Greedy Sponge Group Deploys Modified AllaKore RAT in Mexico

Greedy Sponge Continues Targeted Cyberattacks on Mexican Organizations Using Advanced Malware and Evasion Techniques

  • Mexican organizations continue to face threats from a hacking group named Greedy Sponge, which uses modified malware in targeted attacks.
  • The group deploys a customized AllaKore RAT and SystemBC to steal banking credentials and support financial fraud.
  • Attacks are carried out using phishing emails and compromised websites, leading to malicious ZIP files that infect targets.
  • Recent campaigns use advanced measures like regional access restrictions and proxy malware to hide activities and block analysis.
  • Other malware threats, such as PureRAT and Neptune RAT, also use creative techniques like encrypted payloads and process injection to bypass security measures.

Mexican businesses and government sectors have been targeted since 2021 by a financially driven hacking group known as Greedy Sponge. The group carries out cyberattacks using modified versions of AllaKore RAT and SystemBC malware, aiming to steal banking credentials and conduct fraud.

According to Arctic Wolf Labs, these attacks focus on a broad range of sectors, including retail, manufacturing, public services, and banking. The AllaKore RAT has been heavily changed to send specific banking data and authentication information to servers controlled by the attackers. “The AllaKore RAT payload has been heavily modified to enable the threat actors to send select banking credentials and unique authentication information back to their command-and-control (C2) server, for the purpose of conducting financial fraud,” Arctic Wolf stated in a recent analysis.

Initial infection commonly starts through targeted phishing emails or drive-by website attacks that distribute infected ZIP archives. Inside are legitimate-looking files alongside a disguised installer, which drops the AllaKore RAT. The malware provides remote control and the ability to log keystrokes, take screenshots, and download or upload files. Attackers also use SystemBC, which can turn infected machines into proxies, hiding C2 traffic by routing it through SOCKS5 proxies. Updated tactics now restrict the final malware delivery to users located in Mexico using server-side checks, making it harder for outside analysts to study the campaign.
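The archive layout described above (decoy documents beside a disguised installer) is something a mail gateway or triage script can flag before the ZIP reaches a user. The following is an added example written for this article, not code from Arctic Wolf or any of the cited reports; the archive it inspects is constructed in memory with made-up file names, and the extension lists are assumptions about what a typical dropper uses.

```python
import io
import zipfile

# Assumed extension sets: what a dropper typically ships as, and what the decoys look like.
EXECUTABLE_EXTS = {".exe", ".msi", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
DOCUMENT_EXTS = {".pdf", ".docx", ".xlsx", ".txt", ".jpg", ".png"}
PE_MAGIC = b"MZ"  # Windows PE header; catches an executable renamed to look like a document


def classify_member(name: str, head: bytes) -> str:
    """Classify one archive member as executable, masquerade, document or other."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if head.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
        return "masquerade"  # PE content hidden behind a non-executable extension
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in DOCUMENT_EXTS:
        return "document"
    return "other"


def triage_zip(data: bytes) -> dict:
    """List members by kind and flag the archive when a payload sits beside decoy documents."""
    findings = {"executable": [], "masquerade": [], "document": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed, not the full member
            kind = classify_member(info.filename, head)
            if kind in findings:
                findings[kind].append(info.filename)
    has_payload = bool(findings["executable"] or findings["masquerade"])
    findings["suspicious"] = has_payload and bool(findings["document"])
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real campaign artifact) mimicking the decoy-plus-installer layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Factura_Marzo.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("Instalador.pdf.exe", b"MZ" + b"\x00" * 16)  # double extension lure
        zf.writestr("Manual.txt", b"MZ" + b"\x00" * 16)  # PE bytes behind a .txt name
    return buf.getvalue()
```

Run `triage_zip(build_sample_archive())` to see the archive flagged; on real mail flow, feed it each ZIP attachment and quarantine anything with `suspicious` set.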

Greedy Sponge has been using similar tools and infrastructure for over four years, with focused attacks in Mexico. Other regions, such as Brazil, have also experienced campaigns using AllaKore variants. Arctic Wolf described the group as persistent and successful, but not highly advanced.

Recent months have shown other related cybercrime techniques. In one campaign, a phishing attack used a new crypter, Ghost Crypt, to encrypt and deliver PureRAT malware. Attackers used urgent phone calls and PDF files with links to malicious content to trick victims. Ghost Crypt, first advertised in April 2025, helps attackers avoid detection by Microsoft Defender and delivers various types of malware, such as Lumma and StealC.

Other ongoing threats include Neptune RAT, spread by JavaScript-based lures, and attacks using malicious Inno Setup installers, which run scripts to install information-stealing malware like RedLine. These approaches use automated scripts and layered payloads to bypass traditional security controls.

For more technical analysis and information on tactics, readers can refer to the detailed articles by Arctic Wolf Labs, Arctic Wolf, eSentire, and Splunk Threat Research Team.
