
    Hackers use authentic legal notifications as powerful tools to spread info-stealing malware

    A new phishing campaign has emerged in Latin America, using highly convincing Spanish‑language judicial notifications to distribute the AsyncRAT remote access trojan.

    Security researchers report that hackers are increasingly hiding their payloads inside SVG (Scalable Vector Graphics) image files. This unconventional yet effective method allows malicious scripts to slip past traditional email gateways and antivirus detection.

    The attack specifically targets users in Colombia, exploiting citizens’ trust in government communications and judicial institutions to launch an elaborate, staged infection process.

    The campaign begins with a deceptive email disguised as a legitimate message from “Juzgado 17 Civil Municipal del Circuito de Bogotá”, or the 17th Municipal Civil Court of Bogotá. Bogotá, being Colombia’s capital and home to core government operations, provides strong credibility for the lure.

    The email, titled “Demanda judicial en su contra – Juzgado 17 Civil Municipal” (“Lawsuit filed against you – 17th Civil Court”), carries a file named “Fiscalia General De La Nacion Juzgado Civil 17.svg” as an attachment.

    Infection Chain of the Campaign

    The body text mimics the official tone of a judicial notice, claiming that a lawsuit has been filed and instructing the recipient to review the attached legal documents.

    Once opened, the SVG file loads a malicious JavaScript routine through an onclick event tied to a function named openDocument().

    This function decodes a base64‑encoded segment that produces a fake Attorney General’s Office webpage, which urges the victim to download an “official document.”

    When the user clicks the link, an HTML Application (HTA) file named DOCUMENTO_OFICIAL_JUZGADO.HTA is retrieved from an attacker‑controlled server and executed locally. This marks the first stage of the multi‑tier payload chain.
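To show what a mail gateway or analyst could look for in the SVG stage described above, here is an added detection example (not code from the original article or from the researchers): it parses an SVG, flags script elements and on* event handlers such as the onclick tied to openDocument(), and decodes long base64 runs to see whether they contain an HTML page or references to .HTA and similar payload types. The sample SVG, the domain and the page contents are constructed placeholders, not indicators from the campaign.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the lure: an onclick handler on a visible
# element, a script element, and a base64 blob that decodes to an HTML page
# linking an .HTA file. Domain and page are placeholders, not real IoCs.
_FAKE_PAGE = ("<html><body><a href='http://attacker.example/"
              "DOCUMENTO_OFICIAL_JUZGADO.HTA'>Descargar</a></body></html>")
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="400" height="200">
  <rect width="400" height="200" fill="#eee" onclick="openDocument()"/>
  <text x="20" y="100">Abrir documento oficial</text>
  <script type="text/javascript"><![CDATA[
    function openDocument() {{
      var p = "{base64.b64encode(_FAKE_PAGE.encode()).decode()}";
      document.write(atob(p));
    }}
  ]]></script>
</svg>"""

SVG_NS = "{http://www.w3.org/2000/svg}"
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long base64-looking runs
SUSPICIOUS_EXT = (".hta", ".vbs", ".ps1", ".exe", ".js")

def scan_svg(svg_text):
    """Return a list of findings explaining why the SVG looks like a lure."""
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = el.tag.replace(SVG_NS, "")
        if tag == "script":
            findings.append("script element present")
        for attr in el.attrib:
            if attr.lower().startswith("on"):       # onclick, onload, ...
                findings.append(f"event handler {attr} on <{tag}>")
    # Decode every long base64 run and inspect what it hides.
    for blob in B64_RE.findall(svg_text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:
            continue
        if "<html" in decoded.lower():
            findings.append("base64 blob decodes to HTML")
        for ext in SUSPICIOUS_EXT:
            if ext in decoded.lower():
                findings.append(f"decoded blob references {ext} file")
    return findings

if __name__ == "__main__":
    for finding in scan_svg(SAMPLE_SVG):
        print("ALERT:", finding)
```

A clean SVG (shapes and text only, no script, no handlers, no long base64 runs) yields an empty list, so the function can gate attachments before they reach a mailbox.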

    The HTA file is wrapped in layers of obfuscation, padded with long strings of random text to hinder analysis, and includes a base64 blob that extracts actualiza.vbs, a Visual Basic script.

    This VBS script executes a PowerShell downloader, veooZ.ps1, which connects to a dpaste.com URL to fetch a further encoded payload, Ysemg.txt. After cleaning and decoding this text, the script generates a .NET assembly named classlibrary3.dll, which acts as a loader.

    Its job is to fetch two additional modules, an injector and the final AsyncRAT binary, and inject the RAT directly into MSBuild.exe, a trusted Microsoft process, aiding stealth and persistence.

    Researchers observed anti‑analysis countermeasures embedded within the loader, including VirtualBox and VMware process checks, XOR and bit‑shifting algorithms to decrypt strings, and behavior‑based logic that determines whether to establish persistence by adding registry Run entries or startup shortcuts.

    This design allows the malware to survive system reboots and maintain covert operations for extended periods.

    Upon execution, AsyncRAT grants remote control to the attacker, enabling keylogging, command execution, webcam access, and credential theft. It ensures persistence by creating scheduled tasks or registry entries based on privilege level and obfuscates communications via TLS‑encrypted MessagePack data exchanges with its command‑and‑control servers.

    Very Low Detection on the Attached .SVG File

    Researchers confirmed additional behaviors, such as terminating process monitoring tools like Taskmgr.exe and ProcessHacker.exe, employing anti‑VM detection, and using AMSI bypass routines to defeat script‑level scanning.

    Detection rates for malicious SVG attachments remain critically low across multiple security engines, making this campaign a powerful demonstration of how social engineering and fileless malware techniques converge.

    By embedding multi‑layered downloaders in seemingly innocuous vector graphics, threat actors have created an attack pathway that undermines traditional content filtering systems. This approach exploits the emotional response to urgent legal notifications, a timeless and effective social engineering tactic.
