G0070: Dark Caracal
Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. [1]
Analyst context for executives and security teams
Dark Caracal is an ATT&CK group entry for a long-running threat group, reported since at least 2012 and attributed in the cited source to the Lebanese General Directorate of General Security. Its ATT&CK relationships matter defensively because they span surveillance tooling and RAT activity across enterprise and mobile contexts, including FinFisher, Bandook, CrossRAT, and Pallas, plus behaviors such as phishing via services, drive-by compromise, malicious files, command shell execution, persistence through Run keys or Startup folders, discovery, local data collection, screen capture, obfuscation, and web-protocol command and control. For leaders, the practical question is not whether this specific group is targeting the organization, but whether controls and telemetry can withstand targete
Executive priority
Prioritize this as a readiness lens for espionage and surveillance-driven intrusion scenarios. The relationship set highlights business risks around sensitive data exposure, executive and employee device monitoring, legal/regulatory evidence preservation, and incident response decisions when activity may cross Windows, macOS, Linux, Android, and mobile-network visibility. Security leaders should ask whether SOC coverage includes third-party service phishing, browser/drive-by exposure, suspicious files such as CHM or packed/encoded payloads, endpoint persistence, local data access, screenshots, and unusual outbound web communications. Because the group object has no official detection text and no specified group-level platforms or tactics, investment decisions should be based on mapped techniques and local risk exposure rather than assumptions about current targeting.
Technical view
Validate coverage against the related software and techniques rather than the group name alone. Enterprise-focused checks should include detection for malicious file execution, CHM abuse, Windows command shell use, Registry Run Key or Startup Folder persistence, file and directory discovery, local data collection, screen capture behavior, packed or encoded executables, and HTTP/S-like command-and-control patterns. Mobile-focused checks should consider Android surveillanceware context from Pallas and FinFisher relationships, especially web-protocol communications from mobile devices where telemetry exists. IR teams should be prepared to correlate endpoint process, file, registry, network, browser, mobile-device, and identity/provider logs, since the mapped initial-access techniques include spearphishing via third-party services and drive-by compromise rather than only enterprise email delivery.
Likely telemetry
- Endpoint process creation and command-line logs, especially cmd.exe and script or helper process chains
- File creation, download, execution, archive/packing indicators, encoded or encrypted file artifacts, and CHM file handling
- Windows Registry Run Key and Startup Folder modification events
- EDR or OS telemetry for file and directory enumeration, local data access, and screenshot or screen-capture API/tool use
- Proxy, DNS, firewall, TLS, and web gateway logs for unusual HTTP/S or web-protocol command-and-control patterns
Detection direction
- Do not rely on group-name indicators alone; map detections to the related ATT&CK techniques and software behaviors.
- Tune phishing detection beyond enterprise email, because the related technique includes spearphishing through third-party services that may not appear in mail gateway logs.
- Review visibility for drive-by compromise paths, including browser events, web gateway logs, and endpoint follow-on execution after web activity.
- Correlate suspicious file execution with obfuscation indicators, such as packed binaries, encoded content, or CHM-based execution, to reduce dependence on static signatures.
- Baseline legitimate administrative command shell use and Registry Run Key changes to reduce false positives while preserving alerting on unusual user-context persistence.
Mitigation priorities
- Sequence controls around likely entry and execution paths first: user-awareness and reporting processes for targeted social engineering, restrictions on risky file types where appropriate, and browser/web controls for drive-by exposure.
- Harden endpoints against user-driven execution and persistence by controlling scriptable/legacy file handling, monitoring or restricting CHM execution where feasible, and auditing Run Key/Startup Folder changes.
- Maintain endpoint detection and response coverage capable of process, file, registry, and network correlation across relevant operating systems in the environment.
- Strengthen egress monitoring and proxy/DNS logging for web-protocol command-and-control detection, while recognizing that HTTP/S blending requires behavioral context.
- For mobile risk, validate MDM/mobile threat defense enrollment, Android application governance, and incident handling procedures for suspected surveillanceware on managed or executive devices.
Analyst notes and limits
The strongest decision value in this object comes from its relationships. Dark Caracal is linked to surveillance and RAT software including FinFisher, Bandook, CrossRAT, and Pallas, and to techniques covering initial access, execution, persistence, defense evasion, discovery, collection, and command and control. This supports a cross-domain readiness review for targeted surveillance activity, especially where executives, legal teams, government-adjacent operations, regulated data, or mobile devices are important to the business.
The supplied group object does not specify platforms, tactics, labels, or official detection guidance. Relationship descriptions are partly truncated in the supplied context, and the presence of a relationship does not prove current targeting or exposure in any local environment. Detection and mitigation recommendations therefore remain technique-oriented and require validation against local assets, telemetry, mobile management coverage, and business risk.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Dark Caracal has used macros in Word documents that would download a second stage if executed. [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Dark Caracal's version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string "&&&". [1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | Dark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it. [1] |
| Enterprise | T1027.002 | Software Packing Sub-technique | Dark Caracal has used UPX to pack Bandook. [1] |
| Enterprise | T1218.001 | Compiled HTML File Sub-technique | Dark Caracal leveraged a compiled HTML file that contained a command to download and run an executable. [1] |
| Enterprise | T1189 | Drive-by Compromise | Dark Caracal leveraged a watering hole to serve up malicious code. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Dark Caracal's version of Bandook adds a registry key to |
| Enterprise | T1083 | File and Directory Discovery | Dark Caracal collected file listings of all default Windows directories. [1] |
| Enterprise | T1566.003 | Spearphishing via Service Sub-technique | Dark Caracal spearphished victims via Facebook and WhatsApp. [1] |
| Enterprise | T1005 | Data from Local System | Dark Caracal collected complete contents of the 'Pictures' folder from compromised Windows systems. [1] |
| Enterprise | T1113 | Screen Capture | Dark Caracal took screenshots using their Windows malware. [1] |
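The T1071.001 row above gives a concrete, behavior-based indicator for the egress monitoring recommended under "Detection direction": Bandook's HTTP payloads are Base64 encoded and end with the literal "&&&". The check below is an added example, not code from the page or from any vendor; it runs over constructed HTTP body records (not real captures) and flags bodies that fit that shape so analysts can pivot from proxy or IDS payload logs rather than from static signatures.

```python
import base64
import binascii
import re

# Bandook C2 as mapped for Dark Caracal (ATT&CK T1071.001): HTTP payload =
# Base64 text followed by the literal suffix "&&&".
SUFFIX = "&&&"
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_bandook_payload(body: str, min_len: int = 12) -> bool:
    """True if an HTTP body is well-formed Base64 immediately followed by '&&&'.

    min_len discards very short bodies that could match by chance.
    """
    if not body.endswith(SUFFIX):
        return False
    encoded = body[: -len(SUFFIX)]
    if len(encoded) < min_len or len(encoded) % 4 != 0 or not B64_RE.match(encoded):
        return False
    try:
        base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def decode_payload(body: str):
    """Return the decoded bytes for a matching body (for analyst triage), else None."""
    if not looks_like_bandook_payload(body):
        return None
    return base64.b64decode(body[: -len(SUFFIX)], validate=True)


# Constructed sample records (hypothetical proxy/IDS body captures, not real traffic).
SAMPLE_RECORDS = [
    {"id": "r1", "dst": "203.0.113.10:8080", "body": "aGVsbG8gd29ybGQ=&&&"},   # matches
    {"id": "r2", "dst": "198.51.100.7:443", "body": "user=alice&action=login"},  # normal form post
    {"id": "r3", "dst": "203.0.113.10:8080", "body": "dGVzdDEyMzQ=&&&"},       # matches
    {"id": "r4", "dst": "192.0.2.22:80", "body": "status=ok&&&"},               # suffix only, not Base64
    {"id": "r5", "dst": "203.0.113.10:8080", "body": "aGVsbG8gd29ybGQ="},       # Base64 without suffix
]


def flag_records(records):
    """Return the ids of records whose body matches the Bandook payload shape."""
    return [r["id"] for r in records if looks_like_bandook_payload(r["body"])]


if __name__ == "__main__":
    for rid in flag_records(SAMPLE_RECORDS):
        print(rid, "flagged; decoded:", decode_payload(next(r["body"] for r in SAMPLE_RECORDS if r["id"] == rid)))
```

Because "&&&" also appears in legitimate query strings, treat a match as a pivot point to correlate with destination, process, and persistence telemetry rather than as a standalone alert.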
Groups, software, and campaigns
S0182: FinFisher
FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. [1] [2] [3] [4] [5]
S0235: CrossRAT
CrossRAT is a cross-platform RAT.
S0234: Bandook
Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. Bandook has been used by Dark Caracal, as well as in a separate campaign referred to as "Operation Manul".[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | 58ef4b46fa30… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Lookout Dark Caracal Jan 2018: Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
[2] Dark Caracal (Citation: Lookout Dark Caracal Jan 2018)
[3] mitre-attack G0070
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.