Threat Actor Profile
High APT
Description

Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. (Citation: Lookout Dark Caracal Jan 2018)

Confidence Score
90%
Known Aliases
Dark Caracal
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (12)
T1005 - Data from Local System (Collection)
T1113 - Screen Capture (Collection)
T1071.001 - Web Protocols (Command and Control)
T1027.002 - Software Packing (Defense Evasion)
T1027.013 - Encrypted/Encoded File (Defense Evasion)
T1218.001 - Compiled HTML File (Defense Evasion)
T1083 - File and Directory Discovery (Discovery)
T1059.003 - Windows Command Shell (Execution)
T1204.002 - Malicious File (Execution)
T1189 - Drive-by Compromise (Initial Access)
T1566.003 - Spearphishing via Service (Initial Access)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
STIX Data
{'aliases': ['Dark Caracal'],
 'created': '2018-10-17T00:14:20.652Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Dark Caracal](https://attack.mitre.org/groups/G0070) is '
                'threat group that has been attributed to the Lebanese General '
                'Directorate of General Security (GDGS) and has operated since '
                'at least 2012. (Citation: Lookout Dark Caracal Jan 2018)',
 'external_references': [{'external_id': 'G0070',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0070'},
                         {'description': '(Citation: Lookout Dark Caracal Jan '
                                         '2018)',
                          'source_name': 'Dark Caracal'},
                         {'description': 'Blaich, A., et al. (2018, January '
                                         '18). Dark Caracal: Cyber-espionage '
                                         'at a Global Scale. Retrieved April '
                                         '11, 2018.',
                          'source_name': 'Lookout Dark Caracal Jan 2018',
                          'url': 'https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf'}],
 'id': 'intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12',
 'modified': '2024-04-11T02:42:07.325Z',
 'name': 'Dark Caracal',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack', 'mobile-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.4'}