LATAM baited into the delivery of PureHVNC

Severity: Medium
Published: Fri Oct 31 2025 (10/31/2025, 09:32:15 UTC)
Source: AlienVault OTX General

Description

Between August and October 2025, a phishing campaign targeted Colombian users by impersonating the Attorney General's office to deliver the PureHVNC Remote Access Trojan (RAT) via the Hijackloader malware loader. The attack chain involved sophisticated techniques such as DLL side-loading, anti-virtual machine checks, and multiple code injection methods to evade detection and maintain persistence. This campaign marks the first known use of Hijackloader to deliver PureHVNC in Spanish-speaking Latin America, signaling an evolution in regional threat actor tactics. Although primarily focused on Colombia, the use of phishing and advanced evasion techniques poses a risk to organizations with similar user profiles or language contexts. The campaign's medium severity reflects the complexity and potential for unauthorized remote access but lacks evidence of widespread exploitation beyond the initial targets. Defenders should prioritize user awareness, advanced endpoint detection, and monitoring for indicators of DLL side-loading and unusual process injections. No CVSS score is available; based on impact and exploitation complexity, the threat is assessed as medium severity.

AI-Powered Analysis

Last updated: 10/31/2025, 11:25:21 UTC

Technical Analysis

This threat involves a targeted phishing campaign conducted between August and October 2025 against Colombian users. Attackers impersonated the Attorney General's office to lure victims into downloading a malicious file. The infection chain begins with the Hijackloader malware loader, which is used to deliver the PureHVNC Remote Access Trojan (RAT). PureHVNC is a remote access tool that allows attackers to gain persistent, unauthorized access to infected systems. The campaign employs advanced evasion and persistence techniques, including DLL side-loading—a method where a legitimate application loads a malicious DLL to evade detection—and anti-virtual machine (anti-VM) checks to avoid analysis in sandbox environments. Additionally, various code injection methods are used to hide malicious activity within legitimate processes, complicating detection efforts. This campaign is notable as the first observed instance of Hijackloader delivering PureHVNC to Spanish-speaking users in Latin America, indicating a shift in regional threat actor tactics and toolsets. The campaign leverages multiple MITRE ATT&CK techniques such as T1053.005 (Scheduled Task/Job), T1218.011 (Signed Binary Proxy Execution), T1204.002 (User Execution: Malicious File), T1140 (Deobfuscate/Decode Files or Information), T1055 (Process Injection), T1497 (Virtualization/Sandbox Evasion), T1059.001 (Command and Scripting Interpreter: PowerShell), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder), T1566 (Phishing), T1027 (Obfuscated Files or Information), T1071.001 (Application Layer Protocol: Web Protocols), and T1574.002 (Hijack Execution Flow: DLL Side-Loading). No known exploits in the wild beyond this campaign have been reported, and no specific affected software versions are identified.

Potential Impact

For European organizations, the direct impact of this campaign is currently limited due to its targeting of Colombian users and Spanish-speaking Latin America. However, the techniques and malware used—Hijackloader and PureHVNC RAT—are globally relevant and could be adapted or expanded to target European entities, especially those with business or personnel links to Latin America or Spanish-speaking communities. The PureHVNC RAT enables attackers to gain persistent remote access, potentially leading to data exfiltration, espionage, credential theft, lateral movement, and disruption of operations. The use of sophisticated evasion techniques increases the likelihood of prolonged undetected presence, raising the risk of significant damage. Organizations in Europe with remote workforces, international collaborations, or exposure to phishing risks could face similar threats if attackers pivot their campaigns. The medium severity reflects a moderate but credible risk to confidentiality, integrity, and availability, particularly if the malware is deployed in critical infrastructure or sensitive environments.

Mitigation Recommendations

European organizations should implement targeted phishing awareness training emphasizing the risks of impersonation attacks and suspicious links, especially those purporting to come from official government entities. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying DLL side-loading, process injection, and anti-VM evasion techniques. Monitor for unusual scheduled tasks, registry run keys, and startup folder modifications indicative of persistence mechanisms. Employ network traffic analysis to detect anomalous outbound connections consistent with RAT command and control communications. Enforce strict application whitelisting and code-signing policies to prevent unauthorized DLL loading. Regularly update and patch systems to reduce the attack surface, even though no specific vulnerable software versions are identified. Conduct threat hunting exercises focusing on MITRE ATT&CK techniques observed in this campaign. Finally, maintain incident response readiness to quickly isolate and remediate infected hosts.

Technical Details

Author: AlienVault
TLP: white
References: https://www.ibm.com/think/x-force/latam-baited-into-delivery-of-purehvnc
Adversary: not specified
Pulse Id: 6904821fa7d50264deb316a4
Threat Score: not specified

Indicators of Compromise

Domain

7octubredc.duckdns.org
dckis13.duckdns.org
dckis7.duckdns.org
enviopago.mysynology.net
maximo26.duckdns.org
nuevos777.duckdns.org
sofiavergara.duckdns.org

Hash

MD5:
0ea1ecf1f75e4423b86c00842dfdf39d - MD5 of sample 85641c8fb94e8e4c5202152dcbb2bb26646529290d984988ecb72e18d63c9bc5
4b917db1f7ddc803821b573f1bc2a91c - MD5 of sample 33d0c63777882c9ec514be062612a56fdb1f291fcb6676c49480d3cd4501c508
5a916ebd868642889f99e654c10892ad - MD5 of sample afecefa6d9bd1e6d1c92144209eda320e1fe0f196ffa8e8bc114e7d3a25503f6

SHA-1:
1d5a6f9661525df3eba7c0924bc6ef2922155691 - SHA1 of sample 85641c8fb94e8e4c5202152dcbb2bb26646529290d984988ecb72e18d63c9bc5
b60d10aa993afd8001b476f2f92588839f387eab - SHA1 of sample 33d0c63777882c9ec514be062612a56fdb1f291fcb6676c49480d3cd4501c508
db97860b9c680d3519837fcfd8f4172a8cfdb1fd - SHA1 of sample afecefa6d9bd1e6d1c92144209eda320e1fe0f196ffa8e8bc114e7d3a25503f6

SHA-256:
0113d9f3d93069a29458b3b4c33610aae03961014df60a9e859f3104086d886a
14becb3a9663128543e1868d09611bd30a2b64c655dfb407a727a7f2d0fb8b7e
1ae61edf35127264d329b7c0e2bddb7077e34cc5f9417de86ab6d2d65bad4b4f
1bf3a1cf9bc7eded0b8994d44cf2b801bf12bc72dc23fb337ddd3a64ac235782
22d474e729d600dcd84ce139f6208ce3e3390693afa7b52b0615174fca6d0fe2
2cbfc482e27a2240a48d2fb6f6f740ff0f08598f83ae643a507c6f12a865dc28
2ec31a8a36d73fa8354a7ac0c39506dbe12638a0dc1b900f57620b8d53ae987f
33d0c63777882c9ec514be062612a56fdb1f291fcb6676c49480d3cd4501c508
4484b0ac51536890301a0e6573b962e069e31abc4c0c6f0f6fc1bf66bf588a93
47245b7d2d8cb6b92308deb80399e0273193d5bca39da85a6b2a87a109d18d85
57c49cff3e71bc75641c78a5a72d8509007a18032510f607c042053c9d280511
6d93a486e077858b75eb814e9a7bda181189d5833adce7cec75775cfda03f514
768ca38878c5bb15650343ce49292315a9834eaf62fad14422d52510c3787228
776bbaa44c7788e0ccd5945d583de9473b6246c44906692cb0a52e6329cb213a
7c3d9ad3f1bd890e3552dc67093e161395d4e1fab79ec745220af1e19a279722
7e64102405459192813541448c8fbadc481997a2065f26c848f1e3594ca404c9
85641c8fb94e8e4c5202152dcbb2bb26646529290d984988ecb72e18d63c9bc5
96ee786c5b6167c0f0f770efbace25e97d61e127ef7f58a879b6cf4b57e202c3
977f2f18ff13c93406c5702f83c04a9412760e02028aefc7c1cb7d6f2797a9b5
9e9997b54da0c633ffcf0a4fb94e67b482cf7a89522d1b254778d0c6c22c70ee
a0e4979b4e4a706286438d48f0e21b0d92cc7bd40c1c3ea5b9872089aaec0124
afecefa6d9bd1e6d1c92144209eda320e1fe0f196ffa8e8bc114e7d3a25503f6
b2f733b67f1ef06d9e5ce76d3cc848f6e7e3ec2d0c363c76d5175c6cf85f979b
bdca9849d7263d508b7ed4dbbf86bd628932b117b45933cb28a7e78171d05cdd
c93e70d20ba2948a6a8a013df68e5c4d14d59e5f549417d1a76833bd1c8efd22
ce42377d3d26853fd1718f69341c0631208138490decc8e71a5622df5e9e1f59
d550a2a327394148c0c3d05df2fe0156783fc313b4038e454f9aa2cb2f0f2090
e668ca17fcdfa818aac35f12064d10a0288d7d9c6b688966b695125b760567d6
e7120d45ee357f30cb602c0d93ed8d366f4b11c251c2a3cd4753c5508c3b15e5
fe6d0ee45a70359008b2916e5116c411a955978b5694cc457683ab7b26590e47
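The mitigation section above recommends monitoring outbound traffic for command-and-control contact and hunting for the campaign's artifacts; the indicator list gives the concrete values to hunt with. The following Python sweep is an added example, not code from the OTX pulse or the IBM X-Force report, that loads the listed C2 domains and a subset of the listed file hashes and checks them against a DNS log and against file contents. The DNS log format (`<timestamp> host=<name> qname=<domain> ...`), the host names and all sample log lines are constructed for the example. Domain matching is deliberately on the full indicator label (or a subdomain of it) rather than on the dynamic-DNS parent zones, because duckdns.org and mysynology.net also serve plenty of unrelated, legitimate names.

```python
import hashlib
import re

# C2 domains from the pulse's indicator list (copied from the page).
IOC_DOMAINS = frozenset({
    "7octubredc.duckdns.org",
    "dckis13.duckdns.org",
    "dckis7.duckdns.org",
    "enviopago.mysynology.net",
    "maximo26.duckdns.org",
    "nuevos777.duckdns.org",
    "sofiavergara.duckdns.org",
})

# File hashes from the pulse: the three samples published with
# MD5 / SHA-1 / SHA-256 plus one further SHA-256 (copied from the page).
IOC_HASHES = frozenset({
    "0ea1ecf1f75e4423b86c00842dfdf39d",
    "4b917db1f7ddc803821b573f1bc2a91c",
    "5a916ebd868642889f99e654c10892ad",
    "1d5a6f9661525df3eba7c0924bc6ef2922155691",
    "b60d10aa993afd8001b476f2f92588839f387eab",
    "db97860b9c680d3519837fcfd8f4172a8cfdb1fd",
    "85641c8fb94e8e4c5202152dcbb2bb26646529290d984988ecb72e18d63c9bc5",
    "33d0c63777882c9ec514be062612a56fdb1f291fcb6676c49480d3cd4501c508",
    "afecefa6d9bd1e6d1c92144209eda320e1fe0f196ffa8e8bc114e7d3a25503f6",
    "0113d9f3d93069a29458b3b4c33610aae03961014df60a9e859f3104086d886a",
})

# Hex digest length tells us which algorithm produced a listed hash.
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed DNS log format (an assumption for this example, not from the page):
#   <timestamp> host=<name> qname=<domain> qtype=<type> rcode=<code>
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+qname=(?P<qname>\S+)")


def normalize_domain(name: str) -> str:
    """Lower-case the name and drop a trailing root dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


def is_ioc_domain(qname: str) -> bool:
    """True if qname is a listed indicator or a subdomain of one.

    The suffix test is anchored on the full indicator label, so unrelated
    duckdns.org / mysynology.net names do not fire."""
    q = normalize_domain(qname)
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def sweep_dns_log(lines):
    """Return (host, qname) pairs for queries that hit a listed domain.

    Lines that do not fit the expected format are skipped, not treated as hits."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and is_ioc_domain(m["qname"]):
            hits.append((m["host"], normalize_domain(m["qname"])))
    return hits


def classify_hash(digest: str):
    """Return 'md5', 'sha1' or 'sha256' if digest is a listed indicator, else None."""
    d = digest.strip().lower()
    if d in IOC_HASHES and len(d) in HEX_LEN_TO_ALGO:
        return HEX_LEN_TO_ALGO[len(d)]
    return None


def sweep_file(data: bytes):
    """Hash file bytes with the three algorithms used in the pulse and return
    the subset of digests that match a listed indicator (empty dict if none)."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return {algo: h for algo, h in digests.items() if h in IOC_HASHES}


# Constructed sample log lines for the example (not real telemetry).
SAMPLE_DNS_LOG = [
    "2025-10-02T14:03:11Z host=ws-017 qname=sofiavergara.duckdns.org qtype=A rcode=NOERROR",
    "2025-10-02T14:03:12Z host=ws-017 qname=login.microsoftonline.com qtype=A rcode=NOERROR",
    "2025-10-02T14:05:40Z host=ws-042 qname=update.dckis7.duckdns.org. qtype=A rcode=NXDOMAIN",
    "2025-10-02T14:06:02Z host=ws-042 qname=myhome.duckdns.org qtype=A rcode=NOERROR",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for host, qname in sweep_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS hit: {host} -> {qname}")
    print("hash class:", classify_hash("0EA1ECF1F75E4423B86C00842DFDF39D"))
    print("benign bytes:", sweep_file(b"constructed benign content"))
```

Run against real data, replace `SAMPLE_DNS_LOG` with lines from the resolver or proxy log in the same field layout, and feed `sweep_file` the bytes of files found under the scheduled-task and Run-key paths flagged in the mitigation section. A hit on `sweep_dns_log` is worth an alert on its own; a `sweep_file` hit identifies the exact sample from the pulse by its SHA-256.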

Threat ID: 690498dc60041281bb1cefe6

Added to database: 10/31/2025, 11:09:16 AM

Last enriched: 10/31/2025, 11:25:21 AM

Last updated: 10/31/2025, 3:20:24 PM

Views: 5

Community Reviews

0 reviews