New Malware Campaign Targeting Spanish Language Victims
ID: d4244693-54a0-5ea9-930a-fc270ffe040c
STIX ID: report--d4244693-54a0-5ea9-930a-fc270ffe040c
Feed Name: Cofense Blog
Cofense identified Poco RAT, a Delphi-based Remote Access Trojan active since early 2024 targeting Spanish-language victims—primarily in the Mining sector—via phishing emails that deliver Google Drive-hosted 7zip archives. The malware establishes persistence (registry), injects into grpconv.exe, contacts C2 at 94.131.119.126 (ports 6541–6543) with geo-based responses favoring Latin America, includes anti-analysis features and rich EXIF metadata, and can download and execute additional payloads, making it a capable delivery mechanism for other malware.
