This ZIP Is Like a Matryoshka Doll: Inside — an MSI, inside — a RAT, and inside — your money

Posted by ExcalibuR

One piece of malware has kept Mexico on edge for the fourth year in a row.


Mexican organizations continue to be the target of a persistent cybercrime campaign using modified versions of the AllaKore RAT and SystemBC malware. According to researchers at Arctic Wolf Labs, the group behind the attacks is known as Greedy Sponge, active since early 2021 and motivated purely by financial gain.


For over four years, the attackers have hit a wide range of victims — from agricultural and banking firms to transportation, entertainment, and even government institutions. This broad scope is paired with geographic selectivity: Greedy Sponge operates almost exclusively in Mexico. Analysts believe the campaign’s longevity and minimal infrastructure changes indicate its efficiency.


At the heart of the attacks is a heavily modified AllaKore RAT — a trojan with capabilities like remote control, keylogging, screenshot capture, file upload/download, and now the ability to intercept banking credentials and unique authentication tokens. These are exfiltrated to remote servers for further exploitation.


The first in-depth breakdown of the scheme came in January 2024 from BlackBerry (now part of Arctic Wolf). According to their findings, the infection vector typically begins with phishing emails or malicious ZIP files shared via harmful links. One such file was named Actualiza_Policy_v01.zip, containing a legitimate executable (Chrome Proxy) and a trojanized MSI installer that masks the malware.
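The lure archive described above is a container inside a container: a ZIP holding a benign-looking executable next to an MSI installer. The following is an added triage script, not code from the report or from Arctic Wolf/BlackBerry, that opens a ZIP in memory, identifies each member by its magic bytes rather than its extension (MSI files are OLE2 compound documents, PE executables start with "MZ"), recurses into nested ZIPs, and flags installers and extension mismatches. The sample archive it builds is constructed for the demo and only imitates the layout the report describes; the file names inside it are assumptions.

```python
import io
import zipfile
from typing import Dict, List

# Magic bytes for the container types that matter in this attack chain.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # MSI installers (and legacy Office files)
PE_MAGIC = b"MZ"                                   # Windows executables and DLLs
ZIP_MAGIC = b"PK\x03\x04"                          # nested ZIP archives

MAX_DEPTH = 3              # stop recursing into nested archives beyond this level
MAX_MEMBER_BYTES = 50_000_000  # refuse to inflate oversized members (zip-bomb guard)


def classify(data: bytes) -> str:
    """Name the real container type from the leading bytes, ignoring the extension."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def triage_zip(blob: bytes, depth: int = 0, prefix: str = "") -> List[Dict]:
    """Walk every member of the archive (and nested archives) and record findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            finding = {"path": path, "depth": depth, "ext": ext, "flags": []}
            if info.file_size > MAX_MEMBER_BYTES:
                finding["kind"] = "skipped"
                finding["flags"].append("oversized-member")
                findings.append(finding)
                continue
            data = zf.read(info)
            kind = classify(data)
            finding["kind"] = kind
            if kind == "ole2" and ext == "msi":
                finding["flags"].append("msi-installer")
            if kind == "pe":
                finding["flags"].append("executable")
            if kind in ("ole2", "pe") and ext not in ("msi", "exe", "dll"):
                # A document extension on a PE or OLE2 payload is a classic lure.
                finding["flags"].append("extension-mismatch")
            if kind == "zip" and depth < MAX_DEPTH:
                finding["flags"].append("nested-archive")
                findings.append(finding)
                findings.extend(triage_zip(data, depth + 1, path + "!/"))
                continue
            findings.append(finding)
    return findings


def verdict(findings: List[Dict]) -> str:
    """Collapse the findings into a single triage decision."""
    risky = {"msi-installer", "extension-mismatch", "oversized-member"}
    return "suspicious" if any(risky & set(f["flags"]) for f in findings) else "clean"


def build_sample() -> bytes:
    """Constructed stand-in for the lure archive (not the real file): a PE stub,
    an OLE2-headed installer, and a nested ZIP holding a PE disguised as a PDF."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("factura.pdf", PE_MAGIC + b"\x90" * 64)  # assumed name
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("chrome_proxy.exe", PE_MAGIC + b"\x00" * 64)      # assumed name
        zf.writestr("Actualiza_Policy.msi", OLE2_MAGIC + b"\x00" * 64)  # assumed name
        zf.writestr("adjuntos.zip", inner.getvalue())                  # assumed name
    return outer.getvalue()


if __name__ == "__main__":
    results = triage_zip(build_sample())
    for r in results:
        print(f"{'  ' * r['depth']}{r['path']}: {r['kind']} {r['flags']}")
    print("verdict:", verdict(results))
```

The script never executes or extracts anything to disk; it only reads member bytes into memory, which is why the size guard matters. In a mail gateway or sandbox pre-filter, the `verdict` function would feed the quarantine decision while the per-member findings go to the analyst.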


The MSI file uses a .NET-based loader, which contacts a remote address (manzisuape[.]com/amw) to fetch the payload and launches a PowerShell script to clean traces. Upon installation, the AllaKore RAT is activated and can fetch secondary malware, such as SystemBC, which turns the infected machine into a SOCKS5 proxy node — allowing attackers to secretly control the system and maintain communication with C2 servers.
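The execution chain in that paragraph gives a defender two concrete, loggable moments: the installer's outbound contact with the staging domain, and the PowerShell cleanup process that the MSI spawns. The following is an added detection example written for this post, not code from the report or from any vendor. It runs two rules over constructed Sysmon-style JSON event lines (process creation with parent image, and DNS query): a watchlist hit on the domain the report names (defanged on the page as manzisuape[.]com) and an msiexec-to-PowerShell parent/child relationship, with an extra tag when the command line looks like trace cleanup. The event field names and every sample line are assumptions made for the demo.

```python
import json
import ntpath
from typing import Dict, List

# Watchlist seeded from the indicator in the report; kept defanged in source and refanged on load.
WATCHLIST = {"manzisuape[.]com"}


def refang(domain: str) -> str:
    """Normalise a defanged indicator or a raw query so the two compare equal."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


WATCHLIST_NORMALISED = {refang(d) for d in WATCHLIST}

# Constructed event stream (not real telemetry). One JSON object per line; Windows paths are escaped.
SAMPLE_LOG = r"""
{"ts": "2025-07-23T14:02:11Z", "type": "process_create", "image": "C:\\Windows\\System32\\msiexec.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "msiexec.exe /i Actualiza_Policy.msi /qn"}
{"ts": "2025-07-23T14:02:14Z", "type": "dns_query", "image": "C:\\Windows\\System32\\msiexec.exe", "query": "manzisuape.com"}
{"ts": "2025-07-23T14:02:19Z", "type": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "powershell.exe -WindowStyle Hidden -Command Remove-Item C:\\Users\\Public\\stage.tmp"}
{"ts": "2025-07-23T14:03:02Z", "type": "dns_query", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "query": "www.example.com"}
{"ts": "2025-07-23T14:05:40Z", "type": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe -Command Get-Date"}
"""


def evaluate(event: Dict) -> List[str]:
    """Apply the per-event rules and return the names of those that fired."""
    hits = []
    image = ntpath.basename(event.get("image", "")).lower()
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    cmdline = event.get("cmdline", "").lower()

    if event.get("type") == "process_create":
        # Rule 1: an installer process launching PowerShell is rare in normal use.
        if parent == "msiexec.exe" and image in ("powershell.exe", "pwsh.exe"):
            hits.append("msiexec-spawns-powershell")
            # Sub-rule: hidden window plus file deletion matches the trace-cleanup step.
            if "remove-item" in cmdline or "-windowstyle hidden" in cmdline:
                hits.append("powershell-cleanup-pattern")
    elif event.get("type") == "dns_query":
        # Rule 2: any resolution of a watchlisted staging domain.
        if refang(event.get("query", "")) in WATCHLIST_NORMALISED:
            hits.append("watchlisted-domain")
    return hits


def scan(log_text: str) -> List[Dict]:
    """Parse JSON lines, evaluate each, and return only the events that produced hits."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        hits = evaluate(event)
        if hits:
            alerts.append({"ts": event.get("ts"), "image": event.get("image"), "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ts"], ntpath.basename(alert["image"]), ", ".join(alert["hits"]))
```

Both rules are intentionally narrow. The domain rule only helps while the operators keep the same infrastructure, which the report says they largely have; the parent/child rule survives an infrastructure change because it keys on the installer's behaviour rather than where it calls home. In production the two would be correlated on host and time window so that a DNS hit followed by an msiexec-spawned PowerShell raises a single higher-severity alert.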


Since mid-2024, the campaign has introduced more advanced geofiltering techniques. Previously, regional checks (targeting Mexico) were handled client-side within the MSI's .NET loader. Now, this filtering is server-side, complicating analysis for researchers outside the targeted region.


The threat continues alongside other ongoing attacks. In May 2025, eSentire reported a phishing campaign using a new malware obfuscation service — Ghost Crypt. In this case, a malicious PDF linked to a Zoho WorkDrive folder, which contained an encrypted PureRAT loader. Victims were urged to open the file immediately, after which a DLL was injected into the Windows system process csc.exe using a technique dubbed “process hypnosis.”


Ghost Crypt first surfaced on underground forums in April 2025. It’s designed to bypass Microsoft Defender and supports multiple malware types — from info-stealers like Lumma, StealC, and Rhadamanthys, to loaders and remote access trojans like XWorm, DCRat, and BlueLoader.


Additionally, a new variant of Neptune RAT (aka MasonRAT) is being spread via JavaScript-based lures. This malware is capable of stealing sensitive data, keylogging, screenshotting, deploying clipboard hijackers, and downloading extra DLLs.


Similar attack chains have been observed using Inno Setup-based installers that deploy Hijack Loader (also known as IDAT Loader), which in turn delivers RedLine Stealer, a notorious data theft tool. According to Splunk, this method closely mirrors the behavior of the previously known D3F@ck Loader, including the use of Pascal scripts to initiate payloads.


In summary, Greedy Sponge’s activity demonstrates not only persistence and tactical consistency, but also how small tweaks to infrastructure and malware allow attackers to remain in the shadows for years. Mexico, in this scenario, serves as a kind of testing ground, where financially motivated cybercrime thrives — and, most concerningly, faces little resistance.