Report links Global Espionage Campaign to Lebanese Spy Agency

Mobile security firm Lookout, Inc. and the Electronic Frontier Foundation, a digital rights group, have reported that a major hacking operation linked to one of Lebanon’s intelligence agencies has been exposed online. The Trojanised apps, which include fake versions of Signal and WhatsApp, operate like the legitimate apps and send and receive messages normally. The fake/spoofed apps allow the attackers to take photos, retrieve location information, capture audio, intercept messages and calls, send SMS texts to an attacker-specified number, delete attacker-specified files, and more.

What is Dark Caracal?

Dark Caracal is a persistent and prolific virus which has been operating since 2012. It is a spyware campaign that is administered through the spread of fake, Trojanised versions of apps such as Signal, Telegram, Threema, WhatsApp, and more. It has been designed to steal your personal and private information. Dark Caracal uses a custom-developed spy tool called Pallas, along with FinFisher (which is created by a company that makes lawful interception tools regularly abused by other nation-state actors), Bandook RAT and other tools that are purchased or rented from the Dark Web. The Trojanised apps look and operate the same as the real apps. If you have installed apps from Google’s Play Store, then you are probably safe. Most of the victims received an invite through SMS or email that was deliberately sent to them in a spear-phishing campaign designed to target them. Dark Caracal targets include individuals and entities that a nation state may attack, such as governments, military, utilities, financial institutions, defence contractors, and manufacturing companies.

The current iteration of Dark Caracal is being linked to a Lebanese intelligence agency and appears to use shared infrastructure which has been linked to other nation-state actors. At the time of writing, research has indicated that hundreds of gigabytes of data from more than 21 countries have been leaked online. Data that has been uncovered includes data associated with military personnel, medical professionals, activists, journalists, lawyers, and so on. Dark Caracal is not limited to mobile use. It is being used across mobile and desktop platforms through Trojanised Android apps.

Researchers also found that Dark Caracal’s spy tool, Pallas, is in Trojanised versions of apps that allow users to protect themselves online, namely Psiphon VPN and Orbot: TOR Proxy. It has also been found in Adobe Flash Player and Google Play Push for Android. Read the full report here.

How can you protect yourself?

Victims were tricked into visiting websites or downloading apps by SMS or emails, or by fake Facebook profiles. Other victims may have had the virus physically installed on their devices while they were away from their phones or computers.

This type of attack uses phishing, spear-phishing (targeted phishing attacks), and social engineering to attack people. Phishing attacks deceive you into giving up your passwords or installing malware. Attackers can use malware to remotely control your device, spy on you, or steal information. Phishing attacks work by tricking people into:

  • Clicking on a link;
  • Opening a document;
  • Installing software; or
  • Entering their username and password into a webpage that looks like a legitimate page.

Following the steps below helps to keep you safe from these types of attacks:

  • Always keep your software updated
  • Verify emails with senders
  • Do not download files unless verified by the sender. If possible, open suspicious documents in Google Drive
  • Do not click on links in SMS texts or emails unless you verify them

How can NSI help?

If you think your mobile device is compromised, our team of forensic examiners can help. Utilising law-enforcement-specification forensic hardware, we can find spyware and malware threats on your mobile devices. We are able to produce legally admissible reports and give you peace of mind by confirming whether or not your device is compromised. Visit our Forensic Spyware and Malware Analysis page for more information.

About NSI

NSI is an Australian-owned Global Geopolitical Risk and Counter Intelligence Advisory Firm. NSI has an interdisciplinary team of employees and partners in strategic locations around the globe.

PROTECTION AGAINST CYBER ESPIONAGE, CYBER-ATTACKS, RANSOMWARE, INSIDER THREATS, HACKTIVISM

The world is moving at an extremely fast pace, and as such, risks to your information and business are rising. Information from you or your business is a major asset to others, especially identity thieves or competitors. Cyber-attacks, cyber espionage, ransomware, insider threats and hacktivism are often reported by the media. Many security-related breaches have been reported over the past 12 months and Australia is not immune to this trend. Most of these events were the result of a weakness/vulnerability in either people, technology or a process. NSI provides specialist network, computer and information technology security consulting which is centred on risk analysis, assessment, and management of IT security risks.

Our Best in Class Services include:

  • Global Geopolitical Risk Advisory
  • Counterintelligence Services
  • Complete Organisational Security Risk Auditing
  • Technical Surveillance Counter Measures
  • Digital Forensic and Corporate Investigations
  • Cyber Countermeasures
  • Global Immediate Response Teams

Our experts have provided consultation, and have been interviewed numerous times by major media outlets such as:

  • Channel 7 News
  • The Sydney Morning Herald
  • 60 Minutes
  • The Daily Telegraph
  • Today Tonight
  • ABC Radio
  • A Current Affair
  • Sky Business News
  • Xinhua News China

NSI is called upon for its expertise by corporations in the Mining, Oil and Gas industries, Financial Institutions, Insurance companies, Law and Accounting firms, Government agencies and High Net-Worth individuals. Our services are available globally with local offices in Sydney, Canberra, Dubai, and Hong Kong. To book a confidential consultation, feel free to contact our team.
