In recent years, the cybersecurity landscape has witnessed a significant uptick in credential theft and remote access attacks, with threat actors deploying sophisticated malware such as AllaKore RAT, PureRAT, and Hijack Loader. These tools have been instrumental in compromising systems across various sectors, leading to substantial financial and data losses.
AllaKore RAT and SystemBC: The Greedy Sponge Campaign
Since early 2021, a financially motivated hacking group known as Greedy Sponge has been targeting Mexican organizations across diverse industries, including retail, agriculture, public sector, entertainment, manufacturing, transportation, commercial services, capital goods, and banking. Their primary tools are a modified version of AllaKore RAT and SystemBC.
AllaKore RAT, a remote access trojan, has been heavily altered to extract banking credentials and unique authentication information, which are then transmitted to the attackers’ command-and-control (C2) servers to facilitate financial fraud. The attack vectors typically involve phishing emails or drive-by downloads that deliver malicious ZIP archives. These archives contain a legitimate Chrome proxy executable and a trojanized Microsoft Software Installer (MSI) file designed to deploy AllaKore RAT.
Once executed, the MSI file initiates a .NET downloader that retrieves and launches AllaKore RAT from an external server. Additionally, it may deploy SystemBC, a C-based malware that transforms compromised Windows hosts into SOCKS5 proxies, enabling attackers to communicate with their C2 servers covertly.
To evade detection and analysis, Greedy Sponge has implemented geofencing measures. Initially, geofencing was applied during the first stage via a .NET downloader within the trojanized MSI file. However, as of mid-2024, this tactic has shifted to server-side restrictions, limiting access to the final payload based on geographic location.
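SystemBC's value to the attackers lies in turning a compromised workstation into a SOCKS5 relay. A defender who can see unencrypted flow payloads can look for SOCKS5 negotiation (RFC 1928 greeting and CONNECT/BIND/UDP requests) involving hosts that are not approved proxies. The parser and check below are an added example written for this article, not code from the article or from any of the malware analyses it cites; the flow records, host names and the approved-proxy set are constructed, and the handshake is only visible on the wire where the relay channel is not wrapped in encryption.

```python
"""Classify captured flow payload bytes as SOCKS5 messages (RFC 1928) and flag
SOCKS5 negotiation involving hosts that are not approved proxies."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


@dataclass
class Socks5Message:
    kind: str    # "greeting" or "request"
    detail: str  # offered auth methods, or "<CMD> host:port"


def parse_greeting(payload: bytes) -> Optional[Socks5Message]:
    # Client greeting: VER | NMETHODS | METHODS (exactly NMETHODS bytes)
    if len(payload) < 3 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) != 2 + nmethods:
        return None
    methods = ",".join(f"0x{m:02x}" for m in payload[2:2 + nmethods])
    return Socks5Message("greeting", f"methods={methods}")


def parse_request(payload: bytes) -> Optional[Socks5Message]:
    # Client request: VER | CMD | RSV=0x00 | ATYP | DST.ADDR | DST.PORT (2 bytes, big-endian)
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp = payload[1], payload[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01:                       # IPv4, 4 bytes
        addr_end = 4 + 4
        if len(payload) < addr_end:
            return None
        host = str(ipaddress.IPv4Address(payload[4:addr_end]))
    elif atyp == 0x04:                     # IPv6, 16 bytes
        addr_end = 4 + 16
        if len(payload) < addr_end:
            return None
        host = str(ipaddress.IPv6Address(payload[4:addr_end]))
    elif atyp == 0x03:                     # domain name, length-prefixed
        if len(payload) < 5:
            return None
        addr_end = 5 + payload[4]
        if len(payload) < addr_end:
            return None
        host = payload[5:addr_end].decode("ascii", errors="replace")
    else:
        return None
    if len(payload) != addr_end + 2:       # truncated or trailing bytes: not a clean request
        return None
    (port,) = struct.unpack("!H", payload[addr_end:addr_end + 2])
    return Socks5Message("request", f"{CMD_NAMES[cmd]} {host}:{port}")


def classify(payload: bytes) -> Optional[Socks5Message]:
    """Return the SOCKS5 message found in the payload, or None for non-SOCKS5 bytes."""
    return parse_greeting(payload) or parse_request(payload)


# Constructed sample: (host, first payload bytes of a flow). Addresses are
# documentation ranges; none of this is real captured traffic.
SAMPLE_FLOWS = [
    ("ws-017", b"\x05\x01\x00"),                                               # greeting, no-auth only
    ("ws-017", b"\x05\x01\x00\x01" + bytes([203, 0, 113, 10]) + b"\x01\xbb"),  # CONNECT 203.0.113.10:443
    ("ws-042", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),                # ordinary HTTP, ignored
    ("ws-042", b"\x05\x01\x00\x03\x0bexample.com\x00\x50"),                    # CONNECT example.com:80
    ("proxy-01", b"\x05\x02\x00\x02"),                                         # approved proxy, skipped
]
APPROVED_PROXIES = {"proxy-01"}  # hypothetical allowlist of sanctioned SOCKS proxies


def find_unexpected_socks5(flows, approved):
    """Return (host, kind, detail) for SOCKS5 messages seen on non-approved hosts."""
    alerts = []
    for host, payload in flows:
        if host in approved:
            continue
        msg = classify(payload)
        if msg is not None:
            alerts.append((host, msg.kind, msg.detail))
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_socks5(SAMPLE_FLOWS, APPROVED_PROXIES):
        print(alert)
```

The length checks matter: a SOCKS5 greeting and a SOCKS5 request both start with 0x05, so the parser accepts a greeting only when the payload is exactly the advertised number of method bytes, and a request only when the address and port fields account for every byte. That keeps ordinary traffic that happens to begin with 0x05 from being misclassified.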
PureRAT and Ghost Crypt: A New Wave of Phishing Attacks
In May 2025, cybersecurity firm eSentire uncovered a phishing campaign leveraging a new crypter-as-a-service known as Ghost Crypt to deliver and execute PureRAT. This campaign underscores the evolving tactics of cybercriminals in deploying remote access trojans through sophisticated means.
The attack begins with a phishing email containing a malicious attachment or link. Once the recipient interacts with the attachment or link, Ghost Crypt decrypts and executes PureRAT on the victim’s system. PureRAT provides attackers with extensive control over the compromised system, including the ability to execute commands, exfiltrate data, and deploy additional malware.
Hijack Loader: A Versatile Malware Delivery Mechanism
Another notable development is the emergence of Hijack Loader, a malware loader designed to deliver various payloads, including remote access trojans and credential stealers. Hijack Loader employs sophisticated techniques to evade detection, such as process injection and the use of legitimate system processes to execute malicious code.
Once deployed, Hijack Loader can download and execute additional malware modules, providing attackers with a versatile tool for compromising systems and exfiltrating sensitive information.
The Broader Implications of Credential Theft and Remote Access Attacks
The proliferation of malware like AllaKore RAT, PureRAT, and Hijack Loader highlights a broader trend in cyber threats: the increasing focus on credential theft and remote access. By obtaining valid credentials, attackers can bypass traditional security measures, move laterally within networks, and maintain persistent access to compromised systems.
For instance, the IcedID malware has been observed compromising Active Directory domains in under 24 hours by leveraging credential theft and lateral movement techniques. Similarly, the RansomHub cyberattack used Remote Desktop Protocol (RDP) exploits and stolen credentials to maintain control of a network for 118 hours, leading to significant data exfiltration and ransomware deployment.
Moreover, infostealer malware has become increasingly prevalent, with reports indicating that such malware was used to steal 2.1 billion credentials in 2024, accounting for over 60% of the 3.2 billion credentials stolen from all organizations that year. The low cost and high profitability of infostealers have contributed to their widespread use among cybercriminals.
Mitigating the Threat: Best Practices for Organizations
To defend against the rising tide of credential theft and remote access attacks, organizations should implement a multi-layered security strategy that includes:
1. Employee Training and Awareness: Educate staff about the dangers of phishing attacks and the importance of verifying the authenticity of emails and attachments.
2. Strong Authentication Mechanisms: Implement multi-factor authentication (MFA) to add an extra layer of security beyond passwords.
3. Regular Software Updates: Ensure that all systems and software are up-to-date with the latest security patches to mitigate vulnerabilities.
4. Network Segmentation: Divide the network into segments to limit lateral movement in case of a breach.
5. Monitoring and Incident Response: Establish continuous monitoring of network activity and have a robust incident response plan in place to quickly address potential breaches.
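The monitoring item above is only useful if it is tied to the behaviour the earlier sections describe: an MSI package whose embedded downloader fetches the real payload from an external server. One concrete correlation rule for that chain is shown below as an added example written for this article (not code from the article or any vendor product): it walks Sysmon-style ProcessCreate and NetworkConnect records and flags a process that msiexec.exe spawned from a user-writable directory and that then opened an outbound connection. The event records, paths, PIDs and addresses are constructed, and the directory markers are an assumed heuristic to be tuned per environment.

```python
"""Correlate constructed Sysmon-style events to flag the MSI -> downloader ->
outbound fetch chain: a child of msiexec.exe, started from a user-writable
location, that later initiates a network connection."""
import ntpath

MSIEXEC = "msiexec.exe"
# Assumed heuristic: directories a standard user can write to. Tune per environment.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed events reduced to the fields used here. id 1 = ProcessCreate,
# id 3 = NetworkConnect (Sysmon event IDs). None of this is real telemetry.
EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 4188, "image": r"C:\Users\ana\AppData\Local\Temp\updater.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
    {"id": 3, "pid": 4188, "dest_ip": "203.0.113.25", "dest_port": 443},   # downloader fetches payload
    {"id": 1, "pid": 4300, "image": r"C:\Program Files\Vendor\helper.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
    {"id": 3, "pid": 4300, "dest_ip": "198.51.100.7", "dest_port": 443},   # installer helper, not flagged
    {"id": 1, "pid": 5010, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "pid": 5010, "dest_ip": "198.51.100.9", "dest_port": 443},   # browser traffic, not flagged
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_user_writable(path: str) -> bool:
    """True if the path lies under one of the assumed user-writable directories."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def find_msi_downloader_chains(events):
    """Return (pid, image, 'ip:port') for each msiexec child from a user-writable
    path that initiates a network connection after it was created.

    A single ordered pass is used so a NetworkConnect record is only matched to a
    ProcessCreate record that precedes it, which also limits confusion from PID reuse.
    """
    suspicious = {}  # pid -> image of msiexec children started from user-writable paths
    hits = []
    for ev in events:
        if ev["id"] == 1:
            if basename(ev["parent_image"]) == MSIEXEC and is_user_writable(ev["image"]):
                suspicious[ev["pid"]] = ev["image"]
        elif ev["id"] == 3 and ev["pid"] in suspicious:
            hits.append((ev["pid"], suspicious[ev["pid"]], f'{ev["dest_ip"]}:{ev["dest_port"]}'))
    return hits


if __name__ == "__main__":
    for pid, image, dest in find_msi_downloader_chains(EVENTS):
        print(f"ALERT pid={pid} image={image} connected to {dest}")
```

Legitimate installers also spawn helpers that go online, which is why the rule keys on the child's location rather than on msiexec.exe alone; in practice the path heuristic would be paired with an allowlist of known installer helpers and with the reputation of the destination address.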
By adopting these practices, organizations can enhance their resilience against credential theft and remote access attacks, safeguarding their systems and sensitive information from malicious actors.