
In early May 2025, IBM X-Force researchers observed an active phishing campaign targeting Colombian users with fake legal notices. The campaign, attributed to the financially motivated threat actor Hive0131, delivers the DCRat remote access trojan (RAT) via cleverly disguised emails impersonating the Civil Circuit of Bogotá Judiciary.
“Hive0131 is a financially motivated group likely originating from South America that routinely conducts campaigns largely in Latin America (LATAM) to deliver a wide array of commodity payloads,” IBM reported.
The attack begins with phishing emails disguised as electronic notifications of criminal proceedings. Two infection vectors were identified:
- A PDF lure containing a TinyURL that redirects to a ZIP archive.
- A Google Docs link leading to a password-protected ZIP archive.
Both chains ultimately load DCRat in memory rather than writing the final payload to disk, which helps it evade file-based antivirus scanning.

“The ZIP archive contains benign files as well as a malicious JavaScript file… that downloads a JavaScript payload from a paste[.]ee site and executes it,” the report explains.
One of the key components in this campaign is VMDetectLoader, an obfuscated .NET-based loader responsible for unpacking and executing DCRat. According to IBM, “VMDetectLoader… has the ability to determine if it’s running in a sandbox environment.”
This custom loader is based on the open-source VMDetector project, designed to avoid execution on virtual machines commonly used by security researchers.
“It prints a list of host attributes to the console if a VM is detected,” including BIOS, motherboard, disk drive, and Windows service indicators.
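The following is an added example, not code from IBM X-Force or from the VMDetector project, showing the kind of check a loader like this performs against the four data sources the report names (BIOS, motherboard, disk drive, Windows services). The marker strings, the host profiles and the function names are assumptions; the report does not publish the loader's actual strings. The practical point for a sandbox operator is the third profile: the same VM with those attributes spoofed produces no hits.

```python
"""VMDetector-style sandbox fingerprinting, reconstructed as an added example.

Not IBM X-Force's or the VMDetector project's code. Indicator strings are
assumptions based on commonly used hypervisor artefacts; host profiles are
constructed, not real telemetry.
"""

# Substrings that typically reveal a hypervisor in each data source (assumed list).
VM_MARKERS = {
    "bios": ["vbox", "virtualbox", "vmware", "qemu", "bochs", "xen", "hyper-v", "virtual"],
    "baseboard": ["oracle corporation", "vmware", "virtual machine", "qemu", "xen"],
    "disk": ["vbox harddisk", "vmware virtual", "qemu harddisk", "virtual hd", "virtio"],
    "services": ["vboxservice", "vboxtray", "vmtools", "vmware tools", "vmmouse",
                 "vmhgfs", "vmvss", "qemu-ga", "xensvc"],
}


def vm_indicators(host):
    """Return (source, value, marker) triples for every attribute that looks like a VM.

    `host` maps each data source to a string or a list of strings, e.g. the
    BIOS version string, the baseboard manufacturer/product, disk model names
    and installed service names. One hit is recorded per matching value.
    """
    hits = []
    for source, markers in VM_MARKERS.items():
        values = host.get(source, [])
        if isinstance(values, str):
            values = [values]
        for value in values:
            low = value.lower()
            for marker in markers:
                if marker in low:
                    hits.append((source, value, marker))
                    break  # one hit per value is enough
    return hits


def should_run(host):
    """Mimic the loader's decision: print the offending attributes and refuse to run on a VM."""
    hits = vm_indicators(host)
    for source, value, marker in hits:
        print(f"[VM] {source}: {value!r} matched {marker!r}")
    return not hits


# Constructed host profiles (assumed values, not captured from real machines).
VIRTUALBOX_SANDBOX = {
    "bios": "innotek GmbH VirtualBox",
    "baseboard": "Oracle Corporation VirtualBox",
    "disk": ["VBOX HARDDISK"],
    "services": ["VBoxService", "VBoxTray", "Dnscache"],
}
PHYSICAL_HOST = {
    "bios": "Dell Inc. 1.14.0",
    "baseboard": "Dell Inc. 0MY3WT",
    "disk": ["NVMe Samsung SSD 980"],
    "services": ["Dnscache", "WinDefend"],
}
# Same VirtualBox guest after the operator spoofs DMI strings, disk model and
# renames the guest-additions services: the loader would proceed and detonate.
HARDENED_SANDBOX = {
    "bios": "Dell Inc. 1.14.0",
    "baseboard": "Dell Inc. 0MY3WT",
    "disk": ["ST1000DM010-2EP102"],
    "services": ["Dnscache", "WinDefend", "GuestSvc"],
}

if __name__ == "__main__":
    for name, host in [("VirtualBox sandbox", VIRTUALBOX_SANDBOX),
                       ("physical host", PHYSICAL_HOST),
                       ("hardened sandbox", HARDENED_SANDBOX)]:
        print(f"{name}: payload would run = {should_run(host)}")
```

Substring matching is deliberately loose, as such loaders tend to be; a sandbox that only randomises its MAC address or hostname will still be caught by the BIOS and service names above.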
DCRat (short for Dark Crystal RAT) is a Malware-as-a-Service platform sold on underground forums for as little as $7 per two-month subscription. Though budget-friendly, it packs advanced capabilities:
- Bypasses AMSI (Antimalware Scan Interface)
- Records audio and video
- Downloads and executes commands
- Modifies registry keys
- Steals clipboard and keystroke data
- Encrypts files
- Maintains persistence via scheduled tasks or registry keys
IBM X-Force highlighted that: “DCRat’s presence is widespread and has become increasingly popular in LATAM since at least 2024.”
VMDetectLoader employs process hollowing, injecting DCRat into a legitimate Windows process such as MSBuild.exe from the .NET Framework. Because the host process is a signed Microsoft binary that is expected on many systems, the injected payload blends in with normal system activity.
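The execution chain described above (a JavaScript dropper in the ZIP fetching its next stage from paste[.]ee, then DCRat hollowed into MSBuild.exe) leaves a recognisable trail in endpoint telemetry. The block below is an added example, not IBM X-Force's detection content, that runs four simple rules over constructed Sysmon-style events (process creation, DNS query, network connection). The field names, the file names in the sample events, the baseline of expected MSBuild parents and the alert names are all assumptions.

```python
"""Hunt rules for the DCRat/VMDetectLoader chain over constructed endpoint events.

Added example, not code from IBM X-Force. Event shape is a simplified
Sysmon-like record; all sample events, paths and thresholds are constructed.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\desktop\\")
PASTE_SITES = {"paste.ee"}          # staging site named in the report
HOLLOWING_TARGETS = {"msbuild.exe"}  # process the loader hollows
# Assumed baseline of parents that legitimately start MSBuild on a workstation.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "cmd.exe"}
PROJECT_EXTS = (".csproj", ".vbproj", ".proj", ".sln")
JS_ARG = re.compile(r'\.jse?"?(\s|$)')  # a .js/.jse argument at a token boundary


def base(image):
    """Lower-cased file name of a Windows path (works on non-Windows hosts too)."""
    return ntpath.basename(image or "").lower()


def analyse(events):
    """Return (rule, pid, detail) alerts for events matching the chain's stages."""
    alerts = []
    for ev in events:
        kind = ev["event"]
        img = base(ev.get("image"))
        if kind == "process_create":
            cmd = ev.get("cmdline", "").lower()
            parent = base(ev.get("parent_image"))
            # Stage 1: a script host running a .js from a user-writable path (the ZIP dropper).
            if img in SCRIPT_HOSTS and JS_ARG.search(cmd) and any(p in cmd for p in USER_WRITABLE):
                alerts.append(("JS_DROPPER", ev["pid"], cmd))
            # Stage 3: MSBuild started by an unexpected parent or with no project file,
            # i.e. a build tool that has nothing to build: the hollowing host.
            if img in HOLLOWING_TARGETS:
                has_project = any(tok.strip('"').endswith(PROJECT_EXTS) for tok in cmd.split())
                if parent not in EXPECTED_MSBUILD_PARENTS or not has_project:
                    alerts.append(("MSBUILD_ANOMALY", ev["pid"], f"parent={parent} cmd={cmd}"))
        elif kind == "dns_query":
            # Stage 2: the first-stage JavaScript resolving the paste site to fetch its payload.
            if img in SCRIPT_HOSTS and ev.get("query", "").lower() in PASTE_SITES:
                alerts.append(("PASTE_SITE_FETCH", ev["pid"], ev["query"]))
        elif kind == "network_connect":
            # A hollowed MSBuild talking to the outside is the RAT reaching its C2.
            if img in HOLLOWING_TARGETS:
                alerts.append(("MSBUILD_NETWORK", ev["pid"], f"{ev['dest_ip']}:{ev['dest_port']}"))
    return alerts


# Constructed sample telemetry (file names, PIDs and addresses are made up).
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
VS_MSBUILD = r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"
DEVENV = r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"
EVENTS = [
    {"event": "process_create", "pid": 4120, "image": WSCRIPT,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{WSCRIPT}" "C:\\Users\\ana\\AppData\\Local\\Temp\\Temp1_notificacion.zip\\citacion.js"'},
    {"event": "dns_query", "pid": 4120, "image": WSCRIPT, "query": "paste.ee"},
    {"event": "process_create", "pid": 4388, "image": MSBUILD,
     "parent_image": WSCRIPT, "cmdline": f'"{MSBUILD}"'},
    {"event": "network_connect", "pid": 4388, "image": MSBUILD,
     "dest_ip": "203.0.113.10", "dest_port": 443},
    # Benign developer build for contrast: expected parent and a real project file.
    {"event": "process_create", "pid": 5200, "image": VS_MSBUILD,
     "parent_image": DEVENV, "cmdline": f'"{VS_MSBUILD}" C:\\src\\app\\app.csproj /t:Build'},
]

if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:18} pid={pid} {detail}")
```

The MSBuild rules will fire on developer machines running builds from shells or CI agents not in the baseline set, so tune `EXPECTED_MSBUILD_PARENTS` to the environment before deploying; the script-host and paste-site rules carry far less noise on a typical office fleet.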
“The function responsible for process injection is named HackForums.gigajew.x64.Load() for 64-bit samples,” the report reveals.
Though Hive0131 is generally linked to malware families like NjRAT and QuasarRAT, IBM notes that this campaign's use of DCRat reflects the RAT's growing adoption in the region. The group joins other LATAM-focused actors such as:
- Hive0148 & Hive0149: Distributors of the Grandoreiro banking trojan
- Hive0153: Known for delivering Adwind and SambaSpy
“IBM X-Force assesses that Latin America will continue to face targeting from threat actors seeking to deploy banking trojans via phishing campaigns,” the report concludes.