Inside the Shadows: Greedy Sponge’s Relentless Cyber Siege on Mexico

Listen to this Post

Featured Image

Mexican Sectors Under Siege: A Campaign with Financial Intent

Cybersecurity experts have uncovered a disturbing pattern: Mexican organizations are once again under attack by a persistent and financially motivated hacking group dubbed Greedy Sponge. According to researchers at Arctic Wolf Labs, this campaign, active since early 2021, shows no signs of slowing down. The hackers are deploying heavily customized versions of the AllaKore Remote Access Trojan (RAT) and SystemBC, targeting sectors such as banking, manufacturing, transportation, retail, entertainment, and even public institutions.

The modus operandi of the attackers revolves around phishing emails and drive-by downloads, often packed inside ZIP archives camouflaged as legitimate updates. These archives contain a Chrome proxy executable and a trojanized MSI installer, which discreetly deploy the AllaKore RAT. The malware is packed with invasive tools like keylogging, screen capturing, file transfers, and remote control capabilities.

This malicious campaign has evolved over time. Earlier, geofencing (targeting only Mexican systems) was embedded in the MSI downloader. As of mid-2024, this check has shifted server-side, further obscuring its tracks. SystemBC, another payload in the attackers’ arsenal, transforms infected Windows systems into SOCKS5 proxies, making it easier for threat actors to communicate covertly.

A noteworthy development is the reappearance of AllaSenha (a.k.a CarnavalHeist) — a variant of AllaKore RAT targeting Brazilian banks, which was exposed earlier in 2024 by Cisco Talos and HarfangLab.

The infrastructure used by Greedy Sponge has shown remarkable consistency, suggesting operational success. While the group isn’t considered highly sophisticated, their persistence and narrow geographical targeting make them uniquely dangerous.

Adding fuel to the fire, eSentire identified a May 2025 phishing campaign leveraging a new Crypter-as-a-Service tool dubbed Ghost Crypt, which was advertised by cybercriminals in April 2025. The tool has the ability to bypass Microsoft Defender, delivering a cocktail of malware including PureRAT, StealC, DCRat, and XWorm.

Also worth noting is the emergence of a new Neptune RAT (MasonRAT) variant, using JavaScript lures to install spyware, clipper malware, and trojans. Meanwhile, attackers are increasingly exploiting Inno Setup’s Pascal scripting to deploy Hijack Loader, a notorious delivery system for RedLine stealer, which harvests sensitive data like login credentials and payment info.

🧠 What Undercode Say: Analytical Breakdown of the Threat Campaign

A Well-Orchestrated Financial Espionage Network

The Greedy Sponge operation exemplifies a calculated, slow-burning cybercrime model. Rather than launching mass global attacks, they favor surgical strikes against Mexican and Latin American targets, allowing them to maintain control, avoid detection, and continually refine their methods.

Highly Adaptive Malware Ecosystem

The deployment of AllaKore RAT, SystemBC, and tools like Ghost Crypt reflects the group’s technical agility. Each component is strategically selected for its strength: AllaKore for deep system infiltration, SystemBC for secure C2 routing, and Ghost Crypt to obfuscate malicious payloads.

The server-side geofencing change demonstrates growing sophistication. By handling location restrictions on the server rather than the client, the group avoids early detection by security researchers running sandbox analyses.

Operational Success through Repetition

Despite lacking nation-state-level tools or advanced exploits, Greedy

Expansion into Crypter Services and Malware-as-a-Service (MaaS)

The rise of Ghost Crypt shows how underground cybercrime is turning into a full-fledged service economy. Criminals no longer need to build complex loaders or evasion tools from scratch. Crypter services like this allow low-skill actors to launch devastating attacks with minimal effort.

This transformation is evident in the ease with which attackers now deploy PureRAT, StealC, and RedLine—malware strains that once required more manual effort. With plug-and-play loaders, cybercriminals are becoming more efficient and dangerous.

Risk to Critical Mexican Infrastructure

Given that Greedy Sponge has already attacked commercial services, capital goods, and public sector organizations, it’s plausible they could escalate to national infrastructure in the future. If they target utilities, telecommunications, or transportation systems, the fallout could cripple essential services and impact millions.

Latin

Much of Latin

The Real Danger Lies in the Shadows

The most chilling element of this campaign isn’t just the RATs or loaders, but the longevity and invisibility of Greedy Sponge’s operations. Their quiet but constant evolution underscores a larger issue: cybercrime in Latin America is underreported, under-investigated, and vastly underestimated.

✅ Fact Checker Results

AllaKore RAT has been documented in Latin America by multiple vendors including Cisco Talos and HarfangLab.
Ghost Crypt was publicly advertised on cybercrime forums in April 2025, confirming its authenticity.
The campaign’s Mexican focus and financial motivation is validated by Arctic Wolf’s multi-year analysis.

🔮 Prediction

Greedy Sponge is likely to expand beyond Mexico in the next 6–12 months, possibly targeting other under-defended Latin American countries like Peru, Colombia, or Argentina. We also predict increased adoption of Crypter-as-a-Service tools like Ghost Crypt by other financially driven groups, leading to more stealthy, modular cyberattacks across the region. Expect to see a rise in RAT variants, improved anti-analysis methods, and cross-border attacks on financial institutions.

References:

Reported By: thehackernews.com
Extra Source Hub:
https://stackoverflow.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin