Between August and October 2025, a sophisticated phishing campaign has emerged targeting Colombian and Spanish-speaking users through deceptive emails masquerading as official communications from Colombia\u2019s Attorney General\u2019s office.<\/p>\n
The campaign employs a carefully crafted social engineering strategy, luring victims with notifications about supposed lawsuits processed through labor courts.<\/p>\n
This marks a significant shift in attack tactics as threat actors expand PureHVNC deployment into regions previously untouched by this malware.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj9bLaFgsgswomHQiXgcFm5tjhvZx3sqx7yO6rM8Y3l_F-cRcQ65IAZJUWqaqTTKrdnUVjYs6npHbkL9gutF_JTn9lAD0ZAttQesLEx8gredE9fnGROuvpBE52r6AiVr2FNSSDH2smEjwiEJeNJEzH6P92gYi0TnmW_nRGkvvvKQcadSy_mveMALqOnz6I\/s16000\/Example%2520email%2520%28Source%2520-%2520IBM%29.webp?ssl=1\")
The attack chain begins when recipients encounter an email containing an SVG attachment that leads them through Google Drive, where clicking on the document triggers an automatic download of a password-protected ZIP archive.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjPIX6n5hcx7VtszYwRXyDsjyAsiWjMcVe-13AmysUwdfx_3pynMR_j-zO1o8Yg5fmPVXX9opwhn1OEKdFm_RQVGb9TaaTuWOyHaADpnZ3GLaA9NWI0SQo2CAInBBKnobdsTg0Pd3aHgSUdbhVNAqhMH953FJFagHOrf8uZI6GU_n6lr5L6GMM0ZfncvyM\/s16000\/7%2520ZIP%2520archive%2520contents%2520%28Source%2520-%2520IBM%29.webp?ssl=1\")
Inside this archive lies a renamed executable disguised with a judiciary-themed filename \u201c02 BOLETA FISCAL.exe\u201d, which is actually a legitimate javaw.exe file repurposed for malicious DLL side-loading<\/a>.<\/p>\n This initial stage deploys Hijackloader, an increasingly prevalent loader previously observed delivering RemcosRAT to CrowdStrike customers.<\/p>\n IBM X-Force analysts identified<\/a> this campaign as particularly noteworthy because it represents the first observed instance of PureHVNC being delivered to Spanish-speaking users through such coordinated efforts.<\/p>\n The malware, typically sold on dark web forums and Telegram channels by PureCoder, demonstrates advanced evasion capabilities that separate it from standard remote access trojans<\/a>.<\/p>\n The malware operates through a sophisticated multi-stage infection process designed to evade security detection.<\/p>\n The attack exploits DLL side-loading, where the malicious JLI.dll hijacks Windows\u2019 library loading procedures to inject the second-stage payload MSTH7EN.dll directly into memory using the LoadLibraryW() API function.<\/p>\n This shellcode eventually loads into vssapi.dll through memory manipulation techniques involving VirtualProtect() calls that modify the .text section to PAGE_EXECUTE_READWRITE permissions.<\/p>\n The third-stage payload contains encrypted configuration data including process name hashes that trigger execution delays when security software is detected.<\/p>\n When activated, the malware queries running processes and uses NtDelayExecution() API calls to pause execution, demonstrating awareness of its operational environment.<\/p>\n The complete infection chain ultimately establishes communication with the command server sofiavergara[.]duckdns[.]org, granting attackers complete remote access over compromised systems<\/a>.<\/p>\n This campaign highlights how judicial and legal themes continue serving as effective social engineering<\/a> vectors, particularly against government and corporate employees in Latin America.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Threat Actors Weaponizes Judicial Documents to Deliver PureHVNC RAT<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nInfection Mechanism and Persistence<\/strong><\/h2>\n