Court-Themed Phishing Used by Hackers to Spread Info-Stealer Malware

“Hackers are now using court-themed phishing techniques to distribute info-stealer malware to trap innocent people.”

Scalable Vector Graphics (SVG) files and judicial notices have been weaponized in a new phishing attempt that targets Colombian users.

A well-crafted email in Spanish that poses as the “17th Municipal Civil Court of the Bogotá Circuit,” complete with formal legal language and institutional information, is the first step in this complex attack.

The SVG attachment, named “Fiscalia General De La Nacion Juzgado Civil 17.svg”, lures victims into starting a multi-step infection chain that ends with the AsyncRAT remote access Trojan (RAT) being loaded into a trusted Windows process through in-memory injection.

By mentioning Bogotá’s municipal civil court and giving a fictitious notice of legal action, the phishing email mimics the format of an official court notice.

The Spanish text in its body reads “Adjunta demanda presentada en su contra” (“Attached is the lawsuit filed against you”), is signed as the Juzgado 17 Civil Municipal of the Bogotá Circuit, is dated September 11, 2025, and is presented as coming from the judiciary’s notification system.

The attackers defuse initial suspicion by invoking the capital’s court system as a regional trust cue. Unlike pixel-based image formats, the accompanying SVG file is XML and can carry script; this one contains an onclick handler:

When the user clicks the image, the embedded JavaScript decodes a Base64-encoded HTML blob and renders it as a fake consultation portal for the “Attorney General’s Office” (Fiscalía General de la Nación), prompting the victim to download an HTA file presented as an official document.
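A defender-side check for the trait described above. This is an added example, not code from the article or from Seqrite: it parses an SVG attachment and reports script elements, on* event handlers such as onclick, javascript: URIs, and long Base64 runs that could hide an encoded HTML payload. The SVG samples are constructed for the example, not the real attachment.

```python
"""Flag SVG attachments that carry event handlers, scripts or Base64 blobs."""
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample: an image whose onclick decodes a Base64 HTML blob,
# the same pattern as the court-themed lure (content is made up).
FAKE_HTML = base64.b64encode(
    b"<html><body>DOWNLOAD DOCUMENTO_OFICIAL_JUZGADO.HTA</body></html>"
).decode()
SUSPICIOUS_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect width="100" height="100" onclick="document.write(atob('{FAKE_HTML}'))"/>
</svg>"""

# Constructed sample: a plain drawing with no scripting.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'

# 40+ Base64 characters in a row is far longer than any normal SVG attribute.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def scan_svg(svg_text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if tag.lower() == "script":
            findings.append("script element")
        for attr, value in elem.attrib.items():
            if attr.lower().startswith("on"):  # onclick, onload, onmouseover, ...
                findings.append(f"event handler {attr} on <{tag}>")
            if "javascript:" in value.lower():
                findings.append(f"javascript: URI in {attr}")
    if BASE64_RUN.search(svg_text):
        findings.append("long Base64 run (possible encoded payload)")
    return findings


def should_quarantine(svg_text: str) -> bool:
    """Policy hook for a mail gateway: any finding means hold the attachment."""
    return bool(scan_svg(svg_text))


if __name__ == "__main__":
    for name, svg in (("suspicious", SUSPICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(name, "->", scan_svg(svg) or "clean")
```

An SVG that legitimately needs script is rare in email, so holding anything with a finding for review is a low-cost policy.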

Multi-stage Dropper Chain

When the user clicks “DOWNLOAD DOCUMENTO_OFICIAL_JUZGADO.HTA,” they unknowingly run a client-side dropper. The HTA decodes a sizable Base64 block into actualiza.vbs, hiding the malicious payload inside junk code.

The PowerShell downloader (veooZ.ps1) created and executed by this Visual Basic script retrieves a text file (Ysemg.txt) from a server under the control of the attacker.

The script cleans and decodes that file by substituting placeholder characters, yielding Classlibrary3.dll.

Acting as a module loader, the .NET DLL decodes and writes an injector component, fetches the AsyncRAT payload, and injects AsyncRAT into MSBuild.exe using .NET reflection.

To evade sandboxes, the loader looks for VirtualBox and VMware processes and stops if it detects an analysis environment.

It also supports optional persistence through registry Run keys or startup shortcuts, although the registry approach was not used in this campaign.

QuickHeal/Seqrite identified the SVG file in the attachment during the campaign’s analysis.

Security teams that monitor for anomalous SVG activity and enforce strict email attachment policies are essential to defending against such layered threats.

AsyncRAT Payload Capabilities

AsyncRAT arrives as a .NET program and runs entirely in memory inside MSBuild.exe. It first gathers system information, hardware identifiers, the operating system version, user privileges, installed antivirus software, and webcam availability.

The file is heavily obfuscated, and the obfuscated data are decoded by a loop of XOR and shift operations.

It checks for elevated privileges to choose a persistence method: when running as an administrator it schedules a task; otherwise it writes to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

The RAT looks for monitoring tools (Taskmgr.exe, ProcessHacker.exe) and terminates them, and it uses anti-analysis and anti-VM checks, including AMSI bypass techniques.

It establishes a TLS-encrypted channel to its command-and-control server, dynamically loads plugins, and exfiltrates stolen data serialized with MessagePack. Keylogging, file management, remote shell execution, and webcam surveillance are further features AsyncRAT offers.

By hiding malicious code in an SVG and chaining it through HTA, VBS, and PowerShell, this campaign effectively sidesteps many conventional defenses.

About The Author

Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, covering the latest trends in cyber awareness and ethical hacking.
