A sophisticated spear-phishing campaign has emerged targeting Argentina’s judicial sector, exploiting trust in legitimate court communications to deliver a dangerous Remote Access Trojan.
The campaign uses authentic-looking federal court documents about preventive detention reviews to trick legal professionals into downloading malware.
Security experts have classified this attack as highly targeted, employing multi-stage infection techniques to gain long-term access to sensitive legal and institutional systems.
The attack begins when recipients receive emails containing a ZIP archive that appears to be an official judicial notice.
Inside the archive, attackers have planted a weaponized Windows shortcut file disguised as a PDF, along with a batch script loader and a legitimate-looking court resolution document.
Once the victim clicks on what appears to be a standard PDF file, the malicious execution chain activates while simultaneously displaying a convincing decoy document to avoid suspicion.
This social engineering technique makes the attack particularly effective against judicial personnel who routinely handle court-related documents.
Seqrite analysts identified this campaign and uncovered its sophisticated multi-stage delivery mechanism.
The research team discovered that the malware specifically targets Argentina’s legal sector, including judicial institutions, legal professionals, and government bodies connected to the justice system.
.webp "New Spear Phishing Attack Leveraging Argentine Federal Court Rulings to Covert RAT for Remote Access 3")
The decoy document mimics authentic Argentine federal court resolutions with remarkable precision, featuring formal legal Spanish, proper case numbering, judicial signatures, and references to real institutions like the Tribunal Oral en lo Criminal y Correccional.
This level of detail significantly increases the campaign’s success rate among its intended victims.
Infection Mechanism: From Shortcut to RAT Deployment
The attack uses a three-stage infection process designed to evade detection. The weaponized LNK file launches PowerShell in hidden mode, bypassing execution policies to run a batch script that connects to GitHub-hosted infrastructure.
.webp "New Spear Phishing Attack Leveraging Argentine Federal Court Rulings to Covert RAT for Remote Access 4")
This script downloads a second-stage payload disguised as “msedge_proxy.exe,” stored in the Microsoft Edge user data directory to appear legitimate.
The final payload is a Rust-based Remote Access Trojan equipped with extensive anti-analysis capabilities.
.webp "New Spear Phishing Attack Leveraging Argentine Federal Court Rulings to Covert RAT for Remote Access 5")
The RAT performs comprehensive environment checks before execution, scanning for virtual machines, sandboxes, and debugging tools. If analysis tools are detected, the malware immediately terminates to avoid investigation.
Once operational, it establishes encrypted command-and-control communication, offering attackers capabilities including file exfiltration, persistence installation, credential harvesting, and even ransomware deployment through modular DLL components.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
