This repository contains a JADX decompilation of the CrossRAT jar file that is used by the threat group Dark Caracal, to infect Windows, macOS and Linux users. Initial decompilation was conducted on a Ubuntu 22.04 machine using the Jadx-GUI tool.
Dark Caracal designated as G0070 by Mitre, is a threat group that has been attributed to a Lebanese intelligence agency. Dark Caracal uses this custom made RAT written in Java for attacking its victims typically through having the user run a malicious document file. Dark Caracal also has conducted a large Android malware campaign by using a suite a trojanized applications, this malware is known as Pallas.
The repository serves as repo for analyzing the CrossRAT jar based on previous analysis listed below.
TODO once more analysis is done.
For CrossRAT samples and in depth analysis check out: JAMF Blog: Analyzing CrossRAT
To download a version of Jadx check out: skylot/jadx
For more information on the Dark Caracal group check out: Dark Caracal, Cyber-Espionage at a Global Scale
This repository contains code that if compiled could be malicious. Although some sanitization has been done (such as modifying C2 url's), proceed with caution when working and compiling the source files.