
Threat Actor Characterization

Dark Caracal


ID: 57b88ca56ed4a3b2717e5c3132a5459861354
Category: Cybercrime, State-Sponsored
Threat types: Spyware/Stealer, Surveillance, Intrusion
Location: Lebanon, UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 35% | Completeness: 28% | Freshness: 50%
Operation zone: UNKNOWN
Aliases: no aliases registered.
MITRE ATT&CK®

Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. Ref: https://attack.mitre.org/groups/G0070/


Technique | Technique name | Tactic(s) | Evidence
T1027.002 | Obfuscated Files or Information: Software Packing | TA0005 Defense Evasion | Dark Caracal has used UPX to pack Bandook.
T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | TA0005 Defense Evasion | Dark Caracal has obfuscated strings in Bandook by Base64-encoding them and then encrypting them.
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | TA0002 Execution | Dark Caracal has used macros in Word documents that download a second stage if executed.
T1071.001 | Application Layer Protocol: Web Protocols | TA0011 Command and Control | Dark Caracal's version of Bandook communicates with its server over a TCP port using HTTP payloads that are Base64-encoded and suffixed with the string "&&&".
T1204.002 | User Execution: Malicious File | TA0002 Execution | Dark Caracal makes its malware look like Flash Player, Office, or PDF documents to entice a user to click on it.
T1218.001 | System Binary Proxy Execution: Compiled HTML File | TA0005 Defense Evasion | Dark Caracal leveraged a compiled HTML (CHM) file that contained a command to download and run an executable.
T1437.001 | Application Layer Protocol: Web Protocols (Mobile ATT&CK) | TA0037 Command and Control | Dark Caracal controls implants using standard HTTP communication.
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | TA0003 Persistence, TA0004 Privilege Escalation | Dark Caracal's version of Bandook adds a registry value under HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run for persistence.
T1566.003 | Phishing: Spearphishing via Service | TA0001 Initial Access | Dark Caracal spearphished victims via Facebook and WhatsApp.
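Two of the behaviours in the table above are concrete enough to hunt for directly: the "&&&"-suffixed Base64 C2 payloads (T1071.001) and the Run-key persistence combined with Flash/Office/PDF lure names (T1547.001, T1204.002). The helpers below are an added example written for this page, not code from the profile or from any vendor report; the sample C2 stream and registry entries are constructed for illustration and are not real Dark Caracal indicators.

```python
"""Hunting helpers for two Dark Caracal / Bandook behaviours from the
ATT&CK table: "&&&"-delimited Base64 C2 payloads (T1071.001) and Run-key
persistence with lure-style names (T1547.001 / T1204.002).

Added example, not code from this profile or any vendor report. All sample
data below is constructed for illustration.
"""
import base64
import binascii
import re

# T1071.001: each Bandook message is Base64 text followed by "&&&".
C2_DELIMITER = b"&&&"


def split_c2_messages(stream: bytes) -> list[bytes]:
    """Split a captured TCP/HTTP body on the delimiter and Base64-decode
    every segment that is valid Base64. Segments that do not decode (HTTP
    headers, truncated fragments, noise) are skipped rather than raising."""
    messages = []
    for segment in stream.split(C2_DELIMITER):
        segment = segment.strip()
        if not segment:
            continue
        try:
            messages.append(base64.b64decode(segment, validate=True))
        except (binascii.Error, ValueError):
            continue
    return messages


def looks_like_bandook_c2(stream: bytes) -> bool:
    """Network hunt heuristic: the delimiter is present and at least one
    delimited segment is well-formed Base64."""
    return C2_DELIMITER in stream and bool(split_c2_messages(stream))


# Constructed sample: two beacons back to back, each suffixed with "&&&",
# plus a trailing non-Base64 fragment that must be ignored.
SAMPLE_C2_STREAM = (
    base64.b64encode(b"beacon|WIN-HOST|alice") + C2_DELIMITER
    + base64.b64encode(b"cmd|dir C:\\Users") + C2_DELIMITER
    + b"partial!"
)

# T1547.001: Bandook adds a value under
# HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run
# (RunOnce is deliberately not matched; widen the regex if you want it).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
# Autoruns launched from user-writable directories deserve a look.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Desktop)\\", re.I)
# T1204.002: the group disguises payloads as Flash Player, Office or PDF files.
LURE_NAME_RE = re.compile(r"flash|adobe|office|pdf|reader", re.I)


def suspicious_run_entries(entries):
    """entries: iterable of (key_path, value_name, data) as exported from the
    registry. Returns (value_name, data, reasons) for Run-key values whose
    target sits in a user-writable path or carries a lure-style name."""
    hits = []
    for key_path, value_name, data in entries:
        if not RUN_KEY_RE.search(key_path):
            continue
        reasons = []
        if USER_WRITABLE_RE.search(data):
            reasons.append("user-writable path")
        if LURE_NAME_RE.search(value_name) or LURE_NAME_RE.search(data):
            reasons.append("lure-style name")
        if reasons:
            hits.append((value_name, data, reasons))
    return hits


# Constructed sample: one benign vendor autorun, one Bandook-style entry,
# and a RunOnce value that the Run-key regex does not match.
SID = r"HKEY_USERS\S-1-5-21-1000-2000-3000-1001"
SAMPLE_RUN_ENTRIES = [
    (SID + r"\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    (SID + r"\Software\Microsoft\Windows\CurrentVersion\Run",
     "FlashPlayer", r"C:\Users\alice\AppData\Roaming\FlashPlayer\flashplayer.exe"),
    (SID + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "Update", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for msg in split_c2_messages(SAMPLE_C2_STREAM):
        print("C2 message:", msg)
    for name, data, reasons in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"Run-key hit: {name} -> {data} ({', '.join(reasons)})")
```

Both heuristics are deliberately loose: "&&&" in a Base64 stream will also match unrelated traffic, and lure-style names are common in legitimate software, so treat hits as triage leads to pair with the packing and string-obfuscation indicators above rather than as standalone detections.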
Strategic Intelligence
No content.

Executive Analyst Brief for CISO
No content yet.

Hunting Playbook
No content yet.

IOC Appendix
No content yet.

OSINT Library
No content yet.
Social Media & Communication
SOCMINT integrated: 0/0

No social links registered for this profile.
Reference Images/Associated Evidence

No images found for this threat.