Between August and October 2025, a tightly targeted phishing campaign tricked Colombian and other Spanish-speaking users into opening what looked like official court notices, Cyber Security News reports.
The lure in this instance is lawsuits and labor-court paperwork. The bait was believable, and the fallout was full system access.
Victims received emails that masqueraded as messages from Colombia’s Attorney General’s office. Each message carried an SVG attachment. That file pointed to a Google Drive preview.
Click the preview and a download begins. The download is a password-protected ZIP. Inside sits an executable with a judiciary-themed name. It looks official, but it isn’t.
A Mutating Chain
Researchers at IBM X-Force say the executable is a renamed javaw.exe used for DLL side-loading. That technique lets a malicious DLL be loaded in place of a legitimate library.
In this case, JLI.dll is the puppet master. It hijacks the system’s library loading and pushes a second-stage payload into memory. From there, the chain mutates again. The final stage opens a backdoor to a command server.
The loader in the opening act is HijackLoader. X-Force notes HijackLoader has been seen before delivering other RATs, including Remcos. Here, it acts as the delivery vehicle for PureHVNC, a remote access trojan sold on underground forums and Telegram channels by a seller known as PureCoder.
Crucially, researchers say this is the first time they have observed PureHVNC being distributed in coordinated campaigns aimed at Spanish-speaking users.
When the Coast is Clear
The attacker uses LoadLibraryW() to force MSTH7EN.dll into memory. Then the payload manipulates memory permissions with VirtualProtect() to make code executable. The third-stage payload carries an encrypted config. It looks for certain process name hashes. If it detects security tooling, it will delay using NtDelayExecution().
Simply put, the malware watches for defenders and waits until it thinks it is safe to run. When ready, it phones home to a DuckDNS domain and hands the attacker full remote control.
Why the legal theme? Judicial and government lures work well in Latin America. People expect official paperwork to arrive by email. They expect urgency, and they click.
The campaign exploited that trust and turned it into an access vector. X-Force warns that government and corporate employees are particularly at risk.
What Defenders Should Do
Treat unexpected judicial attachments as hostile. Do not preview unknown SVGs. Train staff to verify legal notices through official channels, and scan ZIPs and executables in a sandbox before opening. Monitor for processes that exhibit suspicious memory manipulation or long, unexplained sleeps. Finally, block known command domains and watch for unusual outbound traffic.
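The behaviours described above (a renamed javaw.exe side-loading JLI.dll from a download folder, then beaconing to a DuckDNS name) can be turned into concrete detection logic. The following is an added example, not code from X-Force or from this article: it runs three rules over constructed Sysmon-style events and correlates hits per process. It assumes Sysmon's field names (Image, OriginalFileName, ImageLoaded, QueryName), a short list of trusted Java install paths, and a placeholder DuckDNS hostname; none of these values come from the campaign itself.

```python
"""Added example: detection pass over constructed Sysmon-style events for the
renamed-javaw.exe / JLI.dll side-load / DuckDNS beacon pattern described on
this page. The events, paths and hostnames below are constructed for
illustration and are not logs or indicators from the campaign."""

# Constructed sample events (Sysmon-like, simplified to dicts).
SAMPLE_EVENTS = [
    # Event 1: process creation; the binary is javaw.exe renamed to a judicial-sounding name.
    {"EventID": 1, "Image": r"C:\Users\ana\Downloads\Notificacion_Judicial.exe",
     "OriginalFileName": "javaw.exe", "ProcessId": 4120},
    # Event 7: that process loads JLI.dll from its own download folder, not from a JRE.
    {"EventID": 7, "Image": r"C:\Users\ana\Downloads\Notificacion_Judicial.exe",
     "ImageLoaded": r"C:\Users\ana\Downloads\JLI.dll", "ProcessId": 4120},
    # Event 22: DNS query from the same process to a DuckDNS-hosted name (placeholder).
    {"EventID": 22, "Image": r"C:\Users\ana\Downloads\Notificacion_Judicial.exe",
     "QueryName": "example-placeholder.duckdns.org", "ProcessId": 4120},
    # Benign control: a real JRE launching and loading its own JLI.dll.
    {"EventID": 1, "Image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "OriginalFileName": "javaw.exe", "ProcessId": 5000},
    {"EventID": 7, "Image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "ImageLoaded": r"C:\Program Files\Java\jre\bin\JLI.dll", "ProcessId": 5000},
]

# Assumption: a legitimately installed JRE lives under one of these prefixes.
TRUSTED_PREFIXES = (r"c:\program files\java", r"c:\program files (x86)\java")
# Dynamic DNS suffixes to flag; the page names DuckDNS as the C2 host.
DYNDNS_SUFFIXES = (".duckdns.org",)


def is_trusted_path(path):
    """True if the path sits under a trusted install prefix (case-insensitive)."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in TRUSTED_PREFIXES)


def basename(path):
    """Last path component, lower-cased; accepts Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return a list of (rule, pid, detail) findings for the supplied events."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        pid = ev.get("ProcessId")
        if eid == 1:
            # Renamed binary: the PE version info says javaw.exe, the on-disk name does not.
            orig = ev.get("OriginalFileName", "").lower()
            if orig == "javaw.exe" and basename(image) != "javaw.exe":
                findings.append(("renamed_javaw", pid, image))
        elif eid == 7:
            # JLI.dll loaded from outside a trusted JRE directory is the side-load signal.
            loaded = ev.get("ImageLoaded", "")
            if basename(loaded) == "jli.dll" and not is_trusted_path(loaded):
                findings.append(("jli_sideload", pid, loaded))
        elif eid == 22:
            # Outbound name resolution to a dynamic-DNS provider.
            q = ev.get("QueryName", "").lower()
            if q.endswith(DYNDNS_SUFFIXES):
                findings.append(("dyndns_query", pid, q))
    return findings


def correlate(findings):
    """Group findings per process; a PID hitting two or more rules is high confidence."""
    by_pid = {}
    for rule, pid, _ in findings:
        by_pid.setdefault(pid, set()).add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items() if len(rules) >= 2}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, pid, detail in hits:
        print(f"{rule:15} pid={pid} {detail}")
    print("high-confidence:", correlate(hits))
```

Each rule alone is noisy (developers do rename Java launchers, and DuckDNS has legitimate users), which is why the correlation step only escalates a process that trips at least two of them; the benign JRE in the sample trips none.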
The campaign shows how a single believable email can become a full compromise. It is small in scope but high in consequence.
An API Era Risk
Glyn Morgan, Country Manager, UK&I, of Salt Security, says this has all the hallmarks of an API era risk.
“Attackers use judicial documents to gain entry points which enables them to access internal APIs and test endpoints and exploit authentication weaknesses and authorisation flaws and rate limit vulnerabilities.”
He says every organization needs to focus on three essential security measures: “Complete API inventory management, authenticated traffic behavioural monitoring and function-level authorisation enforcement to detect lateral movement and business logic abuse at the beginning of an attack.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.