Bandook RAT
Bandook RAT is a Windows remote access trojan reported as being used extensively by the Dark Caracal cyber-espionage campaign. In the reporting tracked here, Dark Caracal is described as a multi-platform, APT-level surveillance operation that has targeted individuals and institutions in more than 21 countries, including governments, militaries, utilities, financial institutions, manufacturing companies, and defense contractors. The campaign reportedly relies on social media, phishing, and in some cases physical access to compromise targets. The tracked sources do not provide a technical teardown of Bandook RAT itself; they establish only that the malware is part of Dark Caracal's Windows tooling.
Groups observed using it
1 distinct threat actor attributed by public researchers.
"Dark Caracal makes extensive use of Windows malware called Bandook RAT."
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Windows remote access trojan used by the Dark Caracal cyber-espionage campaign for surveillance and remote control of compromised hosts. The tracked sources provide no further technical details beyond its use by this actor.