Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC
WHITE | PetrP.73 | Created: 2025-07-20 | Modified: 2025-08-19 | 102 IOCs
Arctic Wolf Labs has identified a financially motivated threat group dubbed Greedy Sponge, which has been active since early 2021, primarily targeting Mexican organizations. This group employs modified versions of the AllaKore RAT and SystemBC malware, focusing on financial fraud. The AllaKore RAT has been significantly altered to capture banking credentials and unique authentication data, enabling the attackers to exfiltrate sensitive information to their command-and-control (C2) server. The recent campaigns include deploying custom installers that contain the modified RAT and utilizing SystemBC as a secondary tool for further exploitation. Greedy Sponge's operational tactics have evolved, particularly since mid-2024, with enhancements in geofencing methods that restrict their activities to the Mexican region. Previously, geofencing checks were performed at the initial stage using a .NET downloader, but these checks have now been moved server-side to complicate detection efforts.
Indicators of Compromise (15 / 102 total)