Execution flow | Image: Lat61 Threat Intelligence Team
A highly sophisticated, multi-stage cyber infection chain has been uncovered targeting the heart of Argentina's legal infrastructure. Analysts from the Lat61 Threat Intelligence Team have identified a campaign that combines precision spear-phishing with advanced evasion techniques to deploy a covert Remote Access Trojan (RAT) written in the Rust programming language.
The operation specifically targets federal courts, legal practitioners, and government agencies by exploiting trust in official communications.
The attack begins with carefully crafted spear-phishing emails containing a compressed ZIP archive. To ensure a high success rate, the threat actors use legitimate Argentine federal court rulings, specifically those concerning preventive detention reviews, as lures.
Inside the archive, the victim finds what appears to be a standard PDF document. However, the “document” is actually a weaponized LNK shortcut disguised with a PDF icon.
“The campaign demonstrates notable sophistication, combining spear-phishing tactics with authentic-looking judicial content”.
When the user clicks the file, a dual-action execution occurs: a legitimate-looking judicial PDF decoy opens in the foreground to keep the user unsuspecting, while a malicious BAT-based loader script quietly triggers the infection chain in the background.
The malware is designed with a “stealth-first” philosophy. The loader invokes PowerShell with the -ep bypass and -w hidden flags to circumvent security policies and remain invisible to the user.
Once the final payload, health-check.exe, is downloaded from a GitHub-hosted resource, it masquerades as msedge_proxy.exe within the Microsoft Edge user data directory to blend into the system environment.
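Two of the observables above (PowerShell started with an execution-policy bypass and a hidden window, and a binary named msedge_proxy.exe running from Edge's User Data directory rather than its Application directory) can be turned into process-creation detections. The following is an added example, not Lat61's code; the events are constructed Sysmon-style records, and the Application-directory location of the genuine msedge_proxy.exe is an assumption based on a standard Edge install.

```python
import re
from pathlib import PureWindowsPath

# PowerShell accepts any unique parameter prefix, so the loader's "-ep" and
# "-w" must match alongside "-ExecutionPolicy" and "-WindowStyle".
BYPASS_RE = re.compile(r"(?:^|\s)-(?:ep|exec\w*)\s+bypass\b", re.I)
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:in\w*)?\s+hidden\b", re.I)
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}


def hidden_bypass_powershell(event):
    """True when a PowerShell host starts with both -ep bypass and -w hidden."""
    image = PureWindowsPath(event["Image"]).name.lower()
    cmd = event.get("CommandLine", "")
    return image in POWERSHELL_HOSTS and bool(BYPASS_RE.search(cmd)) \
        and bool(HIDDEN_RE.search(cmd))


def masquerading_edge_proxy(event):
    """True when msedge_proxy.exe runs from under ...\\Microsoft\\Edge\\User Data\\.
    Assumption: the real binary lives under ...\\Microsoft\\Edge\\Application\\<ver>\\."""
    path = PureWindowsPath(event["Image"])
    if path.name.lower() != "msedge_proxy.exe":
        return False
    parts = [p.lower() for p in path.parts]
    return any(parts[i:i + 3] == ["microsoft", "edge", "user data"]
               for i in range(len(parts) - 2))


RULES = {"hidden_bypass_powershell": hidden_bypass_powershell,
         "masquerading_edge_proxy": masquerading_edge_proxy}


def analyze(events):
    """Return (rule_name, image) for every event a rule fires on."""
    return [(name, ev["Image"]) for ev in events
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry: two matching the write-up, two benign look-alikes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell.exe -ep bypass -w hidden -c "<loader stage>"'},
    {"Image": r"C:\Users\jdoe\AppData\Local\Microsoft\Edge\User Data\msedge_proxy.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "msedge_proxy.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File backup.ps1"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\120.0.0.0\msedge_proxy.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge_proxy.exe --app-id=example"},
]
```

Running analyze(SAMPLE_EVENTS) flags only the first two events; the RemoteSigned invocation and the Application-directory msedge_proxy.exe are left alone.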
The sophistication of this RAT is most evident in its anti-analysis routines. Before fully activating, the malware performs several checks:
- Virtualization Detection: It queries registry keys and scans for files associated with VMware, VirtualBox, and Hyper-V.
- Process Scanning: It checks the system’s tasklist for monitoring tools like Wireshark, OllyDbg, and Process Monitor.
- Debugger Checks: It utilizes the IsDebuggerPresent flag and performs timing tests to detect breakpoint delays or emulators.
“The executable exhibits extensive anti-VM, anti-sandbox, and anti-debugging techniques, terminating its execution immediately if it detects artifacts associated with analysis environments”.
Once the RAT confirms it is running on a genuine host, it establishes a resilient Command-and-Control (C2) channel with fallback support for both IPv4 and IPv6. The Trojan features a modular architecture, allowing attackers to dynamically load and execute Base64-encoded commands.
| C2 Command | Action Description |
|---|---|
| PERSIST | Establish persistence mechanisms (e.g., task scheduler, startup entries) |
| PERSIST_REMOVE | Eliminate existing persistence methods |
| BEACON | Send a heartbeat or re-beacon signal to the C2 server |
| DOWNLOAD | Retrieve a file from the C2 server to the host |
| UPLOAD | Transfer a file from the host back to the C2 server |
| HARVEST | Collect and exfiltrate data from the victim system |
| ENCRYPT | Apply encryption to specified files |
| DECRYPT | Restore encrypted files to their original state |
| ELEVATE | Attempt to gain higher privilege levels on the system |
The team’s analysis highlights that despite its name, the DOWNLOAD command actually functions as a file-stealing mechanism to exfiltrate data back to the attacker.
The primary objective of this campaign appears to be long-term infiltration and the harvesting of sensitive institutional and legal data.