com 2025-07-20
domain pasaaportes-citas-srre-gob.com 2025-07-20
domain siperasul.com 2025-07-20
domain tlelmeuas.com 2025-07-20
domain trenipono.com 2025-07-20
References (1)
↗ https://arcticwolf.com/resources/blog/greedy-sponge-targets-mexico-with-allakore-rat-and-systembc/