Infection Chain of Campaign | Image: Seqrite
Seqrite Threat Research Labs has uncovered a targeted phishing campaign in Spanish designed to trick Colombian users with fake judicial notifications, using malicious SVG attachments to deploy AsyncRAT, a remote access Trojan capable of espionage and data theft.
According to the report, “There has been a significant increase in the use of SVG files in malware campaigns. These harmless-looking files can hide harmful scripts that hackers use to launch sneaky phishing attacks.”
The campaign impersonates Colombia’s judicial system, specifically referencing “Juzgado 17 Civil Municipal del Circuito de Bogotá” (17th Municipal Civil Court of Bogotá), to convince victims to open the attachment. Seqrite noted that “The campaign demonstrates the use of geographical and institutional details to make the phishing lure look more legitimate and trustworthy to the targeted victim.”
Victims receive an email purporting to be a lawsuit notification, written in formal Spanish legal language.
The attachment, “Fiscalia General De La Nacion Juzgado Civil 17.svg”, appears to be a harmless image but contains embedded JavaScript that initiates the malware chain. When opened, the SVG launches a fake Attorney General’s Office webpage that prompts the user to download an “official document.” Clicking the download button retrieves a malicious HTA file, continuing the infection chain.
Seqrite described the flow succinctly:
“The campaign leverages SVG, HTA, VBS, and Powershell stages to download and decode a loader, which finally injects AsyncRAT into a legitimate Windows process, evading detection.”
SVG Stage – The SVG file contains an embedded JavaScript function named openDocument(), which decodes Base64 data into a temporary HTML blob and opens it in a new browser tab. This initiates a fake document viewer mimicking the “Rama Judicial” portal, complete with a progress bar animation to simulate an official download.
HTA Stage – The HTML file forces a download of DOCUMENTO_OFICIAL_JUZGADO.HTA, which contains heavily obfuscated code and a large Base64 blob. This blob decodes into a Visual Basic dropper named actualiza.vbs.
VBS Stage – The script writes an encoded PowerShell downloader (veooZ.ps1) to disk. It uses obfuscation techniques like replacing characters (“9&” instead of “A”) to hinder detection.
PowerShell Stage – The PowerShell script connects to a dpaste domain to retrieve a text file named Ysemg.txt, which contains an encoded .NET DLL (ClassLibrary3.dll). This loader module is decoded, written to disk, and executed.
Injection Stage – The DLL loads an injector component and performs in-memory injection of AsyncRAT into MSBuild.exe, a trusted Windows process.
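The SVG and VBS stages above are the ones a defender can triage offline without detonating anything. The following Python script is an added example, not code from Seqrite's report or from the campaign: it parses an SVG, pulls out every `<script>` body and event-handler attribute, decodes long Base64 runs found in that active content, and reverses the kind of character substitution the report mentions ("9&" standing in for "A"). The sample SVG, the `SUSPICIOUS_APIS` list and the verdict rule are constructed for this example; only the "9&" mapping comes from the report.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Browser APIs that a static image has no reason to call. Constructed list;
# tune it to your own environment.
SUSPICIOUS_APIS = ("atob", "Blob", "createObjectURL", "window.open",
                   "document.write", "eval", "unescape")
# Long runs of Base64 alphabet characters, optionally padded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Payload file types worth flagging if they appear in decoded content.
DROPPER_EXTENSIONS = (".hta", ".vbs", ".ps1", ".exe")

# Constructed sample: the shape of the lure described in the report (an inline
# script that decodes Base64 into an HTML blob and opens it in a new tab), but
# the decoded content is just a harmless HTML fragment.
SAMPLE_HTML = "<p>Ver DOCUMENTO_OFICIAL_JUZGADO.HTA</p>"
SAMPLE_B64 = base64.b64encode(SAMPLE_HTML.encode("utf-8")).decode("ascii")
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="openDocument()">\n'
    '  <rect width="10" height="10"/>\n'
    '  <script type="text/javascript"><![CDATA[\n'
    '    function openDocument() {\n'
    '      var html = atob("' + SAMPLE_B64 + '");\n'
    '      var blob = new Blob([html], {type: "text/html"});\n'
    '      window.open(URL.createObjectURL(blob), "_blank");\n'
    '    }\n'
    '  ]]></script>\n'
    '</svg>\n'
)
# Constructed benign control: a plain vector image with no active content.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'


def extract_active_content(svg_text):
    """Return every <script> body, on* event-handler value and javascript: URL."""
    root = ET.fromstring(svg_text)
    found = []
    for el in root.iter():          # iter() includes the root <svg> element
        tag = el.tag.split("}")[-1]  # drop the namespace prefix
        if tag == "script" and el.text:
            found.append(el.text)    # CDATA sections land in .text as well
        for name, value in el.attrib.items():
            if name.lower().startswith("on") or value.strip().lower().startswith("javascript:"):
                found.append(value)
    return found


def decode_base64_runs(text):
    """Decode long Base64 runs in text, keeping only those that yield readable text."""
    decoded = []
    for match in B64_RUN.finditer(text):
        raw = match.group(0)
        try:
            data = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
            text_out = data.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text_out):
            decoded.append(text_out)
    return decoded


def undo_substitutions(text, substitutions):
    """Reverse simple token substitutions such as '9&' standing in for 'A'."""
    for token, original in substitutions.items():
        text = text.replace(token, original)
    return text


def triage_svg(svg_text):
    """Static triage of one SVG: active content, API calls and decoded payload hints."""
    active = extract_active_content(svg_text)
    joined = "\n".join(active)
    apis = sorted(api for api in SUSPICIOUS_APIS if api in joined)
    blobs = decode_base64_runs(joined)
    artifacts = sorted({ext for blob in blobs for ext in DROPPER_EXTENSIONS
                        if ext in blob.lower()})
    return {
        "has_active_content": bool(active),
        "suspicious_apis": apis,
        "decoded_blobs": blobs,
        "embedded_artifacts": artifacts,
        "verdict": "suspicious" if active and (apis or artifacts) else "benign",
    }


if __name__ == "__main__":
    for label, svg in (("sample lure", SAMPLE_SVG), ("benign control", BENIGN_SVG)):
        print(label, "->", triage_svg(svg))
    # The VBS stage's substitution trick: '9&' written wherever 'A' belongs.
    print(undo_substitutions("9&9&==", {"9&": "A"}))  # a valid Base64 string again
```

The verdict is deliberately conservative: an SVG with animation scripts can legitimately contain `<script>`, so the rule only fires when active content is paired with blob or download APIs, or with a decoded payload that references a dropper file type. Extend `DROPPER_EXTENSIONS` and the substitution map from your own samples rather than trusting the constructed defaults.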
The .NET loader incorporates multiple anti-analysis and anti-virtualization checks, terminating execution if VMware or VirtualBox processes are detected.
Persistence is achieved by the PowerShell script, which, depending on parameter flags, either adds a Run registry entry for the VBS file or drops a shortcut file in the Windows startup folder. Seqrite noted:
“The Powershell script adds the VBS file in run registry to maintain persistence. Similarly, it drops .lnk shortcut file in the startup folder.”
Once injected, AsyncRAT provides full remote access, capable of data theft, surveillance, and execution of arbitrary commands. Seqrite described AsyncRAT as “a remote access Trojan (RAT) written in C#. It provides typical RAT and data-stealing functions such as keystroke logging, executing or injecting additional payloads, and command-and-control.”
Among its advanced capabilities, AsyncRAT:
- Creates scheduled tasks for persistence if running with admin privileges.
- Stores autorun registry entries for non-admin users.
- Performs AMSI bypass and anti-debugging checks.
- Detects webcams for spying or surveillance.
- Kills monitoring tools such as Task Manager and Process Hacker.
- Gathers detailed system information (HWID, OS version, privileges, antivirus, etc.) and sends it to the attacker’s C2 via TLS-encrypted MessagePack objects.
This campaign’s focus on Spanish-language lures, Colombian judicial branding, and local institutional references suggests a regionally focused threat actor using social engineering and legal impersonation to enhance credibility.
Seqrite warns that SVG-based malware poses a rising threat vector:
“SVGs enable attackers to stay FUD (Fully Undetected), as many traditional security solutions do not check these files for malicious code.”