Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC

Arctic Wolf Labs has been tracking a financially motivated threat group we’ve named Greedy Sponge, and has recently uncovered a number of notable upgrades to its tooling. The group targets Mexican organizations with a modified version of AllaKore RAT and SystemBC for the purpose of conducting financial fraud.

Summary

A financially-motivated threat actor, active since early 2021, has been targeting Mexican organizations with custom packaged installers that deliver a modified version of AllaKore RAT. Arctic Wolf® documented 2022 and 2023 campaign samples from this unidentified threat actor in a previous report. We are now referring to this group as Greedy Sponge, due to its financial focus and prior use of a popular “SpongeBob” meme on its C2.

There have been a number of notable changes since we last reported on this threat group. The AllaKore RAT payload has been heavily modified to enable the threat actors to send select banking credentials and unique authentication information back to their command-and-control (C2) server, for the purpose of conducting financial fraud.

AllaKore has also recently been seen delivering a secondary infection of SystemBC, a multi-platform malware proxy tool written in C that can be used to download and execute additional malware.

Since the middle of 2024, the group has updated its installation and post-exploitation processes to include better geofencing and more potent secondary infections. Historically, geofencing to the Mexican region took place in the first stage, via a .NET downloader included in the trojanized Microsoft Software Installer (MSI) file. That check has now been moved server-side to restrict access to the final payload, hampering defenders’ detection efforts.

Figure 1: Previous and current execution chains.

Weaponization and Technical Overview

Weapons: Malicious MSI installer, .NET downloader, customized AllaKore RAT, SystemBC
Attack Vector: Spear-phishing, drive-by download
Network Infrastructure: Servers hosted on Hostwinds
Targets: Medium to large Mexican companies

Victimology

The Greedy Sponge threat group specializes in targeting Mexican organizations. All phishing sites uncovered during the course of this investigation emulate Mexican business sites, and delivery filenames are in Spanish.

Domain registration also points to Mexico as the organization’s location, or base of operations. Previous campaigns specifically check Mexico as the IP point of origin through the .NET loader, while new campaigns perform the same check server-side on the delivery infrastructure.

Targeting continues to be indifferent to industry, as long as there’s money to be stolen from the targeted companies. Organizations identified in this and prior campaigns are spread across a wide range of sectors, including Retail, Agriculture, Public Sector, Entertainment, Manufacturing, Transportation, Commercial Services, Capital Goods, and Banking.

Technical Analysis

Attack Vector

In this new campaign, zip files are delivered to the target containing a legitimate Chrome proxy executable and a compressed MSI file that has been trojanized to download Greedy Sponge’s custom AllaKore remote access trojan (RAT). A secondary infection of SystemBC is optionally delivered by the actor.

In addition, lures sent to victims previously linking to Mexico’s Institute of Social Security – the Instituto Mexicano del Seguro Social (IMSS) – have been dropped in favor of a more generic policy update naming schema, InstalarActualiza_Policy.msi, meaning “Install update policy” in the Spanish language.

Although Mexican banks have been specifically targeted by this threat actor in the past, any company based in Mexico runs the risk of being hit by this trojan, as their tactics evolve over time.

Delivery

MD5: 35932f5856dbf8ba51e048b3b2bb2d7b
SHA-256: c3e7089e47e5c9fc896214bc44d35608854cd5fa70ae5c19aadb0748c6b353d6
File Name: Actualiza_Policy_v01.zip
File Size: 2388582 bytes

This file has the following structure:

  • Actualiza_Policy_v01.zip
    • __
    • Instalacion_ActualizaPolicy.zip
      • InstalarActualiza_Policy.msi

“__” is a legitimate version of chrome_proxy.exe, a binary proxy to Chrome, distributed by Google.

MD5: 63a5bc24837a392bc56de93b28c7d011
SHA-256: c9319b60fdde49e0b7cc4cdad7525643456420c4532a6cc2ae38672842eb48ed
File Name: __, chrome_proxy.exe
File Size: 1039976 bytes

InstalarActualiza_Policy.msi is built with Advanced Installer 20.6 build 7c7b154c. This file deploys a .NET downloader and a PowerShell script for cleanup. The .NET file is named Gadget.exe and is included in the AI_ChainedPackageFile. The internal name of the file is Tweaker.exe and it is responsible for downloading and deploying the custom AllaKore RAT.

MD5: 42300099a726353abfddbfdd5773de83
SHA-256: a83f218d9dbb05c1808a71c75f3535551b67d41da6bb027ac0972597a1fc49fe
File Name: Gadget.exe, Tweaker.exe
File Size: 75264 bytes
Created: 2084-06-18 18:54:16 UTC*

* 2084-06-18 is not a typo; it denotes a future compilation time.

Figure 2: .NET downloader base64 encoded requests.

Gadget.exe downloads the zip file metsys.zip from hxxps://manzisuape[.]com/amw/. It is then decompressed into kgm.exe, which is the AllaKore RAT payload.

File_deleter.ps1 remains from previous campaigns to clean up the %APPDATA% directory used for downloading and deploying the RAT.

What is AllaKore RAT?

AllaKore RAT is a simple, open-source remote access tool written in Delphi, first observed in 2015. Arctic Wolf Labs researchers* observed an attack in early 2024 targeting companies in Mexico that had more than $100M in annual revenue, including banks and cryptocurrency trading platforms. An AllaKore variant known as AllaSenha was subsequently used in May 2024 to target banking entities across Brazil.

AllaKore is a potent spying and exfiltration tool. It can keylog, take screenshots, upload and download files, and even take remote control of a victim’s device.

*Arctic Wolf acquired Cylance® from BlackBerry® in February 2025. The BlackBerry Threat Research and Intelligence team is now part of Arctic Wolf Labs.

MD5: ac2fa680544b1b1e452753b78b460a59
SHA-256: 4f08865b1bdcc0e27e34bbd722279de661c92ce9aafb9fced1b5de1275887486
File Name: kgm.exe, chancla.exe, ChromeUpd.exe
File Size: 8671744 bytes
Created: 2024-11-04 13:43:31
Original Name: ChromeUpd.exe
Internal Name: Chrome Update Set
File Version: 1.1.0.0

Samples with the same internal name “Chrome Update Set” go back to May 2024 and utilize the same delivery and C2 infrastructure, though updates to the secondary infection endpoints from license.txt to z2.txt and z3.txt have occurred.

After running, AllaKore maintains persistence in the system with an updated version downloaded at the URI /z1.txt and placed in the device’s Startup folder.

Figure 3: Disassembly of AllaKore’s update and persistence mechanism.

Secondary infections are downloaded to %\Appdata\Roaming\file.exe and immediately executed.

Figure 4: Disassembly of AllaKore’s secondary infection download.

At the time of writing, the trenipono[.]com endpoints are as follows:

  • z1.txt
    • version_190_hxxps://manzisuape[.]com/ao/190[.]exe
  • z2.txt
    • hxxp://142.11.199[.]35/pnp.exe
  • z3.txt
    • hxxp://142.11.199[.]35/pnp.exe

Since our previous report, internal custom functions have been expanded, most likely to ease the structured copying of information back to the threat actor’s servers. Most are related to updated authentication on target banking sites and stealing authentication artifacts such as credentials and tokens.

Pnp.exe is a user account control (UAC) bypass utilizing CMSTP compiled off this repo, or a fork. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles, but it can be abused by adversaries, who use it to proxy execution of malicious code.

The code is identical to the repository but sets the service to “Actualizando” (Spanish for “updating”). It delivers the same loader that is packaged in the MSI, but instead it is pointed to a malicious SystemBC v2 binary hosted at hxxps://masamadreartesanal[.]com/tag/ss[.]exe.

Figure 5: CMSTP Bypass structure and secondary infection execution chain.

This latest addition is a measured increase in capability. Development by this threat actor since 2021 has shown slow but steady progress, as the group works to improve its delivery and post-exploitation process, moving from a simple zipped open-source RAT to a highly modified payload and the use of red-teaming tools.

Network Infrastructure

Greedy Sponge’s network infrastructure has maintained hosting through Hostwinds in Dallas, Texas, while current domains are limited to those registered through NICENIC INTERNATIONAL GROUP CO., LIMITED, with non-U.S. registrar countries.

Domain | Type
glossovers[.]com | Phishing
logisticasmata[.]com | Phishing
inmobiliariaarte[.]com | Phishing
mx-terrasabvia[.]com | Phishing
elitesubmissions[.]com | Phishing
pasaaportes-citas-srre-gob[.]com | Phishing
arimateas[.]com | Phishing
cleanmades[.]com | Phishing
pachisuave[.]com | SystemBC C2
manzisuape[.]com | AllaKore C2
trenipono[.]com | Delivery
metritono[.]com | Delivery
masamadreartesanal[.]com | Delivery

The .NET downloader uses a unique user-agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;). This user-agent is typically used in .NET downloader samples that download AllaKore RAT and SystemBC.

IP Addresses

The following are IP addresses associated with this campaign:

  • 254.133[.]54 – All phishing sites are located on the same Hostwinds-hosted server.
  • 11.199[.]35 – Currently trenipono[.]com, this has been part of the group’s C2 infrastructure since July 2024. This IP has overlap with previously used campaign domains, including chuacheneguer[.]com and flapawer[.]com.

The major change to operations here is the secondary infection of SystemBC. All samples identified have used pachisuave[.]com over port 4404. While the .NET loader for this file is delivered from 142.11.199[.]35, masamadreartesanal[.]com/tag/ss[.]exe is the endpoint that actually hosts the final payload.

Attribution

Greedy Sponge has been active since at least late 2021. Having spent those four years-plus actively targeting Mexican entities, we would deem this threat actor persistent, but not particularly advanced. The strictly financial motivation of this actor coupled with their limited geographic targeting is highly distinctive.

Additionally, their operational longevity points to probable operational success – meaning they’ve found something that works for them, and they are sticking with it. Greedy Sponge has held the same infrastructure models for the duration of their campaigns. Their infrastructure is hosted in Texas, which is geographically close to Mexico but also out of the country, limiting the reaches of law enforcement jurisdiction.

Greedy Sponge’s location-based characteristics can be summed up as follows:

  • Netflow data identified RDP access to the C2 from Mexico
  • Geographically limited targeting to Mexico
  • Development in the Spanish language
  • In-depth knowledge of Mexican economics and government regulatory bodies

The custom functionality built into the RAT is unique in how data is sent back to the C2: the client structures stolen tokens and credentials into strings ready for server-side ingestion. The very simple design of this credential copying process strongly suggests a tiered operation, with hands-on operators stealing data from victims and sending it back to the C2 to be used in fraudulent banking operations.

Proactive Recommendations

As a financially motivated threat actor, Greedy Sponge has exclusively targeted organizations within Mexico since they began their operation in 2021. If your organization is located in Mexico or conducts business operations in the country—regardless of industry—it is entirely plausible Greedy Sponge could target your organization in future campaigns.

Although we do not have visibility into recent delivery techniques used by Greedy Sponge, the threat actor has historically used phishing emails and drive-by downloads to deliver their custom AllaKore RAT. In both cases, user interaction is needed to successfully compromise an organization.

User education, either through comprehensive security awareness training or simulated phishing exercises, can help employees identify social engineering techniques threat actors use to trick users. Consider using the recent Greedy Sponge campaign as a case study to demonstrate what a threat actor can do once they have successfully socially engineered a user.

Additionally, ensure users only download software updates from approved business sources and not unknown, third-party sources. In at least one case, Greedy Sponge bundled AllaKore RAT with a legitimate binary proxy to Chrome, almost certainly to trick the victim into thinking the malicious file was a Chrome update.

Initial access is just one part of the kill chain. Once Greedy Sponge obtains access, they use a PowerShell script to hide their tracks. Arctic Wolf Labs is continuously investigating intrusions where PowerShell is used extensively throughout all phases of the kill chain. Enabling PowerShell Module Logging, Script Block Logging, and Transcription Logging can greatly increase your organization’s ability to detect and prevent malicious activity before actions on objectives. Taking these proactive measures can help prevent keylogging and data exfiltration by this threat actor.

Conclusion

The financially-motivated threat actor Greedy Sponge has been targeting Mexican entities since 2021. They have shown consistent development of the tactics, techniques, and procedures (TTPs) used in their operating realm. The large amount of activity found in open-source data sets and seen in Arctic Wolf’s internal telemetry demonstrates a highly functional and persistent group.

Barring disruption by law enforcement, it’s likely that Greedy Sponge will continue to evolve and remain a threat to Mexican entities in the coming years.

How Arctic Wolf Protects its Customers

Arctic Wolf is committed to ending cyber risk with its customers, and when active campaigns are identified we move quickly to protect our customers.

Arctic Wolf Labs has leveraged threat intelligence around Greedy Sponge’s activity to implement new detections in the Arctic Wolf® Aurora™ Platform to protect customers. As we discover new information, we will enhance our detections to account for additional IOCs and techniques leveraged by this threat actor.

Appendix


Detections

Yara Rules

rule fin_greedy_sponge_downloader_b64_useragent_string {
    meta:
        author = "The Arctic Wolf Labs team"
        description = "Locates unique strings to the Greedy Sponge .NET downloaders."
        date = "2025-04-09"
    strings:
        // Base64 of Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;), stored as a UTF-16LE (wide) string
        $s1 = {54 00 57 00 39 00 36 00 61 00 57 00 78 00 73 00 59 00 53 00 38 00
            30 00 4c 00 6a 00 41 00 67 00 4b 00 47 00 4e 00 76 00 62 00 58 00 42 00
            68 00 64 00 47 00 6c 00 69 00 62 00 47 00 55 00 37 00 49 00 45 00 31 00
            54 00 53 00 55 00 55 00 67 00 4e 00 69 00 34 00 77 00 4f 00 79 00 42 00
            58 00 61 00 57 00 35 00 6b 00 62 00 33 00 64 00 7a 00 49 00 45 00 35 00
            55 00 49 00 44 00 55 00 75 00 4d 00 6a 00 73 00 67 00 4c 00 6b 00 35 00
            46 00 56 00 43 00 42 00 44 00 54 00 46 00 49 00 67 00 4d 00 53 00 34 00
            77 00 4c 00 6a 00 4d 00 33 00 4d 00 44 00 55 00 37 00 4b 00 51 00 3d 00 3d 00}
    condition:
        uint16(0) == 0x5A4D and all of them
}

rule fin_greedy_sponge_custom_allakore_rat {
    meta:
        author = "The Arctic Wolf Labs team"
        description = "Find custom function names and prefixes in Greedy Sponge allakore variant."
        date = "2025-04-09"
    strings:
        $cnc1 = "{ESCAPAR}" wide
        $cnc2 = "{MENSAJE" wide
        $cnc3 = "{DESTRABA" wide
        $cnc4 = "{TOKEN" wide
        $cnc5 = "{TRABAR" wide
        $cnc6 = "{CLIPBOARD}" wide
    condition:
        uint16(0) == 0x5A4D and
        3 of ($cnc*) and
        filesize > 5MB and filesize < 12MB
}

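The $s1 hex string in the downloader rule is the Base64 form of the user-agent from the Network Infrastructure section, stored as a UTF-16LE (YARA "wide") string. The following Python is an added example, not part of the Arctic Wolf rules: it rebuilds that byte pattern from the user-agent, decodes the rule's hex back to the original text, and applies the rule's condition (MZ header plus the string) to constructed sample buffers.

```python
import base64

# User-agent reported for the Greedy Sponge .NET downloader (from the report).
GREEDY_SPONGE_UA = (
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)"
)

# The $s1 hex string copied from rule fin_greedy_sponge_downloader_b64_useragent_string.
RULE_S1_HEX = """
54 00 57 00 39 00 36 00 61 00 57 00 78 00 73 00 59 00 53 00 38 00
30 00 4c 00 6a 00 41 00 67 00 4b 00 47 00 4e 00 76 00 62 00 58 00 42 00
68 00 64 00 47 00 6c 00 69 00 62 00 47 00 55 00 37 00 49 00 45 00 31 00
54 00 53 00 55 00 55 00 67 00 4e 00 69 00 34 00 77 00 4f 00 79 00 42 00
58 00 61 00 57 00 35 00 6b 00 62 00 33 00 64 00 7a 00 49 00 45 00 35 00
55 00 49 00 44 00 55 00 75 00 4d 00 6a 00 73 00 67 00 4c 00 6b 00 35 00
46 00 56 00 43 00 42 00 44 00 54 00 46 00 49 00 67 00 4d 00 53 00 34 00
77 00 4c 00 6a 00 4d 00 33 00 4d 00 44 00 55 00 37 00 4b 00 51 00 3d 00 3d 00
"""


def ua_to_wide_b64(ua: str) -> bytes:
    """Base64-encode the ASCII user-agent, then store the Base64 text as UTF-16LE.
    This is exactly the byte layout a YARA 'wide' string matches."""
    b64_text = base64.b64encode(ua.encode("ascii")).decode("ascii")
    return b64_text.encode("utf-16-le")


def to_yara_hex(data: bytes, per_line: int = 12) -> str:
    """Render even-length bytes as a YARA hex string, one 'xx 00' pair per wide char."""
    pairs = [f"{data[i]:02x} {data[i + 1]:02x}" for i in range(0, len(data), 2)]
    lines = [" ".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return "{" + "\n ".join(lines) + "}"


def rule_hex_to_bytes(hex_string: str) -> bytes:
    """Parse the whitespace-separated hex from the rule back into raw bytes."""
    return bytes.fromhex("".join(hex_string.split()))


def decode_rule_string(hex_string: str) -> str:
    """Reverse the encoding: UTF-16LE -> Base64 text -> original user-agent."""
    b64_text = rule_hex_to_bytes(hex_string).decode("utf-16-le")
    return base64.b64decode(b64_text).decode("ascii")


def matches_downloader_rule(data: bytes) -> bool:
    """Python rendering of the rule condition: uint16(0) == 0x5A4D ('MZ') and $s1 present."""
    return data[:2] == b"MZ" and rule_hex_to_bytes(RULE_S1_HEX) in data


# Constructed sample buffers (not real samples): an 'MZ'-headed blob that embeds the
# wide Base64 user-agent, and the same payload without a PE header.
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + ua_to_wide_b64(GREEDY_SPONGE_UA) + b"\x00" * 16
SAMPLE_MISS = b"PK" + ua_to_wide_b64(GREEDY_SPONGE_UA)

if __name__ == "__main__":
    print(decode_rule_string(RULE_S1_HEX))
    print(to_yara_hex(ua_to_wide_b64(GREEDY_SPONGE_UA)))
    print(matches_downloader_rule(SAMPLE_HIT), matches_downloader_rule(SAMPLE_MISS))
```
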
Detailed MITRE ATT&CK® Mapping

Tactic | Technique / Sub-technique | Context
Reconnaissance | T1591.001 – Gather Victim Org Information: Determine Physical Location | Attacker restricts the malware execution to systems physically located in Mexico.
Defense Evasion | T1027.015 – Obfuscated Files or Information: Compression | Zip files are delivered containing Greedy Sponge’s custom AllaKore RAT.
Defense Evasion | T1218.007 – System Binary Proxy Execution: Msiexec | An MSI file has been trojanized to download Greedy Sponge’s custom AllaKore RAT.
Execution | T1204.002 – User Execution: Malicious File | Greedy Sponge has gained execution through victims opening malicious files embedded in a zip file.
Command and Control | T1105 – Ingress Tool Transfer | Attacker downloads Greedy Sponge’s custom AllaKore RAT.
Execution | T1059.005 – Command and Scripting Interpreter: PowerShell | InstalarActualiza_Policy.msi deploys a PowerShell script for cleanup of the %APPDATA% directory.
Defense Evasion | T1070.004 – Indicator Removal: File Deletion | InstalarActualiza_Policy.msi deploys a PowerShell script to clean up the %APPDATA% directory used for downloading and deploying the RAT.
Command and Control | T1132.001 – Data Encoding: Standard Encoding | The .NET downloader Base64-encodes its requests.
Command and Control | T1071.001 – Application Layer Protocol: Web Protocols | Attacker communicates over HTTPS to download the RAT.
Defense Evasion | T1140 – Deobfuscate/Decode Files or Information | metsys.zip is decompressed into kgm.exe, which is the AllaKore RAT.
Collection | T1056.001 – Input Capture: Keylogging | AllaKore RAT has the capability to keylog.
Collection | T1113 – Screen Capture | AllaKore RAT has the capability to take screenshots.
Persistence | T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | AllaKore RAT maintains persistence in the system using the Startup folder.
Exfiltration | T1041 – Exfiltration Over C2 Channel | Attacker copies collected information back to the threat actor’s servers.
Credential Access | T1555 – Credentials from Password Stores | Attacker has collected information about authentication on target banking sites, and steals authentication artifacts such as credentials and tokens.
Privilege Escalation | T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control | Pnp.exe is a user account control (UAC) bypass utilizing CMSTP, compiled from this repo or a fork.
Defense Evasion | T1218.003 – System Binary Proxy Execution: CMSTP | Pnp.exe uses CMSTP, compiled from this repo or a fork, to bypass UAC.

About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.

Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.
