| Executives January 18, 2018

January 18, 2018

Mobile Advanced Persistent Threat actor conducting global espionage campaign from Lebanon

By Mike Murray

Dark Caracal Report

Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor running a global espionage campaign against military personnel, enterprises, medical professionals, lawyers, journalists, educational institutions, and activists.

Dark Caracal has operated a series of multi-platform campaigns starting from at least January 2012, according to our research. The campaigns span across 21+ countries and thousands of victims. Types of data stolen include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.  We believe this actor is operating their campaigns from a building belonging to the Lebanese General Security Directorate (GDGS) in Beirut.

The joint Lookout-EFF investigation began after EFF released its Operation Manul report, highlighting a multi-platform espionage campaign. After investigating related infrastructure and connections to Operation Manul, the Lookout Security Intelligence team concluded that the threat actor also executed a widespread mobile APT campaign on a global scale.

We call this Android malware component "Pallas." Pallas is the first mobile advanced persistent threat (mAPT) we've seen deployed on a global scale. We believe the actors would use Pallas against any target a nation state would otherwise attack, including governments, militaries, utilities, financial institutions, manufacturing companies, and defense contractors.

All Lookout customers are protected from this threat. Lookout researchers also worked directly with the Google Android Security Team to address the Android component of this threat within the Android ecosystem. The team was highly responsive and worked to find the malicious apps and protect customers.

"Google has identified the apps associated with this actor, none of the apps were on the Google Play Store. Google Play Protect has been updated to protect user devices from these apps and is in the process of removing them from all affected devices."

How to stay safe

Dark Caracal gets on people's devices through phishing attacks. As always, you should be wary of messages with links in messages, SMS, or emails. These phishing messages are oftentimes well-spoofed, so if you're wondering whether a friend or colleague has sent you a message with a link or attachment, contact them directly to ask if the message is real. Lastly, having Lookout on the device will protect you from malicious apps by alerting you any time a bad app is downloaded to your device. Enterprise IT admins will receive the same kind of alert through Lookout Mobile Endpoint Security.

There are a number of ways you can get more information about this threat and how it might impact your organization today.

Download the report

Download the executive summary of the Dark Caracal report.

Download the full report on Dark Caracal.

In it you will get details on:

  • What Pallas is
  • Who the GDGS is
  • A timeline of Dark Caracal activities
  • Personas used by the attackers
  • Dark Caracal phishing tactics
  • Infrastructure
  • Over 90 indicators of compromise (IOCs)
Attend the webinar

Dark Caracal webinar

Hear directly from Lookout VP of Security Research Michael Murray, Lookout Security Advisory Service Leader Michael Flossman, and EFF Director of Cybersecurity Eva Galperin in this webinar. You'll get firsthand information about the campaigns, mobile and desktop malware, and the overall investigation.

Register Watch the on-demand webinar here.

Contact Lookout

Want to learn about how Dark Caracal could impact your organization specifically or inquire more about our Threat Advisory Services? Contact Lookout today.


Mike Murray,
Vice President, Security Intelligence

Leave a comment