CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Malware & Threats

“Packrat” Threat Group Targets Latin America

A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries.

A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries.

The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.

Packrat Activity

Researchers believe Packrat began its activity in 2008 and up until 2013 it used various pieces of malware to targeted users in Brazil, although there are no confirmed victims from this period.

Packrat activity was also observed in 2014 when the attackers planted the Java-based RAT known as AlienSpy on the Android phone of Alberto Nisman, a controversial Argentine lawyer who was killed in January 2015. Police in Argentina uncovered the RAT, which had been disguised as a harmless document file, on Nisman’s phone after his death. Reports later surfaced about the same malware being used to target Argentine journalist and writer Jorge Lanata, and Maximo Kirchner, son of Argentina’s President Cristina Fernandez.

In 2015, according to experts, Packrat appears to have focused its activities on Ecuador, where it has targeted the government, government opponents, journalists, and parliamentarians. The group has also targeted Venezuela and the Venezuelan diaspora.

Packrat Tools and Methods

The threat group is known to have used malware in attacks aimed at users in Brazil and Argentina. In attacks aimed at Venezuela, the attackers mainly appear to have focused on spreading false information using bogus opposition groups and news websites. In Ecuador, Packrat leveraged not only malware and fake organizations, but also SMS and email-based phishing attacks. Researchers have found several public reports of phishing and malware attacks in Ecuador that they have managed to tie to Packrat.

Advertisement. Scroll to continue reading.

Experts have uncovered a total of 30 malware samples and 12 command and control (C&C) domains used by the group. Shared C&C infrastructure and other clues have allowed researchers to link malicious activity in several Latin American countries to Packrat.

The attackers have mainly relied on off-the-shelf malware to compromise victims’ machines and steal information. Between 2008 and 2013, Packrat used the RATs known as CyberGate and XtremeRAT, and in 2014-2015 they started using AlienSpy and Adzok. While these are known malware families, the attackers attempted to avoid detection by adding a layer of obfuscation using tools such as AutoIt3Wrapper, UPX, PECompact, PEtite, and Allatori Obfuscator.

The malware was in many cases delivered via emails containing specially crafted documents or links pointing to malicious websites.

As for phishing attacks, experts have observed both political and non-political campaigns. The threat group sometimes targeted regular email accounts, such as Gmail, while in other cases they set up phishing pages designed to mimic government portals.


Most of the evidence, although in many cases circumstantial, suggests that the attackers — who at one point during the investigation started communicating with the researchers, making threats in an effort to convince them to back off — are sponsored by one or more nation states.

This hypothesis is based on the nature of the targets, the politically-themed disinformation campaigns, the high financial costs of maintaining the attack infrastructure, and the fact that they haven’t shut down their servers after being exposed, which suggests that they are not afraid of authorities. If this theory is correct, the attackers could work for a single intelligence or security service, or they could be mercenaries working for one or multiple governments.

On the other hand, it’s also possible that Packrat is a criminal group or an entity with political ambitions. This is largely based on the fact that the threat actor hasn’t used any technically sophisticated tools or ones known to be leveraged by governments for espionage (e.g. FinFisher, Hacking Team products). However, the use of less sophisticated methods and tools by APT actors is not unheard of, particularly in the Middle East.

“Packrat highlights the extent to which multi-year campaigns can be run using limited technical sophistication, and a lot of creativity. From a technical perspective, they rely almost entirely on off-the-shelf RATs and packers to evade antivirus detection. Where they excel is in the time and effort spent to create detailed and moderately convincing fake organizations to seed their malware,” Citizen Lab explained in its report.

“Their persistence, and their willingness to keep using domains even after they are exposed suggests that exposure of their infrastructure is not an existential threat. Their threats and taunts are similarly brazen. This strongly suggests, but does not prove, that Packrat operates with a perception of safety,” experts noted.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.