Listen to this Post

Introduction
This article explains a recent Latin American phishing campaign that weaponizes SVG image files to deliver AsyncRAT, a powerful remote access trojan. The attackers use convincing Spanish-language judicial notices aimed at Colombian recipients, chaining multiple obfuscated stages to evade detection and achieve persistence. Below you will find a condensed, faithful summary of the original report, followed by an independent, detailed analysis under the heading What Undercode Say:, a short fact-check summary, and forward-looking predictions.
Summary of the campaign (concise, single-paragraph overview)
Researchers discovered a targeted phishing campaign that preys on Colombians by posing as official court correspondence from “Juzgado 17 Civil Municipal del Circuito de Bogotá,” with subject lines warning of a formal lawsuit. The malicious attachment is an SVG image named to appear official, for example “Fiscalia General De La Nacion Juzgado Civil 17.svg.” When opened, the SVG runs JavaScript through an onclick handler that decodes base64 content to produce a fake Attorney General web page, tricking victims into downloading an HTA file named DOCUMENTO_OFICIAL_JUZGADO.HTA from an attacker server. That HTA contains heavily obfuscated code and a base64 blob that extracts a VBS script, which in turn runs a PowerShell downloader, retrieving an encoded payload from a remote location. After decoding the payload, the scripts create a .NET assembly loader, classlibrary3.dll, which fetches an injector module and the AsyncRAT binary. The loader includes anti-analysis checks such as VirtualBox and VMware process detection, and employs XOR and bit shifts to decrypt strings, plus logic that decides whether to create persistence through registry Run entries or startup shortcuts. The injected AsyncRAT is executed inside MSBuild.exe to blend with legitimate processes, allowing attackers to log keys, execute commands, access webcams, steal credentials, and maintain encrypted MessagePack/TLS communications with C2 servers. The campaign also includes Amsi bypass techniques and routines that terminate monitoring tools like Taskmgr.exe or ProcessHacker.exe, while security engines show low detection rates for SVG attachments. By embedding multi-stage, fileless downloaders inside a seemingly benign vector graphic and leveraging urgent legal language, the attackers combine social engineering and layered obfuscation to bypass conventional email filtering and endpoint defenses, achieving stealth and long-term persistence.
What Undercode Say: (analytical deep dive)
The campaign illustrates a shift in attacker tradecraft toward abusing seemingly innocuous file formats to deliver complex, multi-stage malware. SVG is a plaintext, XML-based vector format, and its ability to contain inline scripts makes it attractive for social engineering. Embedding JavaScript inside an SVG allows an attacker to rely on the recipient’s familiarity with image files while leveraging browser or viewer behaviors that execute onclick handlers or render embedded HTML content. The use of judicial theming is a classic psychological lever, it amplifies urgency and leverages trust in state institutions, especially in a country where official communications are routinely acted upon without scrutiny. The multi-tier architecture—SVG → HTA → VBS → PowerShell → .NET loader → injected RAT—shows deliberate design to evade layered detection. Each stage serves a specific defensive purpose: early stages are human-facing and social-engineering-centric, mid-stages add obfuscation and downloader logic, and late stages focus on stealth and persistence by injecting into trusted processes. Injecting into MSBuild.exe is a deliberate tactic to hide within a signed or legitimate process, benefiting from process whitelisting and reduced scrutiny, particularly in enterprise environments where developer tools and build processes are common. Anti-analysis checks such as VirtualBox/VMware detection and runtime string decryption indicate that the threat actors expect researchers and sandboxing tools, and they aim to alter behavior accordingly so as not to reveal full capabilities during analysis. The use of dpaste.com or similar paste services as a staging host for encoded payloads shows an operational preference for blending malicious traffic with legitimate web services, further complicating network-based detections. From an operational security perspective, the campaign demonstrates discipline: the attacker separates the human social-engineering vector from the payload hosting infrastructure, and uses multiple obfuscation layers to increase cost and time for forensic recovery. For defenders, this means a two-pronged response is required. First, improve content filtering and parsing logic to analyze XML-based image formats for embedded scripts, and treat SVG with the same suspicion as active documents. Second, strengthen user-facing controls and training focused on high-risk lures such as legal and government notices, emphasizing verification steps before opening attachments or clicking links. Endpoint defenses should be hardened to detect anomalous child processes spawned from viewers or document handlers, and to flag unusual parent-child process relationships, for example an image viewer leading to HTA execution. Detection rules should incorporate behavioral indicators present here: the sequence of HTA → VBS → PowerShell, presence of base64 blobs followed by dynamic assembly creation, attempts to spawn or tamper with MSBuild.exe, and network calls to paste services retrieving encoded blobs. On the remediation side, focus on isolating affected hosts, dumping memory for injected assemblies, and tracking persistence mechanisms such as registry Run keys, scheduled tasks, and startup shortcuts. Organizationally, court-themed phishing demands tailored awareness campaigns for personnel who regularly interact with legal notices, such as HR, finance, and administrative teams. Finally, the low detection rates for SVGs suggests vendors need to update signature and heuristic engines to parse and sandbox SVG content, not only Windows executable wrappers. Collaborative intelligence sharing between national CERTs, email gateway providers, and antivirus vendors would accelerate the deployment of Yara rules and network indicators to disrupt the attackers’ hosting and C2 domains. campaign is not novel in effect, but it is notable for combining old social engineering with modern, fileless, and multi-stage obfuscation, making it a resilient playbook that will likely be reused and adapted.
Fact Checker Results
✅ The campaign used SVG attachments with embedded JavaScript to initiate the infection chain.
✅ AsyncRAT was delivered via a multi-stage chain including HTA, VBS, PowerShell, and a .NET loader.
❌ There is no evidence in the source material that the campaign exploited a zero-day vulnerability; the attack relies on social engineering and script execution. 🔍
Prediction 📊
Attackers will increasingly weaponize XML-capable formats such as SVG and OOXML to bypass content filters, because these formats let them blend active script with benign-seeming files. Expect copycat campaigns that reuse judicial or tax-themed lures in Spanish and Portuguese across Latin America, and more use of legitimate web services for payload staging. Defenders who update gateways to sanitize or block active content inside images, and who deploy behavioral rules for chains like HTA → PowerShell → .NET loader, will raise the attacker’s operational cost and force them to change tactics. 🔮
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.digitaltrends.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




