Cyber Security News

Threat Actors Weaponize Judicial Documents to Deliver PureHVNC RAT

Between August and October 2025, a sophisticated phishing campaign emerged targeting Colombian and Spanish-speaking users through deceptive emails masquerading as official communications from Colombia’s Attorney General’s office.

The campaign employs a carefully crafted social engineering strategy, luring victims with notifications about supposed lawsuits processed through labor courts.

This marks a significant shift in attack tactics as threat actors expand PureHVNC deployment into regions previously untouched by this malware.

Example email (Source – IBM)

The attack chain begins when recipients encounter an email containing an SVG attachment that leads them through Google Drive, where clicking on the document triggers an automatic download of a password-protected ZIP archive.

7 ZIP archive contents (Source – IBM)

Inside this archive lies a renamed executable disguised with a judiciary-themed filename “02 BOLETA FISCAL.exe”, which is actually a legitimate javaw.exe file repurposed for malicious DLL side-loading.

This initial stage deploys Hijackloader, an increasingly prevalent loader previously observed delivering RemcosRAT to CrowdStrike customers.

IBM X-Force analysts identified this campaign as particularly noteworthy because it represents the first observed instance of PureHVNC being delivered to Spanish-speaking users through such coordinated efforts.

The malware, typically sold on dark web forums and Telegram channels by PureCoder, demonstrates advanced evasion capabilities that separate it from standard remote access trojans.

Infection Mechanism and Persistence

The malware operates through a sophisticated multi-stage infection process designed to evade security detection.

The attack exploits DLL side-loading, where the malicious JLI.dll hijacks Windows’ library loading procedures to inject the second-stage payload MSTH7EN.dll directly into memory using the LoadLibraryW() API function.

This shellcode eventually loads into vssapi.dll through memory manipulation techniques involving VirtualProtect() calls that modify the .text section to PAGE_EXECUTE_READWRITE permissions.

The third-stage payload contains encrypted configuration data including process name hashes that trigger execution delays when security software is detected.

When activated, the malware queries running processes and uses NtDelayExecution() API calls to pause execution, demonstrating awareness of its operational environment.

The complete infection chain ultimately establishes communication with the command server sofiavergara[.]duckdns[.]org, granting attackers complete remote access over compromised systems.

This campaign highlights how judicial and legal themes continue serving as effective social engineering vectors, particularly against government and corporate employees in Latin America.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
