
Judicial Notification Phish Targets Colombian Users – .SVG Attachment Deploys Info-stealer Malware

Severity: Medium
Published: Mon Oct 13 2025 (10/13/2025, 19:01:41 UTC)
Source: AlienVault OTX General

Description

A sophisticated phishing campaign targets Colombian users by impersonating the Attorney General's Office with judicial notification lures. The attack uses a multi-stage infection chain starting with a malicious .SVG file attachment that triggers HTA, VBS, and PowerShell scripts, ultimately injecting the AsyncRAT malware into MSBuild.exe. AsyncRAT establishes command and control (C2) communications, steals data, and can dynamically load plugins. The campaign employs anti-virtual machine (VM) techniques, persistence mechanisms, and heavy obfuscation to evade detection. Although primarily focused on Colombia, the advanced tactics and malware capabilities pose risks to any organization exposed to similar phishing vectors. The threat demonstrates extensive use of MITRE ATT&CK techniques, including execution, persistence, defense evasion, credential access, and command and control. No known exploits or CVEs are associated, and the severity is assessed as medium based on current information.

AI-Powered Analysis

Last updated: 10/13/2025, 19:43:53 UTC

Technical Analysis

This threat involves a targeted phishing campaign aimed at Colombian users, leveraging a judicial notification theme to increase credibility. The initial infection vector is a malicious .SVG file attachment embedded in phishing emails, which exploits the ability of SVG files to execute scripts. Upon opening, the SVG triggers a chain of scripts including HTA (HTML Application), VBS (Visual Basic Script), and PowerShell, which work together to download and execute the AsyncRAT malware. AsyncRAT is a remote access trojan capable of stealing sensitive information, maintaining persistence by injecting itself into MSBuild.exe (a legitimate Microsoft build tool), and establishing encrypted C2 channels for remote control. The malware also supports dynamic plugin loading, enabling attackers to extend functionality post-infection. The campaign uses anti-VM and anti-debugging techniques to avoid sandbox detection and employs obfuscation to hinder analysis. It impersonates the Colombian Attorney General's Office, using localized and institutional details to increase the likelihood of user interaction. The attack chain covers multiple MITRE ATT&CK techniques such as T1566.001 (phishing), T1053.005 (scheduled task), T1543 (service creation), T1055 (process injection), T1071 (C2 communication), and T1547.001 (registry run keys), among others. Although no CVEs or known exploits are linked, the campaign's sophistication and multi-stage execution make it a notable threat. The campaign is currently focused on Colombia but the techniques and malware could be adapted for other regions.

Potential Impact

For European organizations, the direct impact is currently limited given the campaign's geographic targeting of Colombia. However, the use of highly evasive techniques and a powerful RAT like AsyncRAT poses a significant risk if similar phishing lures or malware variants are adapted for European targets. Successful infections could lead to data theft, espionage, credential compromise, and long-term persistence within networks. The injection into MSBuild.exe allows the malware to blend with legitimate processes, complicating detection and remediation. If attackers localize the phishing lure to European judicial or governmental institutions, the risk of successful compromise increases. The campaign's ability to dynamically load plugins means attackers can tailor payloads to specific targets, potentially impacting critical infrastructure, government agencies, or enterprises handling sensitive data. The use of anti-VM and obfuscation techniques further complicates detection by traditional security tools, increasing dwell time and potential damage. European organizations with weak email filtering, insufficient user awareness training, or inadequate endpoint detection capabilities are most at risk.

Mitigation Recommendations

European organizations should implement advanced email filtering solutions capable of detecting and blocking malicious attachments, including less common file types like .SVG and .HTA. Deploy endpoint detection and response (EDR) tools with behavioral analytics to identify suspicious script execution, process injection, and unusual MSBuild.exe activity. Enforce strict application whitelisting and restrict execution of scripting engines (PowerShell, VBS) to only authorized users and contexts. Conduct targeted phishing awareness training emphasizing the risks of opening attachments from unknown or unexpected sources, especially those impersonating judicial or governmental bodies. Regularly audit scheduled tasks, services, and registry run keys for unauthorized persistence mechanisms. Implement network segmentation and monitor outbound traffic for anomalous C2 communications, particularly those matching AsyncRAT patterns. Use threat intelligence feeds to update detection signatures based on known hashes and indicators of compromise (IOCs) associated with this campaign. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential infections.
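One way to turn the "unusual MSBuild.exe activity" recommendation above into a concrete check, as an added example that is not part of this report or of the Seqrite research it cites: it walks process-creation events (the event fields and the sample command lines are constructed for the example) and flags MSBuild.exe starts that sit under the HTA -> VBS -> PowerShell chain described in the analysis, or that carry no project file argument.

```python
"""Flag MSBuild.exe starts that match the script-host chain described in the report.
Added example with constructed telemetry; field names are assumptions, not a real EDR schema."""
from dataclasses import dataclass

# Script hosts that appear in the reported chain (HTA, VBS, PowerShell stages).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-case executable name, e.g. "msbuild.exe"
    cmdline: str


def ancestry(events, pid):
    """Return the image names from the given process up to the root, following ppid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:     # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def suspicious_msbuild(events):
    """Return (pid, reason) for each MSBuild.exe start that has a script-host ancestor
    or was launched without a project/solution file (a hollowed host, not a build)."""
    hits = []
    for e in events:
        if e.image != "msbuild.exe":
            continue
        parents = ancestry(events, e.ppid)
        if any(p in SCRIPT_HOSTS for p in parents):
            hits.append((e.pid, "msbuild.exe spawned under " + " <- ".join(parents)))
        elif not any(t in e.cmdline.lower() for t in ("proj", ".sln")):
            hits.append((e.pid, "msbuild.exe started without a project file"))
    return hits


# Constructed sample telemetry: one malicious chain and one legitimate build.
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "mshta.exe", "mshta.exe C:\\Users\\u\\Downloads\\notificacion.hta"),
    ProcEvent(300, 200, "wscript.exe", "wscript.exe //e:vbscript stage2.vbs"),
    ProcEvent(400, 300, "powershell.exe", "powershell -w hidden -ep bypass -enc <base64-placeholder>"),
    ProcEvent(500, 400, "msbuild.exe", "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"),
    ProcEvent(600, 100, "devenv.exe", "devenv.exe"),
    ProcEvent(700, 600, "msbuild.exe", "msbuild.exe app.csproj /t:Build"),
]

if __name__ == "__main__":
    for pid, reason in suspicious_msbuild(SAMPLE):
        print(pid, reason)
```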


Technical Details

Author: AlienVault
TLP: white
References: https://www.seqrite.com/blog/judicial-notification-phish-colombia-svg-asyncrat/
Adversary: none listed
Pulse Id: 68ed4c95892f0090f1b70ec4
Threat Score: none listed

Indicators of Compromise

Hash

5fad0c5b6e5a758059c5a4e633424555
6da792b17c4bba72ca995061e040f984
b1ed63ee45ec48b324bf126446fdc888

Threat ID: 68ed566406a2a330d32311e5

Added to database: 10/13/2025, 7:43:32 PM

Last enriched: 10/13/2025, 7:43:53 PM

Last updated: 10/15/2025, 4:19:15 AM

Views: 36
