{"id":11427,"date":"2026-03-18T10:03:40","date_gmt":"2026-03-18T10:03:40","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/18\/attackers-abuse-court-documents-github-payloads-to-infect-judicial-targets-with-covert-rat\/"},"modified":"2026-03-18T10:03:40","modified_gmt":"2026-03-18T10:03:40","slug":"attackers-abuse-court-documents-github-payloads-to-infect-judicial-targets-with-covert-rat","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/18\/attackers-abuse-court-documents-github-payloads-to-infect-judicial-targets-with-covert-rat\/","title":{"rendered":"Attackers Abuse Court Documents, GitHub Payloads to Infect Judicial Targets With COVERT RAT"},"content":{"rendered":"

Attackers Abuse Court Documents, GitHub Payloads to Infect Judicial Targets With COVERT RAT
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A new wave of targeted attacks is quietly hitting Argentina\u2019s judicial system, using fake court documents to lure legal professionals into installing a dangerous piece of malware. <\/p>\n

The campaign, formally called Operation Covert Access, deploys a Rust-built Remote Access Trojan known as COVERT RAT via spear-phishing emails that closely mimic genuine federal court communications. <\/p>\n

Once inside a system, the threat gives attackers persistent control over the infected machine and everything stored on it.<\/p>\n

The operation takes direct aim at Argentina\u2019s legal ecosystem \u2014 federal courts, law practitioners, government justice agencies, academic institutions, and advocacy organizations. <\/p>\n

Attackers constructed phishing emails around real Argentine federal court rulings covering preventive detention reviews, knowing that judicial professionals would not question the legitimacy of such documents. <\/p>\n

That careful choice of subject matter is precisely what makes this campaign so effective \u2014 it exploits trust in the legal process rather than relying on curiosity or fear alone.<\/p>\n

Point Wild analysts identified and investigated the operation<\/a>, building on foundational research published by Seqrite. <\/p>\n

Their work provided an in-depth breakdown of the PowerShell execution flow, payload retrieval techniques, and the masquerading methods attackers used throughout each stage. <\/p>\n

The analysis confirmed that this is not a simple one-step attack but a layered intrusion effort crafted to remain unnoticed inside institutional networks for as long as possible.<\/p>\n

The threat goes far beyond basic surveillance. COVERT RAT connects back to a command-and-control server<\/a> at 181.231.253.69:4444, from which attackers can issue encoded instructions covering everything from file theft to ransomware deployment. <\/p>\n

Its modular design supports credential harvesting, privilege escalation, encrypted file operations, and persistent re-access. <\/p>\n

What makes it particularly concerning is its built-in cleanup capability \u2014 when operators are finished, a single command erases every trace of the malware, making post-incident forensics significantly harder.<\/p>\n

\n
\"Execution
Execution flow (Source \u2013 Point Wild)<\/figcaption><\/figure>\n<\/div>\n

The delivery method behind this campaign is deliberately layered. A phishing email drops a ZIP archive containing three components: a Windows shortcut (LNK) file, a batch loader script, and a convincing judicial PDF decoy. <\/p>\n

When the target opens the shortcut, the malicious script runs quietly in the background while the decoy PDF opens normally in the foreground. <\/p>\n

The final payload then hides itself as\u00a0msedge_proxy.exe<\/code>\u00a0within Microsoft Edge\u2019s user data<\/a> folder \u2014 a calculated move to blend in with trusted system processes.<\/p>\n

Multi-Stage Infection Mechanism<\/strong><\/h2>\n

When the recipient opens the shortcut file, named\u00a0juicio-grunt-posting.pdf.lnk<\/code>\u00a0and dressed up with a PDF icon, it silently invokes PowerShell with the execution policy disabled and hidden mode enabled. <\/p>\n

\n
\"Zip
Zip contains LNK, PDF and BAT files (Source \u2013 Point Wild)<\/figcaption><\/figure>\n<\/div>\n

This immediately triggers the batch loader,\u00a0health-check.bat<\/code>, which reaches out to a GitHub-hosted repository and downloads the RAT payload. <\/p>\n

\n
\".bat
.bat file download payload file (Source \u2013 Point Wild)<\/figcaption><\/figure>\n<\/div>\n

Using GitHub as a delivery channel adds perceived legitimacy, since traffic to the platform rarely triggers network-level alerts.<\/p>\n

Once downloaded, the payload executes through PowerShell\u2019s\u00a0Start-Process<\/code>\u00a0command and stores itself as\u00a0msedge_proxy.exe<\/code>.<\/p>\n

\n
\"Dropped
Dropped msedge_proxy.exe file (Source \u2013 Point Wild) <\/figcaption><\/figure>\n<\/div>\n

The malware then runs environment checks \u2014 querying the system manufacturer through WMIC, scanning the tasklist for tools like Wireshark, OllyDbg, and x64dbg, and examining registry paths linked to VMware, VirtualBox, and Hyper-V. <\/p>\n

It also inspects the Process Environment Block (PEB) for active debuggers and measures timing behavior using\u00a0QueryPerformanceFrequency<\/code>\u00a0to catch emulated environments. <\/p>\n

Only when every check passes does the RAT proceed to beacon its C2 server and await operator commands.<\/p>\n

Security teams and individuals working within judicial or legal environments should act on the following:<\/p>\n