S0399: Pallas
Pallas is mobile surveillanceware that was custom-developed by Dark Caracal.[1]
Analyst context for executives and security teams
Pallas matters because it represents Android mobile surveillanceware with relationships to data collection, discovery, sensor capture, location tracking, file deletion, and exfiltration over a command-and-control channel. For leaders, the practical issue is not just “mobile malware,” but whether corporate mobile devices, BYOD access, and executive or high-risk user phones generate enough evidence to investigate theft of contacts, SMS, call logs, audio, video, location, and stored application data.
Executive priority
Prioritize this behavior where Android devices are used for sensitive communications, privileged access, executive travel, regulated data handling, or operational coordination. The ATT&CK object has no official detection guidance, so leadership should ask whether mobile security, identity access decisions, incident response playbooks, and compliance evidence include mobile telemetry rather than relying only on endpoint and cloud logs.
Technical view
Pallas is listed as Android mobile surveillanceware custom-developed by Dark Caracal. ATT&CK relationships associate it with obfuscation, stored application data access, GUI input capture, software and system discovery, network connection discovery, audio/video capture, location tracking, file deletion, call log/contact/SMS collection, and exfiltration over a C2 channel. SOC and IR teams should validate visibility into Android application permissions, installed applications, device/network metadata, suspicious access to content providers, microphone/camera/location use, file deletion events where available, and outbound communications from managed mobile devices.
Likely telemetry
- Mobile device management or enterprise mobility inventory for Android devices, installed apps, OS versions, and configuration state
- Mobile threat defense or mobile EDR alerts for suspicious application behavior, obfuscation indicators, risky permissions, and anomalous sensor use
- Android application permission data, including microphone, camera, contacts, SMS, call log, location, and background location access where available
- Device network telemetry for outbound communications, unusual destinations, and C2-like patterns from mobile devices
- Logs or forensic artifacts showing access to stored application data, contacts, SMS, call logs, location, audio, video, or file deletion activity
Detection direction
- Because ATT&CK provides no official detection text for Pallas, start with behavior-based validation mapped to the related techniques rather than a single malware signature.
- Tune detections around unexpected combinations of Android permissions and behaviors, such as contact/SMS/call log access combined with location, microphone, camera, discovery, and outbound network activity.
- Validate whether mobile telemetry can distinguish legitimate enterprise apps from surveillance-like behavior; false positives are likely for apps that legitimately use location, audio, camera, contacts, or messaging permissions.
- Check blind spots for BYOD, unmanaged Android devices, devices outside MDM enrollment, limited mobile network visibility, and lack of retention for mobile security alerts.
- Use the Dark Caracal relationship as threat-intelligence context, but do not treat attribution as required for detection or incident scoping.
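The permission-combination tuning described above, as an added example that is not Glexia or MITRE code: it scores each Android package in an assumed MDM or mobile threat defense export by how many Pallas-like behaviour groups its granted permissions span (messaging data, location, microphone/camera, Wi-Fi discovery, network) and keeps allowlisted enterprise apps visible rather than silently skipped. The inventory and allowlist are constructed.

```python
# Added example (not Glexia or MITRE code): score Android packages from an
# MDM/MTD export by how many Pallas-like behaviour groups their granted
# permissions span. Inventory and allowlist below are constructed.

PERMISSION_GROUPS = {
    "messaging_data": {"android.permission.READ_CONTACTS",
                       "android.permission.READ_SMS",
                       "android.permission.RECEIVE_SMS",
                       "android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "sensors": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
    "discovery": {"android.permission.ACCESS_WIFI_STATE"},
    "network": {"android.permission.INTERNET"},
}

# Enterprise apps expected to hold broad permissions (assumed allowlist).
ALLOWLIST = {"com.example.corp.dialer"}


def score_app(permissions):
    """Return (score, groups): how many behaviour groups the app touches."""
    perms = set(permissions)
    groups = [g for g, needed in PERMISSION_GROUPS.items() if perms & needed]
    return len(groups), groups


def flag_surveillance_like(inventory, threshold=4):
    """Split packages spanning >= threshold groups into (flagged, allowlisted)."""
    flagged, allowlisted = [], []
    for package, permissions in inventory.items():
        score, groups = score_app(permissions)
        if score >= threshold:
            bucket = allowlisted if package in ALLOWLIST else flagged
            bucket.append((package, score, groups))
    return flagged, allowlisted


# Constructed sample inventory, not real telemetry.
SAMPLE_INVENTORY = {
    "com.example.weather": ["android.permission.INTERNET",
                            "android.permission.ACCESS_COARSE_LOCATION"],
    "com.example.corp.dialer": ["android.permission.INTERNET",
                                "android.permission.READ_CALL_LOG",
                                "android.permission.RECORD_AUDIO",
                                "android.permission.ACCESS_FINE_LOCATION"],
    "com.example.flashlight": ["android.permission.INTERNET",
                               "android.permission.READ_SMS",
                               "android.permission.CAMERA",
                               "android.permission.ACCESS_WIFI_STATE",
                               "android.permission.ACCESS_FINE_LOCATION"],
}
```

Run `flag_surveillance_like(SAMPLE_INVENTORY)` to see the flashlight app flagged at five groups while the corporate dialer lands in the allowlisted bucket for review; raise or lower `threshold` to trade false positives against coverage.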
Mitigation priorities
- Inventory Android devices that access business systems and identify which are managed, unmanaged, or BYOD.
- Enforce least-privilege mobile permissions and review applications requesting sensitive access to contacts, SMS, call logs, microphone, camera, and location.
- Use mobile device management and mobile security controls to restrict risky app installation sources, monitor device posture, and support remote investigation or containment.
- Tie mobile device compliance to identity access decisions for sensitive applications where feasible.
- Prepare IR procedures for mobile evidence preservation, user notification, credential review, and cloud/session revocation when surveillanceware behavior is suspected.
Analyst notes and limits
The most decision-relevant aspect of this object is the breadth of related mobile surveillance behaviors. It should be used to test whether the organization’s detection and response program has meaningful mobile coverage, especially for Android devices used by high-risk personnel.
The supplied ATT&CK object does not include official detection guidance, tactics, aliases, labels, or detailed Pallas implementation indicators. Any assessment of exposure, active exploitation, or detection coverage requires local device inventory, mobile telemetry, and incident evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1409 | Stored Application Data | Pallas retrieves messages and decryption keys for popular messaging applications and other accounts stored on the device. [1] |
| Mobile | T1417.002 | Input Capture: GUI Input Capture | Pallas uses phishing popups to harvest user credentials. [1] |
| Mobile | T1418 | Software Discovery | Pallas retrieves a list of all applications installed on the device. [1] |
| Mobile | T1406 | Obfuscated Files or Information | Pallas stores domain information and URL paths as hardcoded AES-encrypted, base64-encoded strings. [1] |
| Mobile | T1636.002 | Protected User Data: Call Log | Pallas accesses and exfiltrates the call log. [1] |
| Mobile | T1421 | System Network Connections Discovery | Pallas gathers and exfiltrates data about nearby Wi-Fi access points. [1] |
| Mobile | T1630.002 | Indicator Removal on Host: File Deletion | Pallas has the ability to delete attacker-specified files from compromised devices. [1] |
| Mobile | T1636.003 | Protected User Data: Contact List | Pallas accesses the device contact list. [1] |
| Mobile | T1426 | System Information Discovery | Pallas queries the device for metadata, such as device ID, OS version, and the number of cameras. [1] |
| Mobile | T1430 | Location Tracking | Pallas tracks the latitude and longitude coordinates of the infected device. [1] |
| Mobile | T1429 | Audio Capture | Pallas captures audio from the device microphone. [1] |
| Mobile | T1512 | Video Capture | Pallas can take pictures with both the front and rear-facing cameras. [1] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | Pallas captures and exfiltrates all SMS messages, including future messages as they are received. [1] |
| Mobile | T1646 | Exfiltration Over C2 Channel | Pallas exfiltrates data using HTTP. [1] |
Groups, software, and campaigns
G0070: Dark Caracal
Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 1d8f39569651… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Lookout Dark Caracal Jan 2018: Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. (open source URL)
- [2] Pallas (Citation: Lookout Dark Caracal Jan 2018)
- [3] mitre-attack S0399 (open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.