Phishing Campaign Using SVG Smuggling to Deliver AsyncRAT via Fake Colombian Judicial Notifications
A sophisticated phishing campaign has been identified targeting users in Colombia by impersonating official judicial notifications from the 17th Municipal Civil Court of the Bogotá Circuit. The attackers crafted emails in Spanish, leveraging local institutional details to increase the credibility of the lure. The phishing emails claim to contain a lawsuit notification and prompt recipients to open an attached SVG file. This SVG file is weaponized to initiate a multi-stage infection chain. Upon opening, the SVG file triggers the execution of a malicious HTA (HTML Application) file, which is a common technique for bypassing traditional email security filters. The HTA file then executes a VBS (Visual Basic Script) file, which in turn runs a PowerShell script. This PowerShell script acts as a downloader and loader, ultimately injecting the AsyncRAT remote access trojan into a legitimate Windows process to evade detection. AsyncRAT is a well-known remote access tool that allows attackers to gain persistent control over infected systems, exfiltrate data, and potentially deploy additional payloads. The campaign employs anti-virtual machine techniques to avoid analysis and uses persistence mechanisms to maintain access on compromised hosts. Security researchers have observed that the use of SVG files for initial infection is increasing, as these files can bypass some security controls due to their perceived harmlessness. The campaign demonstrates a high level of technical sophistication, chaining multiple scripting languages and file types to obfuscate the attack and evade endpoint detection. The malicious files have been identified and their MD5 hashes documented for threat intelligence sharing. Detection signatures have been updated by security vendors such as Quick Heal and Seqrite to identify and block the components of this attack. The campaign is notable for its targeted approach, focusing on Colombian users and leveraging local judicial terminology to increase the likelihood of success. The use of AsyncRAT as the final payload provides attackers with extensive capabilities for surveillance, data theft, and further lateral movement within affected organizations. Security teams are advised to educate users about the risks of opening unexpected attachments, especially those purporting to be from legal or government institutions. Organizations should also ensure that email security solutions are updated to detect SVG-based threats and that endpoint protection is capable of identifying the multi-stage infection chain. The incident highlights the evolving tactics of threat actors in using file formats and social engineering tailored to specific regions and institutions.
Sources
Related Stories
Multiple RAT Delivery Campaigns Using Phishing and Trojanized Software
Security researchers reported several unrelated **remote access trojan (RAT)** delivery campaigns using different initial access vectors and lures. Seqrite Labs described “**Operation Covert Access**,” a spear‑phishing operation targeting Argentina’s judiciary with a ZIP attachment containing a convincing court-resolution decoy; execution is triggered by a malicious `LNK` masquerading as a PDF, which launches hidden PowerShell to fetch additional stages from a GitHub repository, culminating in a custom **Rust-based RAT** that attempts to blend in by renaming itself (e.g., `msedge_proxy.exe`). Separately, AhnLab Security Intelligence Center reported South Korea-focused activity distributing **RemcosRAT** through illegal online gambling-related tools and trojanized *VeraCrypt* installers, using embedded malicious VBS scripts and a multi-stage chain that ultimately deploys a RAT capable of surveillance and data theft (e.g., keylogging, screenshot/webcam/mic capture, credential/data harvesting). Another campaign documented by ReliaQuest abused **LinkedIn private messages** to deliver a bundled legitimate application alongside a malicious DLL for **DLL sideloading**, enabling RAT deployment under the guise of a trusted process; the reporting emphasized that social platforms can serve as effective phishing channels beyond email and that the technique is portable to other commonly used business messaging platforms.
1 months agoBlindEagle Phishing Campaign Targets Colombian Government Agencies
BlindEagle, a South American threat group, orchestrated a sophisticated phishing campaign targeting Colombian government agencies, specifically those under the Ministry of Commerce, Industry and Tourism (MCIT). The attackers leveraged compromised internal email accounts to send convincing phishing emails that impersonated the Colombian judicial system, using legal terminology and official formatting to increase credibility and urgency. The emails contained SVG attachments with encoded HTML, leading recipients to a fraudulent web portal designed to mimic the legitimate judicial branch. The attack chain was highly complex and file-less, involving multiple stages of JavaScript execution and PowerShell commands, with each stage using advanced obfuscation techniques such as Base64 and custom algorithms to evade detection. Zscaler analysts identified that the campaign represented a significant escalation in BlindEagle's tactics, moving beyond basic malware to a multi-stage, stealthy infection process that exploited trust relationships within the targeted organizations. The campaign highlights the evolving threat posed by BlindEagle to government entities in Colombia.
2 months agoEmail and typosquatting campaigns delivering RAT malware via trojanized installers and malicious JPEG payloads
Multiple active malware delivery campaigns are using social engineering and trusted-looking artifacts to install **remote access trojans (RATs)**. One campaign impersonates the popular Chinese antivirus *Huorong Security* via a typosquatted domain `huoronga[.]com`, routing downloads through an intermediary domain and serving a trojanized NSIS installer from Cloudflare R2; the payload is **ValleyRAT**, described as built on the **Winos4.0** framework and attributed to the Chinese-speaking **Silver Fox** threat group. The infection chain is designed to look legitimate end-to-end (convincing website, normal installer UX) while deploying a full-featured backdoor with stealth and injection capabilities. Separately, email-borne campaigns are abusing attachments and “benign” file types to smuggle malware. Fortinet-reported activity uses phishing lures (e.g., payment or bank-document themes) with Excel attachments exploiting `CVE-2018-0802` to launch scripts that download a JPEG containing embedded **XWorm 7.2**, then uses **process hollowing** (e.g., into `Msbuild.exe`) and connects to a C2 at `berlin101.com` over port `6000` with AES encryption. SANS ISC also documented a similar “malicious JPEG” technique observed in the wild, where a large, heavily obfuscated JScript attachment (delivered in a GZIP wrapper) attempts persistence by copying itself to the Startup folder and participates in a chain that ultimately leverages payloads embedded in JPEGs; the message spoofing failed DMARC/SPF checks, which would likely lead to quarantine in many environments.
3 weeks ago