The Sponge Wants the Credentials
- Javier Conejo del Cerro
23 Jul
3 min read

A stealthy, financially motivated campaign is sweeping across Latin America, and Mexico in particular, where the threat actor tracked as Greedy Sponge, alongside other unnamed groups, is running a large-scale credential theft operation. Using a modified AllaKore Remote Access Trojan (RAT), the PureRAT backdoor, and the Hijack Loader malware loader, the attackers aim to steal user credentials, maintain remote access, and carry out financial fraud.
These campaigns use phishing emails, trojanized software installers, and crypter-as-a-service tools such as Ghost Crypt to slip past detection. With each infection the attackers widen their access, escalate privileges, and move deeper into the network. What looks like a harmless ZIP archive or MSI installer is often the first step in a calculated, well-coordinated fraud operation.
Fake files absorb
The campaign’s victims include a broad range of Latin American organizations—most prominently those in banking, agriculture, public administration, retail, and logistics. Within these institutions, attackers target roles with elevated access: IT professionals, infrastructure staff, and financial administrators. These users often have the keys to corporate data, internal systems, or payment platforms.
The threat actors send phishing messages that impersonate software updates, IT vendors, or even customers. Victims receive ZIP archives, or files posing as PDFs, that look harmless but actually deliver RATs and proxy tools. Once running, these payloads capture credentials, log keystrokes, take screenshots, and establish command-and-control (C2) channels. The end goal is sustained, privileged access to sensitive accounts and assets.
In multiple cases, stolen credentials were used not just for immediate theft but also for deeper fraud schemes—unauthorized transactions, vendor impersonation, and backend access to financial systems.
Into the cavernous loofah
The infection chain begins with simple deception: phishing or social engineering. The attacker sends a ZIP archive or a Windows Installer package (MSI) that has been trojanized to carry malware. These packages are made to look like legitimate update tools, PDFs, or financial documents.
Depending on the campaign, executing the file delivers one or more of the following payloads:
AllaKore RAT: a lightweight but effective remote access tool used for keylogging and screen capture. It lets attackers record passwords, session tokens, and internal workflows as the victim types and clicks.
PureRAT: a more fully featured RAT, typically wrapped with the Ghost Crypt crypter so that signature-based antivirus does not recognize it. It provides remote access and control and can be extended with plugins.
Hijack Loader: delivered through Inno Setup installer scripts, this loader stages and launches other malware, giving the attacker flexibility in how the infection chain evolves after the initial foothold.
SystemBC: a SOCKS proxy and backdoor that tunnels the attacker's traffic through the infected machine, hiding C2 and exfiltration inside ordinary-looking outbound connections and making them harder to spot.
Where they are deployed together, these tools complement one another: AllaKore provides real-time surveillance, PureRAT offers broader control, Hijack Loader extends the infection, and SystemBC provides stealth. The "loofah" metaphor is apt: each infected system absorbs more data, more access, and more compromise as the attack progresses.
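The disguised archive described above is what an email gateway or an analyst sees first. The script below is an added example written for this post, not code from the original author or from any vendor research it summarises. It builds a constructed ZIP in memory (no real sample is used) containing a genuine PDF, an executable carrying a double extension (.pdf.exe), and an MSI-style OLE file renamed to .pdf, then judges each member by file signature as well as by name. The extension lists and signature constants are assumptions chosen for illustration.

```python
"""Attachment triage for the lure pattern described above.

Added example for this post, not code from the original author or any vendor
report. The ZIP is constructed in memory; no real malware sample is used.
"""
import io
import zipfile

# File signatures (magic bytes). MSI packages are OLE compound documents.
MZ_MAGIC = b"MZ"                                  # PE executable (.exe/.dll/.scr)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file (MSI, legacy Office)
PDF_MAGIC = b"%PDF"

# Assumed policy lists for illustration.
EXEC_EXT = {".exe", ".dll", ".scr", ".msi", ".js", ".vbs", ".bat", ".cmd", ".ps1"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
PE_EXT = {".exe", ".dll", ".scr"}
OLE_EXT = {".msi", ".doc", ".xls"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a ZIP member should be quarantined (empty list = clean)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    last = exts[-1] if exts else ""
    if last in EXEC_EXT:
        reasons.append(f"executable or installer extension {last}")
    if len(exts) >= 2 and exts[-2] in DOC_EXT and last in EXEC_EXT:
        reasons.append("document-looking name with executable suffix")
    # Content checks: trust the bytes, not the name.
    if head.startswith(MZ_MAGIC) and last not in PE_EXT:
        reasons.append("PE (MZ) content under a non-executable name")
    if head.startswith(OLE_MAGIC) and last not in OLE_EXT:
        reasons.append("OLE compound file (MSI/legacy Office) under an unexpected name")
    if last == ".pdf" and not head.startswith(PDF_MAGIC):
        reasons.append("named .pdf but content is not a PDF")
    return reasons


def triage_zip(data: bytes) -> dict[str, list[str]]:
    """Map every file inside a ZIP (given as bytes) to its quarantine reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                # Encrypted entry: the gateway cannot look inside, so do not call it clean.
                findings[info.filename] = ["password-protected member, cannot be inspected"]
                continue
            with zf.open(info) as fh:
                head = fh.read(len(OLE_MAGIC))
            findings[info.filename] = classify_member(info.filename, head)
    return findings


def should_quarantine(findings: dict[str, list[str]]) -> bool:
    return any(findings.values())


def build_sample_zip() -> bytes:
    """Constructed lure archive (benign bytes), mimicking the campaign's disguises."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Comprobante_pago.pdf", b"%PDF-1.4\n% constructed benign document\n")
        zf.writestr("Factura_Julio.pdf.exe", MZ_MAGIC + b"\x00" * 62)       # double extension
        zf.writestr("Actualizacion_sistema.pdf", OLE_MAGIC + b"\x00" * 56)  # MSI renamed .pdf
    return buf.getvalue()


if __name__ == "__main__":
    findings = triage_zip(build_sample_zip())
    for member, reasons in findings.items():
        print(f"{member}: {reasons or 'clean'}")
    print("quarantine:", should_quarantine(findings))
```

Checking the magic bytes is what catches the renamed installer: an extension filter alone would pass "Actualizacion_sistema.pdf" straight through. Password-protected members cannot be read in transit, so the script reports them as uninspectable rather than clean.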
Dry sponge, credentials protected
Defending against this campaign requires a combination of user awareness, strict attachment filtering, and technical detection. The most effective measures are:
Train staff to verify files and links before opening them, especially those marked urgent or sent by unknown senders. Awareness is the first line of defense, but not the last: assume some lures will be opened.
Block ZIP, DLL, and MSI attachments from unknown senders at the email gateway. If blocking is not feasible, quarantine them and scan or detonate them before delivery. Password-protected or nested archives cannot be inspected in transit, so treat those as suspicious by default.
Deploy Endpoint Detection and Response (EDR) solutions that can catch:
Process injection.
Abuse of living-off-the-land binaries (LOLBins).
Unexpected proxy or tunnelling tools such as SystemBC.
Monitor where executables and installers come from, paying particular attention to:
Installers built with Inno Setup, the packaging used to deliver Hijack Loader in this campaign.
Business services such as Zoho that can be abused to host or relay files.
Domains associated with crypter services such as Ghost Crypt and similar obfuscation platforms.
Allowlist approved applications (application control) and detonate every new executable in a sandbox before it reaches users.
Conduct phishing drills and tabletop simulations to ensure your staff knows what real threats look like.
Review network logs, focusing on:
Unusual outbound traffic, including regular beacon-like connections to a single external host.
DNS requests for unknown or newly registered domains.
Connections to infrastructure systems from hosts or users not authorized to reach them.
Implement credential hygiene:
Enforce multi-factor authentication (MFA), preferably phishing-resistant methods, since a keylogger captures a reusable password but not a hardware-bound factor.
Rotate high-privilege credentials regularly and immediately after any suspected exposure.
Monitor access attempts from unfamiliar IPs or geographies, and alert on logins that succeed from them.
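As an added example for the network-log review above (not code from the original post), the script below runs three checks over constructed flow records: DNS queries for domains outside an allowlist, admin-port connections to infrastructure hosts from machines outside an admin subnet, and beacon-like outbound connections with near-constant timing, the pattern a proxy such as SystemBC or a RAT polling its C2 tends to produce. The record format, hosts, subnets, and allowlists are all assumptions.

```python
"""Network-log review for the three signals listed above.

Added example for this post, not code from the original author. The flow
records and every host, subnet, and allowlist below are constructed assumptions.
Record format: <unix_ts> <src_ip> <dst_ip> <dst_port> <bytes_out> <dns_query|->
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]           # assumed corporate range
INFRA_HOSTS = {"10.0.1.10": "domain-controller", "10.0.1.20": "core-banking-db"}
ADMIN_SUBNET = ipaddress.ip_network("10.0.9.0/24")             # jump hosts allowed to reach infra
ADMIN_PORTS = {22, 445, 3389, 5985}
KNOWN_DOMAINS = {"corp.example", "update.microsoft.com"}       # assumed DNS allowlist

# Constructed sample log: a workstation beaconing to an external host every 60 s,
# resolving an unknown domain, and opening RDP to the banking database.
SAMPLE_LOG = """\
1000 10.0.5.31 203.0.113.7 443 1200 -
1005 10.0.5.31 10.0.0.53 53 80 login.corp.example
1010 10.0.5.31 10.0.0.53 53 80 cdn-updt-x7kq.example.net
1060 10.0.5.31 203.0.113.7 443 1180 -
1120 10.0.5.31 203.0.113.7 443 1210 -
1180 10.0.5.31 203.0.113.7 443 1195 -
1200 10.0.5.31 10.0.1.20 3389 500 -
1300 10.0.9.5 10.0.1.10 3389 700 -
1400 10.0.5.40 198.51.100.9 443 900 -
"""


def parse(log_text: str) -> list[dict]:
    """Parse the simple flow format into event dictionaries."""
    events = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes, query = line.split()
        events.append({"ts": int(ts), "src": src, "dst": dst, "port": int(port),
                       "bytes": int(nbytes), "query": None if query == "-" else query})
    return events


def is_internal(ip: str) -> bool:
    # Explicit corporate ranges: ipaddress.is_private would also match documentation
    # ranges such as 203.0.113.0/24, which is not what we want here.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_known_domain(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in KNOWN_DOMAINS)


def review(events: list[dict], min_beacon: int = 4, max_jitter: float = 0.15) -> list[tuple]:
    """Return (rule, source, detail) alerts for the three log-review signals."""
    alerts = []
    external_flows = defaultdict(list)
    for e in events:
        # 1. DNS requests for domains outside the allowlist.
        if e["query"] and not is_known_domain(e["query"]):
            alerts.append(("dns-unknown-domain", e["src"], e["query"]))
        # 2. Admin-port access to infrastructure from outside the admin subnet.
        if (e["dst"] in INFRA_HOSTS and e["port"] in ADMIN_PORTS
                and ipaddress.ip_address(e["src"]) not in ADMIN_SUBNET):
            alerts.append(("infra-unauthorized", e["src"], f"{INFRA_HOSTS[e['dst']]}:{e['port']}"))
        # 3. Collect outbound flows for beacon analysis.
        if not is_internal(e["dst"]):
            external_flows[(e["src"], e["dst"], e["port"])].append(e["ts"])
    for (src, dst, port), stamps in external_flows.items():
        if len(stamps) < min_beacon:
            continue
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Low jitter relative to the mean interval is the signature of a polling implant.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            alerts.append(("outbound-beacon", src, f"{dst}:{port} every ~{round(mean(gaps))}s"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in review(parse(SAMPLE_LOG)):
        print(f"[{rule}] {src} -> {detail}")
```

The beacon check deliberately ignores bytes and ports: a SOCKS proxy over 443 looks like web traffic on every field except its clockwork timing. Tune min_beacon and max_jitter against your own baseline before alerting on production logs.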
The Greedy Sponge campaign shows how attackers combine low-complexity lures with increasingly sophisticated tooling. What begins with a simple file attachment can end in full administrative control, financial loss, and widespread data exposure. In this threat landscape the key is not just having defenses but deploying them before the sponge soaks you dry.