Operation Covert Access: Weaponized LNK-Based Spear-Phishing Targeting Argentina's Judicial Sector to Deploy a Covert RAT
A sophisticated spear-phishing campaign targeting Argentina's judicial sector has been uncovered. The operation uses a multi-stage infection chain to deploy a stealthy Remote Access Trojan (RAT). Attackers exploit trust in court communications by using authentic-looking judicial decoy documents. The campaign employs a weaponized LNK file, a BAT-based loader script, and a covert Rust-based RAT to establish persistent access within judicial environments. The malware performs extensive anti-VM and anti-debug checks, collects system information, and establishes resilient C2 connections. It supports various malicious activities including persistence, file transfer, data harvesting, encryption, and privilege escalation. The campaign demonstrates high operational sophistication and aims to gain long-term access to sensitive legal and institutional data.
AI Analysis
Technical Summary
Operation Covert Access is a targeted cyber espionage campaign uncovered by AlienVault, focusing on Argentina's judicial sector. Attackers leverage spear-phishing emails containing weaponized LNK files disguised as legitimate judicial documents to exploit user trust. Upon execution, the LNK file triggers a BAT-based loader script that initiates the deployment of a covert Remote Access Trojan (RAT) developed in Rust, chosen for its stealth and performance advantages. The RAT incorporates advanced anti-analysis features, including checks to detect virtual machines and debugging environments, thereby evading sandbox detection and forensic analysis. Once installed, the malware collects detailed system information and establishes resilient command and control (C2) channels to maintain persistent access. The RAT supports a broad range of malicious capabilities such as persistence mechanisms (T1547), credential dumping (T1003), exploitation of account permissions (T1069), file transfers, data harvesting, encryption of files, and privilege escalation. The multi-stage infection chain and use of authentic decoy documents indicate a high level of operational sophistication aimed at long-term infiltration and data exfiltration from sensitive judicial environments. Indicators of compromise include specific IP addresses and file hashes linked to the campaign. Although no known exploits or CVEs are associated, the campaign's stealth and persistence pose significant risks to judicial institutions. The campaign's focus on Argentina's judicial sector suggests geopolitical motivations, but the techniques and malware could be adapted to target similar institutions elsewhere.
Potential Impact
For European organizations, particularly those in the judicial and legal sectors, the threat posed by Operation Covert Access is significant. The campaign’s use of spear-phishing with weaponized LNK files exploits human trust in official communications, a common vector in many European institutions. If adapted or replicated in Europe, such attacks could lead to unauthorized access to sensitive legal data, undermining confidentiality and integrity of judicial processes. The malware’s capabilities for privilege escalation and data harvesting could facilitate espionage, manipulation of legal records, or disruption of judicial operations. Persistent access established by the RAT increases the risk of long-term compromise, making detection and remediation challenging. Additionally, the use of anti-VM and anti-debug techniques complicates forensic investigations and incident response. The potential impact includes reputational damage, legal consequences, and erosion of public trust in judicial institutions. Given the strategic importance of judicial systems in Europe, such threats could also have broader implications for national security and governance.
Mitigation Recommendations
European judicial and legal organizations should implement targeted defenses against spear-phishing and weaponized LNK attacks. Specific recommendations include:
1) Deploy advanced email filtering solutions capable of detecting and quarantining LNK files and suspicious attachments, especially those mimicking official documents.
2) Enforce strict execution policies to block or restrict the execution of LNK and BAT files from email or untrusted sources.
3) Conduct regular user awareness training focused on recognizing spear-phishing tactics and verifying the authenticity of judicial communications.
4) Implement endpoint detection and response (EDR) tools with behavioral analytics to identify anti-VM and anti-debug evasion attempts and anomalous persistence mechanisms.
5) Harden systems by applying least privilege principles to limit the impact of privilege escalation attempts.
6) Monitor network traffic for unusual outbound connections, particularly to known malicious IPs or C2 servers like the identified 181.231.253.69:4444.
7) Maintain up-to-date threat intelligence feeds to quickly identify and respond to emerging indicators of compromise.
8) Conduct regular security audits and penetration testing focused on social engineering and malware delivery vectors.
9) Establish incident response plans tailored to judicial environments to enable rapid containment and remediation.
10) Consider application whitelisting to prevent unauthorized execution of scripts and binaries.
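To make the network-monitoring and threat-intelligence items above concrete, here is a small IoC sweep in Python. It is an added example, not code from the report, AlienVault or Seqrite; the firewall log layout it parses and the sample log lines are constructed assumptions, while the indicator values are the ones published in the report.

```python
"""IoC sweep for Operation Covert Access (added example, not from the report).

Matches network log lines against the published C2 endpoint and observed
file hashes against the published hash list."""
import re
from typing import Iterable

# Indicators as published in the report. KNOWN_HASHES holds one hash of each
# type from the report's list; the remaining published hashes are added the same way.
C2_IP = "181.231.253.69"
C2_PORT = 4444
KNOWN_HASHES = {
    "02f85c386f67fac09629ebe5684f7fa0",                                  # MD5
    "347f09e2589435af084b5f19fc12e8fbdee16e1b",                          # SHA-1
    "10bbc5e192c3d01100031634d4e93f0be4becbe0a63f3318dd353e0f318e43de",  # SHA-256
}

# Constructed sample firewall log lines (not real traffic from the report).
SAMPLE_NETLOG = [
    "2026-01-20T08:51:02Z allow src=10.2.14.7 dst=181.231.253.69:4444 proto=tcp",
    "2026-01-20T08:51:05Z allow src=10.2.14.7 dst=93.184.216.34:443 proto=tcp",
    "2026-01-20T08:52:11Z deny src=10.2.14.9 dst=181.231.253.69:80 proto=tcp",
]

# Assumed log layout: "src=<ip> dst=<ip>:<port>"; adjust for your firewall's format.
CONN_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+):(?P<port>\d+)")


def find_c2_connections(lines: Iterable[str]) -> list[dict]:
    """One record per line whose destination is the C2 IP.

    Any contact with the C2 address is reported, since the listener port may
    differ between samples; the published port is flagged to aid triage."""
    hits = []
    for line in lines:
        m = CONN_RE.search(line)
        if m is None or m["dst"] != C2_IP:
            continue
        port = int(m["port"])
        hits.append({"src": m["src"], "port": port,
                     "known_c2_port": port == C2_PORT, "line": line})
    return hits


def match_hashes(observed: Iterable[str]) -> set[str]:
    """Case-insensitive match of observed MD5/SHA-1/SHA-256 values against the set."""
    return {h.strip().lower() for h in observed if h.strip().lower() in KNOWN_HASHES}
```

Feed it exported firewall or proxy lines and EDR file-hash events; a hit on the source host is the pivot point for the containment steps in the incident response plan.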
Affected Countries
Argentina, Spain, Italy, Germany, France, United Kingdom
Indicators of Compromise
- ip: 181.231.253.69
- url: http://181.231.253.69:4444
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.seqrite.com/blog/operation-covert-access-weaponized-lnk-based-spear-phishing-targeting-argentinas-judicial-sector-to-deploy-a-covert-rat/
- Adversary: null
- Pulse Id: 696f41524ac07b77da95e91c
- Threat Score: null
Threat ID: 696f41ef4623b1157c23df6e
Added to database: 1/20/2026, 8:50:55 AM
Last enriched: 1/20/2026, 9:05:36 AM
Last updated: 2/5/2026, 8:57:44 PM