Cybercriminals Exploit Judicial Documents to Deploy PureHVNC RAT in Latin America
Between August and October 2025, a sophisticated phishing campaign emerged, targeting Colombian and Spanish-speaking users. Attackers impersonated Colombia’s Attorney General’s office, sending deceptive emails that falsely notified recipients of lawsuits processed through labor courts.
This campaign signifies a notable shift in cyberattack strategies, as threat actors have expanded the deployment of the PureHVNC Remote Access Trojan (RAT) into regions previously untouched by this malware.
Attack Chain Overview
The attack begins when a recipient receives an email carrying an SVG attachment. Opening the attachment redirects the victim to a Google Drive link that automatically downloads a password-protected ZIP archive. Inside the archive is an executable named 02 BOLETA FISCAL.exe, disguised as a judicial document. In reality, the file is a repurposed copy of javaw.exe, a legitimate Java process, abused for malicious DLL side-loading.
Upon execution, this file deploys HijackLoader, a loader previously observed delivering RemcosRAT to various targets. IBM X-Force analysts have identified this campaign as the first instance of PureHVNC being delivered to Spanish-speaking users through such coordinated efforts. PureHVNC, typically sold on dark web forums and Telegram channels by a developer known as PureCoder, exhibits advanced evasion capabilities that distinguish it from standard remote access trojans.
Infection Mechanism and Persistence
The malware employs a multi-stage infection process designed to evade security detection:
1. DLL Side-Loading: The malicious JLI.dll hijacks Windows’ library loading procedures to inject the second-stage payload, MSTH7EN.dll, directly into memory using the LoadLibraryW() API function.
2. Memory Manipulation: The shellcode loads into vssapi.dll through memory manipulation techniques involving VirtualProtect() calls that modify the .text section to PAGE_EXECUTE_READWRITE permissions.
3. Evasion Tactics: The third-stage payload contains encrypted configuration data, including process name hashes that trigger execution delays when security software is detected. The malware queries running processes and uses NtDelayExecution() API calls to pause execution, demonstrating awareness of its operational environment.
Ultimately, the infection chain establishes communication with the command server sofiavergara[.]duckdns[.]org, granting attackers complete remote access over compromised systems.
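The chain above leaves a small set of host observables a defender can key on: a javaw.exe binary running under a different file name, JLI.dll or MSTH7EN.dll loaded from the executable's own user-writable directory rather than a Java install, and a DNS lookup for the DuckDNS command server. The following Python is an added detection sketch written for this article, not code from IBM X-Force or the malware authors; the Sysmon-style records are constructed, and the trusted Java install roots are an assumption about the estate being monitored.

```python
import ntpath
from typing import Dict, List

# Constructed Sysmon-style records (not real telemetry) modelled on the chain
# above; the last record is a benign JRE baseline that must not be flagged.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7", "Image": r"C:\Users\ana\Downloads\02 BOLETA FISCAL.exe",
     "OriginalFileName": "javaw.exe",
     "ImageLoaded": r"C:\Users\ana\Downloads\JLI.dll"},
    {"EventID": "7", "Image": r"C:\Users\ana\Downloads\02 BOLETA FISCAL.exe",
     "OriginalFileName": "javaw.exe",
     "ImageLoaded": r"C:\Users\ana\Downloads\MSTH7EN.dll"},
    {"EventID": "22", "Image": r"C:\Users\ana\Downloads\02 BOLETA FISCAL.exe",
     "QueryName": "sofiavergara.duckdns.org"},
    {"EventID": "7", "Image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "OriginalFileName": "javaw.exe",
     "ImageLoaded": r"C:\Program Files\Java\jre\bin\jli.dll"},
]

SIDELOAD_DLLS = {"jli.dll", "msth7en.dll"}   # DLL names reported in the chain
C2_HOST = "sofiavergara.duckdns.org"         # command server named in the report
# Assumption: Java is only legitimately installed under these roots.
TRUSTED_JAVA_ROOTS = (r"c:\program files\java", r"c:\program files (x86)\java")


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return one finding per suspicious record; an empty list means clean."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        image_dir = ntpath.dirname(image).lower()
        image_name = ntpath.basename(image).lower()
        if ev.get("EventID") == "7":
            loaded = ev.get("ImageLoaded", "")
            dll_name, dll_dir = ntpath.basename(loaded).lower(), ntpath.dirname(loaded).lower()
            # Rule 1: javaw.exe running under a lure name such as "02 BOLETA FISCAL.exe".
            if ev.get("OriginalFileName", "").lower() == "javaw.exe" and image_name != "javaw.exe":
                findings.append(f"renamed javaw.exe: {image}")
            # Rule 2: JLI.dll / MSTH7EN.dll side-loaded from the EXE's own directory
            # outside a trusted Java install (the real JRE load is skipped).
            if dll_name in SIDELOAD_DLLS and dll_dir == image_dir \
                    and not dll_dir.startswith(TRUSTED_JAVA_ROOTS):
                findings.append(f"side-loaded {dll_name} from {dll_dir}")
        elif ev.get("EventID") == "22" and ev.get("QueryName", "").lower() == C2_HOST:
            findings.append(f"C2 lookup {C2_HOST} by {image}")
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The same three rules translate directly into a SIEM query over Sysmon Event ID 7 and 22 fields; the DuckDNS match is deliberately exact, since blocking the whole dynamic-DNS zone is a policy decision the report does not make.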
Implications and Recommendations
This campaign underscores the effectiveness of judicial and legal themes as social engineering vectors, particularly against government and corporate employees in Latin America. The use of official-looking documents and trusted platforms like Google Drive enhances the credibility of the phishing attempts, increasing the likelihood of successful infections.
Recommendations for Mitigation:
– User Education: Organizations should conduct regular training sessions to educate employees about recognizing phishing attempts, especially those leveraging official-looking documents and trusted platforms.
– Email Filtering: Implement advanced email filtering solutions to detect and block emails with suspicious attachments or links.
– Endpoint Protection: Deploy robust endpoint protection solutions capable of detecting and mitigating multi-stage malware infections.
– Regular Updates: Ensure that all software and systems are regularly updated to patch known vulnerabilities that could be exploited by such malware.
By adopting these measures, organizations can enhance their defenses against sophisticated phishing campaigns and protect their systems from advanced malware threats like PureHVNC RAT.