The campaign leverages judicial document themes to distribute Hijackloader malware, which subsequently deploys PureHVNC remote access trojan (RAT)—marking the first observed instance where this combination has been used against Spanish-speaking users in Latin America.
The campaign represents a significant tactical shift for threat actors operating in the region. Hijackloader, previously documented in campaigns targeting CrowdStrike customers with RemcosRAT delivery, has now been repurposed to distribute PureHVNC, a malware-as-a-service tool actively sold on underground forums and Telegram channels.
Between August and October 2025, IBM X-Force identified a sophisticated campaign targeting Colombian users through emails impersonating the country’s Attorney General’s office.
This convergence of established attack infrastructure with emerging payload delivery demonstrates the evolving threat landscape facing LATAM organizations.
Threat actors crafted convincing emails falsely claiming to originate from Colombia’s Attorney General’s office, informing recipients that lawsuits have been filed by former employees and are pending processing before labor courts.
The emails include SVG file attachments designed to be opened in Google Drive, providing victims with a sense of legitimacy while obscuring the malicious nature of the payload.
When victims click on the document preview or attempt to download the file through Google Drive, they receive a ZIP archive containing multiple files, including a password-protected executable.

The password is prominently displayed on the download completion page, encouraging victims to extract and execute the malicious binary.
This social engineering approach exploits trust in judicial processes and official communications—psychological tactics particularly effective in high-context cultures where legal correspondence commands immediate attention and compliance.
Multi-Stage Infection Chain
The infection chain begins with DLL side-loading, a technique that abuses the order in which Windows searches for libraries. The Hijackloader package pairs a legitimate javaw.exe, renamed with a judiciary-themed name (“02 BOLETA FISCAL.exe”), with a malicious JLI.dll placed in the same directory.
When the renamed executable launches, Windows loads the modified DLL from the local directory instead of the system path, establishing the initial foothold for malware execution.
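One way a defender can turn the side-loading description above into a detection is to inspect image-load telemetry for the specific pairing: a process whose PE version resource says it was built as javaw.exe loading jli.dll from a directory that is not a known Java installation, or under a renamed executable. The following is an added example, not IBM X-Force or GBHackers code; the field names follow Sysmon Event ID 7 (Image, ImageLoaded, OriginalFileName), the Java directory allowlist is an assumption you would tune per site, and the events are constructed for the demo rather than real telemetry.

```python
"""Flag the javaw.exe / JLI.dll side-loading pattern from image-load events.
Added example, not X-Force or GBHackers tooling. Events are constructed."""
import ntpath
from dataclasses import dataclass

# Assumption: roots under which a genuine javaw.exe legitimately loads jli.dll.
# Site-specific; extend with your own JDK/JRE install locations.
EXPECTED_JAVA_DIRS = (
    r"c:\program files\java",
    r"c:\program files (x86)\java",
    r"c:\program files\eclipse adoptium",
)


@dataclass(frozen=True)
class ImageLoad:
    image: str               # full path of the process executable (Sysmon "Image")
    original_file_name: str  # OriginalFileName from the PE version resource
    image_loaded: str        # full path of the DLL that was mapped ("ImageLoaded")


def is_javaw_sideload(ev: ImageLoad) -> bool:
    """True when a binary built as javaw.exe maps jli.dll from outside a known
    Java directory, or does so under a renamed executable (the lure filename)."""
    if ev.original_file_name.lower() != "javaw.exe":
        return False
    dll = ev.image_loaded.lower()
    if ntpath.basename(dll) != "jli.dll":
        return False
    dll_dir = ntpath.dirname(dll)
    in_java_dir = any(
        dll_dir == root or dll_dir.startswith(root + "\\") for root in EXPECTED_JAVA_DIRS
    )
    renamed = ntpath.basename(ev.image.lower()) != "javaw.exe"
    return renamed or not in_java_dir


def scan(events):
    """Return the process paths of every event matching the side-load pattern."""
    return [ev.image for ev in events if is_javaw_sideload(ev)]


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    # Legitimate JDK: javaw.exe loading jli.dll from its own install directory.
    ImageLoad(r"C:\Program Files\Java\jdk-17\bin\javaw.exe", "javaw.exe",
              r"C:\Program Files\Java\jdk-17\bin\jli.dll"),
    # Lure-style event: renamed javaw.exe loading JLI.dll from the download folder.
    ImageLoad(r"C:\Users\victim\Downloads\02 BOLETA FISCAL.exe", "javaw.exe",
              r"C:\Users\victim\Downloads\JLI.dll"),
    # Unrelated process; must not match.
    ImageLoad(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
              r"C:\Windows\System32\kernel32.dll"),
    # Original name kept, but loaded from a non-standard directory.
    ImageLoad(r"C:\Tools\javaw.exe", "javaw.exe", r"C:\Tools\jli.dll"),
]

if __name__ == "__main__":
    for path in scan(SAMPLE_EVENTS):
        print("side-load candidate:", path)
```

The rule keys on OriginalFileName rather than the on-disk name precisely because the lure renames the binary; the trade-off is that portable or user-extracted JDKs outside the allowlist will also fire, so the allowlist is where local tuning belongs.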
Subsequent stages involve sophisticated loader functionality. The malware decrypts encrypted configurations stored in temporary files, performs anti-analysis checks including virtual machine detection and debugger identification, and implements code injection techniques to load PureHVNC into legitimate system processes.
The malware employs multiple evasion strategies, including stack spoofing to mask API call origins, unhooking of security monitoring hooks installed by antivirus software, and timing-based anti-debugging mechanisms that measure instruction latency to detect analytical environments.
The shellcode is then loaded into vssapi.dll, which is the DLL specified in the malware’s configuration.
Hijackloader’s modular architecture enables customizable behavior through configuration flags. The malware supports multiple persistence mechanisms, including scheduled task creation and startup folder shortcuts, ensuring continued access across system reboots.
Its anti-virtualization routines detect sandbox environments by querying physical memory, processor counts, and hypervisor signatures, automatically terminating if insufficient resources suggest an analysis environment.
The malware incorporates UAC bypass capabilities through both legitimate privilege escalation methods and COM interface exploitation, enabling lateral movement and privilege elevation when running with standard user permissions.
Its injection methods vary based on configuration parameters, supporting process hollowing, thread context hijacking, and NTFS transacted file techniques to execute payloads while evading memory-based detection systems.
Expanding Threat Landscape
X-Force’s analysis demonstrates that threat actors are increasingly combining established delivery mechanisms with emerging payload toolkits to target LATAM regions.
The use of PureHVNC—a commercially available RAT typically associated with cybercriminal services—suggests either a shift toward more accessible malware-as-a-service offerings or collaboration between established Hijackloader operators and criminal entities offering RAT deployment services.
Organizations in Colombia and throughout Latin America should implement advanced email filtering, disable SVG preview functionality in cloud storage services, and deploy behavioral analysis tools capable of detecting DLL side-loading and process injection techniques.
User awareness training that emphasizes verifying official communications through direct contact with the purported source organization remains critical for mitigating social engineering attacks impersonating judicial and governmental authorities.
Indicators of compromise
| Indicator | Indicator Type | Context |
|---|---|---|
| troquelesmyj[@]gmail.com | Sender email | |
| nuevos777[.]duckdns[.]org | Domain | C2 Domain |
| 7octubredc[.]duckdns[.]org | Domain | C2 Domain |
| dckis13[.]duckdns[.]org | Domain | C2 Domain |
| dckis7[.]duckdns[.]org | Domain | C2 Domain |
| enviopago[.]mysynology[.]net | Domain | C2 Domain |
| maximo26[.]duckdns[.]org | Domain | C2 Domain |
| sofiavergara[.]duckdns[.]org | Domain | C2 Domain |
| hxxps[:]//drive[.]google[.]com/file/d/1haApB_GMwZb83nw1YPdIDTLMtksRjkh/view?pli=1 | URL | SVG Host |
| hxxps[:]//drive[.]google[.]com/file/d/1wzunPhL33jq_ZQug6k03hgxi4Eu57VfN/view?usp=sharing | URL | SVG Host |
| e7120d45ee357f30cb602c0d93ed8d366f4b11c251c2a3cd4753c5508c3b15e5 | SHA256 | ZIP |
| 7e64102405459192813541448c8fbadc481997a2065f26c848f1e3594ca404c9 | SHA256 | RAR |
| 14becb3a9663128543e1868d09611bd30a2b64c655dfb407a727a7f2d0fb8b7e | SHA256 | Hijackloader |
| 57c49cff3e71bc75641c78a5a728509007a18032510f607c042053c9d280511 | SHA256 | Hijackloader |
| 7c3d9ad3f1bd890e3552dc67093e161395d4e1fab79ec745220af1e19a279722 | SHA256 | Hijackloader |
| ce42377d3d26853fd1718f69341c0631208138490decc8e71a5622df5e9e1f59 | SHA256 | Hijackloader |
| a0e4979b4e4a706286438d480e21b0d92cc7bd40c1c3ea5b9872089aaec0124 | SHA256 | Hijackloader |
| 6d93a486e077858b75eb814e9a7bda181189d5833adce7cec75775cfda03f514 | SHA256 | Hijackloader |
| bdca9849d7263d508b7ed4dbbf86bd628932b117b45933cb28a7e78171d05cdd | SHA256 | Hijackloader |
| 1ae61edf35127264d329b7c0e2bddb7077e34cc5f9417de86ab6d2d65bad4b4f | SHA256 | Hijackloader |
| 2ec31a8a36d73fa8354a7ac039506dbe12638a0dc1b900f57620b8d53ae987f | SHA256 | Hijackloader |
| 776bbaa44c7788e0ccd5945d583de9473b6246c44906692cb0a52e6329cb213a | SHA256 | Hijackloader |
| 9e9997b54da0c633ffcf0a4fb94e67b482cf7a89522d1b254778d0c6c22c70ee | SHA256 | Hijackloader |
| b2f733b67f1ef06d9e5ce76d3cc848f6e7e3ec2d0c363c765175c6cf85f979b | SHA256 | Hijackloader |
| c93e70d20ba2948a6a8a013df68e5c4d14d59e5f549417d1a76833bd1c8efd22 | SHA256 | Hijackloader |
| d550a2a327394148c0c3d05df2fe0156783fc313b4038e454f9aa2cb2f0f2090 | SHA256 | Hijackloader |
| e668ca17fcdfa818aac35f12064d10a0288d7d9c6b688966b695125b760567d6 | SHA256 | Hijackloader |
| fe6d0ee45a70359008b2916e5116c411a955978b5694cc457683ab7b26590e47 | SHA256 | Hijackloader |
| 977f2f18ff13c93406c5702f83c04a9412760e02028aefc7c1cb7d6f2797a9b5 | SHA256 | Hijackloader |
| 768ca38878c5bb15650343ce49292315a9834eaf62fad14422d52510c3787228 | SHA256 | Hijackloader |
| 47245b7d2d8cb6b92308deb80399e0273193d5bca39da85a6b2a87a109d18d85 | SHA256 | Hijackloader |
| 4484b0ac51536890301a0e6573b962e069e31abc4c0c6f0f6fc1bf66bf588a93 | SHA256 | Hijackloader |
| 0113d9f3d93069a29458b3b4c33610aae03961014df60a9e859f3104086d886a | SHA256 | Hijackloader |
| 22d474e729d600dcd84ce139f6208ce3e3390693afa7b52b0615174fca6d0fe2 | SHA256 | Hijackloader |
| 2cbfc482e27a2240a48d2fb66f740ff0f08598f83ae643a507c6f12a865dc28 | SHA256 | Hijackloader |
| 96ee786c5b6167c0f0f770efbace25e97d61e127ef7f58a879b6cf4b57e202c3 | SHA256 | Hijackloader |
| 33d0c63777882c9ec514be062612a56fdb1f291fcb6676c49480d3cd4501c508 | SHA256 | Hijackloader |
| afecefa6d9bd1e6d1c92144209eda320e1fe0f196ffa8e8bc114e7d3a25503f6 | SHA256 | PureHVNC |
| 85641c8fb94e8e4c5202152dcbb2bb26646529290d984988ecb72e18d63c9bc5 | SHA256 | PureHVNC |
| 1bf3a1cf9bc7eded0b8994d44cf2b801bf12bc72dc23fb337ddd3a64ac235782 | SHA256 | PureHVNC |
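Published indicator tables are defanged and occasionally contain transcription errors, so before loading them into a blocklist or a log search a practitioner normally refangs each value, validates its shape, and only then matches it. The following is an added example (not X-Force or GBHackers tooling) that does this for a subset of the indicators copied verbatim from the table above; the log lines are constructed for the demo. The validator rejects any SHA256 that is not 64 hex characters, which catches the entry beginning 57c49cff… in the table, published with 63 characters.

```python
"""Refang, validate and match defanged IoCs against log lines.
Added example, not X-Force or GBHackers code. Indicator strings are copied
from the article's table; the log lines below are constructed."""
import re

# (indicator as published, indicator type) -- subset copied from the table above.
DEFANGED_IOCS = [
    ("nuevos777[.]duckdns[.]org", "Domain"),
    ("enviopago[.]mysynology[.]net", "Domain"),
    ("troquelesmyj[@]gmail.com", "Sender email"),
    ("hxxps[:]//drive[.]google[.]com/file/d/1haApB_GMwZb83nw1YPdIDTLMtksRjkh/view?pli=1", "URL"),
    ("e7120d45ee357f30cb602c0d93ed8d366f4b11c251c2a3cd4753c5508c3b15e5", "SHA256"),
    ("57c49cff3e71bc75641c78a5a728509007a18032510f607c042053c9d280511", "SHA256"),
]

SHA256_RE = re.compile(r"[0-9a-f]{64}")
DOMAIN_RE = re.compile(r"[a-z0-9.-]+")


def refang(value: str) -> str:
    """Undo the defanging conventions used in the table ([.] [@] [:] hxxp)."""
    for old, new in (("[.]", "."), ("[@]", "@"), ("[:]", ":"),
                     ("hxxps", "https"), ("hxxp", "http")):
        value = value.replace(old, new)
    return value


def validate(value: str, ioc_type: str):
    """Return None when the indicator is well formed, else a reason string."""
    if ioc_type == "SHA256" and not SHA256_RE.fullmatch(value.lower()):
        return f"expected 64 hex chars, got {len(value)}"
    if ioc_type == "Domain" and not DOMAIN_RE.fullmatch(value.lower()):
        return "not a plausible hostname"
    if ioc_type == "Sender email" and "@" not in value:
        return "missing @"
    if ioc_type == "URL" and not value.startswith(("http://", "https://")):
        return "not an http(s) URL"
    return None


def load_iocs(rows=DEFANGED_IOCS):
    """Split the published rows into usable (value, type) pairs and rejects."""
    usable, rejected = [], []
    for raw, ioc_type in rows:
        value = refang(raw)
        problem = validate(value, ioc_type)
        if problem:
            rejected.append((value, problem))
        else:
            usable.append((value, ioc_type))
    return usable, rejected


def match_logs(lines, iocs):
    """Case-insensitive, token-bounded search; returns (line_index, value, type)."""
    hits = []
    for i, line in enumerate(lines):
        low = line.lower()
        for value, ioc_type in iocs:
            pattern = r"(?<![\w.-])" + re.escape(value.lower()) + r"(?![\w-])"
            if re.search(pattern, low):
                hits.append((i, value, ioc_type))
    return hits


# Constructed log lines (DNS, mail gateway, proxy, EDR); not from any real incident.
LOGS = [
    "2025-09-12T10:14:03Z dns query=nuevos777.duckdns.org type=A client=10.0.5.21",
    "2025-09-12T10:14:05Z mail from=troquelesmyj@gmail.com subject='Boleta fiscal' attach=boleta.svg",
    "2025-09-12T10:15:40Z proxy GET https://drive.google.com/file/d/1haApB_GMwZb83nw1YPdIDTLMtksRjkh/view?pli=1 client=10.0.5.21",
    "2025-09-12T10:20:11Z edr file sha256=E7120D45EE357F30CB602C0D93ED8D366F4B11C251C2A3CD4753C5508C3B15E5 path=C:\\Users\\v\\Downloads\\x.zip",
    "2025-09-12T10:21:00Z dns query=update.microsoft.com type=A client=10.0.5.21",
]

if __name__ == "__main__":
    usable, rejected = load_iocs()
    for value, why in rejected:
        print("rejected:", value, "-", why)
    for idx, value, ioc_type in match_logs(LOGS, usable):
        print(f"line {idx}: {ioc_type} {value}")
```

The token boundaries in match_logs stop a domain indicator from matching inside a longer hostname, and lowercasing both sides handles tools that emit uppercase hashes; the rejected list is worth reviewing by hand rather than silently dropped, since a truncated hash usually means one character was lost in publication, not that the sample is benign.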