A financially motivated threat actor now identified as “Greedy Sponge” has intensified its focus on Mexican organizations, deploying a heavily modified version of the AllaKore Remote Access Trojan (RAT) in a campaign targeting a broad range of sectors, including banking, capital goods, and public sector entities.
Active since 2021 and recently profiled in detailed research by Arctic Wolf Labs, Greedy Sponge has evolved its techniques, adapting payload delivery, evasion strategies, and secondary infections to maximize financial fraud while complicating defender detection methods.
Enhanced AllaKore RAT
Initially relying on spear-phishing and drive-by attacks, Greedy Sponge now delivers weaponized zip files that masquerade as legitimate policy updates, often containing Spanish-language filenames and imitating trusted Mexican business and government resources.
These packages embed a legitimate Chrome proxy executable alongside a trojanized MSI installer.
This MSI installer is built with Advanced Installer and deploys a .NET downloader dubbed “Gadget.exe” (internally called “Tweaker.exe”) responsible for fetching the customized AllaKore RAT payload from attacker infrastructure.

Since mid-2024, the threat actor has migrated geofencing logic from the initial loader to its command and control (C2) servers, restricting payload delivery exclusively to Mexican IP addresses.
This server-side control significantly hampers efforts by non-local defenders and researchers to analyze live attack chains.
Arctic Wolf’s analysis further identified that recent infections optionally deliver a secondary payload, the notorious SystemBC malware proxy, enhancing the attackers’ capability to exfiltrate sensitive data and install additional tools.
Sophisticated Credential Theft
The modified AllaKore RAT, still based on open-source Delphi code, has been upgraded with proprietary modules enabling credential and authentication data extraction tailored for Mexican and, more recently, Brazilian financial institutions.
New variants keep persistent access by deploying updates through the victim’s startup directory and maintain communication with C2 endpoints to fetch further malware or receive configuration changes.

SystemBC serves as a malware proxy; it is deployed through a User Account Control (UAC) bypass and connects directly to attacker-controlled endpoints.
Arctic Wolf attributes the group’s regional targeting and Spanish-language development to an operator base within Mexico, reinforced by campaign infrastructure access patterns and unique knowledge of Mexican economic and regulatory landscapes.
All phishing infrastructure mimics Mexican businesses and uses domains registered through non-U.S. entities, yet is physically hosted nearby in Texas, potentially limiting law enforcement reach.
Greedy Sponge’s operational longevity and iterative technical improvements indicate not only persistence but ongoing success in monetizing attacks, as evidenced by continued targeting of victim organizations with annual revenues above $100 million.
While industry targeting is opportunistic, the sophistication of the group’s credential harvesting and C2 data structuring highlights a tiered operation, likely feeding manually stolen banking data into coordinated fraud schemes.
Organizations operating in Mexico are reminded to heighten phishing awareness among users, enforce strict controls on software downloads, and broaden visibility across endpoint and PowerShell activity to detect and intercept malicious lateral movement post-infection.
Arctic Wolf has rolled out coverage for Greedy Sponge IOCs within its Aurora platform and encourages customers to remain vigilant against this steadily evolving threat.
Indicators of Compromise (IOCs)
| IOC Type | Value | Description |
|---|---|---|
| SHA-256 | c3e7089e47e5c9fc896214bc44d35608854cd5fa70ae5c19aadb0748c6b353d6 | ZIP payload |
| SHA-256 | a83f218d9dbb05c1808a71c75f3535551b67d41da6bb027ac0972597a1fc49fe | .NET Downloader |
| SHA-256 | 4f08865b1bdcc0e27e34bbd722279de661c92ce9aafb9fced1b5de1275887486 | AllaKore RAT |
| SHA-256 | 20fe630a63dd1741ec4ade9fe05b2e7e57208f776d5e20bbf0a012fea96ad0c0 | AllaKore RAT |
| Domain | glossovers[.]com | Phishing |
| Domain | logisticasmata[.]com | Phishing |
| Domain | pachisuave[.]com | SystemBC C2 |
| Domain | manzisuape[.]com | AllaKore C2 |
| Domain | trenipono[.]com | Delivery |
| IP Address | 142.11.199[.]35 | Campaign C2/Delivery |
| User-Agent | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;) | Downloader |
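The following is an added example, not Arctic Wolf's detection content or the Aurora coverage mentioned above. It takes the indicator values from the IOC table exactly as published (defanged with `[.]`) and shows two defender-side checks a practitioner would run with them: matching proxy or DNS log lines against the domains, IP address and downloader User-Agent, and hashing files in a directory (for instance a user's Startup folder, which the report names as the RAT's persistence location) against the listed SHA-256 values. The log lines, file names and the `scan_directory` target are constructed for illustration; the matching helpers are assumptions of this example.

```python
"""IOC sweep for the Greedy Sponge / AllaKore indicators listed in the table above.

Added example, not Arctic Wolf's tooling. Indicator values are copied from
the page's IOC table; log lines and scanned files are constructed.
"""
import hashlib
import re
from pathlib import Path

# SHA-256 values from the IOC table, mapped to the table's description column.
IOC_SHA256 = {
    "c3e7089e47e5c9fc896214bc44d35608854cd5fa70ae5c19aadb0748c6b353d6": "ZIP payload",
    "a83f218d9dbb05c1808a71c75f3535551b67d41da6bb027ac0972597a1fc49fe": ".NET downloader",
    "4f08865b1bdcc0e27e34bbd722279de661c92ce9aafb9fced1b5de1275887486": "AllaKore RAT",
    "20fe630a63dd1741ec4ade9fe05b2e7e57208f776d5e20bbf0a012fea96ad0c0": "AllaKore RAT",
}
# Network indicators, kept defanged as on the page; refang() restores the dots for matching.
IOC_DOMAINS = {
    "glossovers[.]com": "phishing",
    "logisticasmata[.]com": "phishing",
    "pachisuave[.]com": "SystemBC C2",
    "manzisuape[.]com": "AllaKore C2",
    "trenipono[.]com": "delivery",
}
IOC_IPS = {"142.11.199[.]35": "campaign C2/delivery"}
IOC_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)"


def refang(value: str) -> str:
    """Turn the '[.]' notation used for safe publication back into a real dot."""
    return value.replace("[.]", ".")


# One compiled pattern per network indicator. Domain patterns also hit subdomains
# (the '.' before the indicator is a word boundary) but not longer names that merely
# contain the string, such as 'notglossovers.com'.
_DOMAIN_PATTERNS = [
    (re.compile(r"\b" + re.escape(refang(d)) + r"\b", re.IGNORECASE), d, desc)
    for d, desc in IOC_DOMAINS.items()
]
_IP_PATTERNS = [
    (re.compile(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])"), ip, desc)
    for ip, desc in IOC_IPS.items()
]


def match_log_line(line: str) -> list[str]:
    """Return 'kind:indicator (description)' hits for one proxy/DNS log line."""
    hits = []
    for pattern, ioc, desc in _DOMAIN_PATTERNS:
        if pattern.search(line):
            hits.append(f"domain:{ioc} ({desc})")
    for pattern, ioc, desc in _IP_PATTERNS:
        if pattern.search(line):
            hits.append(f"ip:{ioc} ({desc})")
    if IOC_USER_AGENT in line:  # exact string from the table; an old MSIE 6 UA stands out on a modern estate
        hits.append("user-agent:downloader")
    return hits


def scan_lines(lines) -> dict[int, list[str]]:
    """Map line index -> hits, only for lines that matched at least one indicator."""
    return {i: h for i, line in enumerate(lines) if (h := match_log_line(line))}


def sha256_of_file(path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(directory, known=IOC_SHA256) -> list[tuple[str, str]]:
    """Hash every regular file under `directory` (e.g. a Startup folder) and return
    (path, description) for each file whose SHA-256 is in `known`."""
    findings = []
    for p in sorted(Path(directory).rglob("*")):
        if p.is_file():
            desc = known.get(sha256_of_file(p).lower())
            if desc:
                findings.append((str(p), desc))
    return findings


# Constructed sample proxy log lines (not real telemetry); line 3 is a deliberate near-miss.
SAMPLE_LOGS = [
    '2025-07-01T10:02:11Z src=10.0.4.21 dst=cdn.glossovers.com:443 ua="Mozilla/5.0" action=allow',
    '2025-07-01T10:03:47Z src=10.0.4.21 dst=142.11.199.35:80 '
    'ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)" action=allow',
    '2025-07-01T10:05:02Z src=10.0.4.22 dst=updates.example.com:443 ua="Mozilla/5.0" action=allow',
    '2025-07-01T10:06:30Z src=10.0.4.23 dst=notglossovers.com:443 ua="Mozilla/5.0" action=allow',
]

if __name__ == "__main__":
    for idx, hits in scan_lines(SAMPLE_LOGS).items():
        print(idx, hits)
```

Running the module reports the first two sample lines only: the subdomain of a listed phishing domain, and the campaign IP paired with the downloader's User-Agent. `scan_directory` can be pointed at each user's Startup folder on a suspect host; it returns nothing unless a file's hash is in the table, so a clean run is silent.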