Clankerusecase
Threat-actor profile

🌐Dark Caracal

🌐 Dark Caracal is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 12 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

MITRE ATT&CK group: G0070 (https://attack.mitre.org/groups/G0070)

14 use cases · 0 articles · 12 techniques · 0 IOCs

About this actor (MITRE)

[Dark Caracal](https://attack.mitre.org/groups/G0070) is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. (Citation: Lookout Dark Caracal Jan 2018)

Known aliases

Dark Caracal

Top techniques

All other tracked techniques

Detection use cases (14)

Dark Caracal Bandook RAT loader chain — Office/Outlook → mshta/PowerShell → Run-key persistence (AI · profile)
Dark Caracal CHM (hh.exe) execution from user-writable path or remote URL — T1218.001 (AI · profile)
Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes (MITRE match)
Developer package install spawning script-host with non-registry C2 within 5 minutes (MITRE match)
Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint (MITRE match)
Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution (MITRE match)
Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes (MITRE match)
Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access (MITRE match)
Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes (MITRE match)
Package manager lifecycle hook spawns network-fetching shell or runtime (MITRE match)
Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain (MITRE match)
Service-process parent spawns subprocess containing CLI-argument-injection tokens (MITRE match)
Beaconing — periodic outbound to small set of destinations (MITRE match)
Crypto-wallet file/keystore access by non-wallet process (MITRE match)