Phishing Campaign Using SVG Smuggling to Deliver AsyncRAT via Fake Colombian Judicial Notifications

A sophisticated phishing campaign has been identified targeting users in Colombia by impersonating official judicial notifications from the 17th Municipal Civil Court of the Bogotá Circuit. The attackers crafted emails in Spanish, leveraging local institutional details to increase the credibility of the lure. The phishing emails claim to contain a lawsuit notification and prompt recipients to open an attached SVG file. This SVG file is weaponized to initiate a multi-stage infection chain. Upon opening, the SVG file triggers the execution of a malicious HTA (HTML Application) file, which is a common technique for bypassing traditional email security filters. The HTA file then executes a VBS (Visual Basic Script) file, which in turn runs a PowerShell script. This PowerShell script acts as a downloader and loader, ultimately injecting the AsyncRAT remote access trojan into a legitimate Windows process to evade detection. AsyncRAT is a well-known remote access tool that allows attackers to gain persistent control over infected systems, exfiltrate data, and potentially deploy additional payloads. The campaign employs anti-virtual machine techniques to avoid analysis and uses persistence mechanisms to maintain access on compromised hosts. Security researchers have observed that the use of SVG files for initial infection is increasing, as these files can bypass some security controls due to their perceived harmlessness. The campaign demonstrates a high level of technical sophistication, chaining multiple scripting languages and file types to obfuscate the attack and evade endpoint detection. The malicious files have been identified and their MD5 hashes documented for threat intelligence sharing. Detection signatures have been updated by security vendors such as Quick Heal and Seqrite to identify and block the components of this attack. The campaign is notable for its targeted approach, focusing on Colombian users and leveraging local judicial terminology to increase the likelihood of success. The use of AsyncRAT as the final payload provides attackers with extensive capabilities for surveillance, data theft, and further lateral movement within affected organizations. Security teams are advised to educate users about the risks of opening unexpected attachments, especially those purporting to be from legal or government institutions. Organizations should also ensure that email security solutions are updated to detect SVG-based threats and that endpoint protection is capable of identifying the multi-stage infection chain. The incident highlights the evolving tactics of threat actors in using file formats and social engineering tailored to specific regions and institutions.