
Watch out for SVG files booby-trapped with malware

Medium
Published: Sun Nov 09 2025 (11/09/2025, 04:31:57 UTC)
Source: AlienVault OTX General

Description

A malware campaign in Latin America uses oversized SVG files that carry the full malicious payload to deliver AsyncRAT, a remote access trojan. Delivery relies on social engineering: emails impersonating trusted institutions and carrying urgent legal warnings, aimed primarily at Colombia. Opening the SVG attachment shows a fake judicial portal to deceive the victim. The campaign uses DLL side-loading to evade detection and AI-generated templates to customize the lure. Because the payload is embedded directly in the SVG, no external download is needed at delivery time. Activity peaked mid-week in August and centred on impersonation of the judicial system. No CVSS score applies, but the threat is rated medium severity because of its stealth and the remote-control capability it installs. European organizations should treat this as an evolving tactic that can readily be adapted to other regions; scrutiny of SVG attachments and endpoint-level detection are the key defenses.

AI-Powered Analysis

AI analysis last updated: 11/10/2025, 11:36:22 UTC

Technical Analysis

This campaign embeds the entire malicious payload inside an oversized SVG file, so no external download or network connection is needed at delivery time. SVG is an XML format and, unlike a plain raster image, may carry script elements and event-handler attributes; when a recipient opens the attachment directly in a browser, that script executes. The attackers use social engineering, sending phishing emails that appear to come from trusted institutions with urgent legal warnings, primarily targeting users in Colombia. When victims open the SVG file, it displays a fake portal impersonating Colombia's judicial system to increase credibility and prompt interaction. The payload installs AsyncRAT, a remote access trojan that gives attackers persistent control over compromised devices. To evade detection, the campaign uses DLL side-loading, in which a legitimate (typically signed) executable is made to load a malicious DLL placed alongside it, so the malicious code runs under a trusted process image and bypasses many security controls. AI-generated templates are used to customize the phishing content, increasing the likelihood of compromise. The timing and targeting suggest a strategic focus on judicial and legal sectors, with attacks spiking mid-week in August. While currently focused on Latin America, the techniques could be adapted globally. Because the payload is never retrieved over the network, there is little for network-based detection to observe at delivery; defenders have to rely on attachment inspection and endpoint telemetry. Indicators include the file hash listed under Indicators of Compromise below and the MITRE ATT&CK techniques T1055 (Process Injection), T1547.009 (Boot or Logon Autostart Execution: Shortcut Modification), T1059 (Command and Scripting Interpreter), T1204 (User Execution), T1566 (Phishing) and T1027 (Obfuscated Files or Information). DLL side-loading itself is catalogued in ATT&CK as T1574.002 (Hijack Execution Flow: DLL Side-Loading).

Potential Impact

For European organizations, this threat poses significant risk if adapted to local contexts. Embedding the payload in the SVG bypasses network defenses that rely on spotting an external download. The social engineering component, impersonation of a trusted institution, can be tailored to European judicial or governmental entities, raising the odds of a successful phish. Compromise by AsyncRAT gives attackers full remote control, with the attendant risk of data exfiltration, espionage and disruption of services. DLL side-loading further complicates detection by running malicious code under a legitimate process image, which can evade endpoint security products that trust the host binary. The stealth and persistence of the malware could allow prolonged undetected intrusions affecting the confidentiality, integrity and availability of systems. Given the original campaign's focus on the judicial system, European judicial and legal institutions are particularly exposed if similar tactics are used. The use of AI-generated templates also means attackers can rapidly re-skin the campaign for new regions, increasing its adaptability and reach.

Mitigation Recommendations

European organizations should implement multi-layered defenses focused on malicious SVG attachments and DLL side-loading. Specifically: configure email security gateways to inspect SVG attachments as active content rather than as images, and quarantine or block those that are unusually large, contain script elements, event-handler attributes (onload and similar), javascript: URIs or large embedded base64 blobs; where SVG attachments are not business-critical, block the type outright or deliver it flattened to a raster image. Tune endpoint detection and response (EDR) to flag DLL side-loading (a DLL loaded by a signed executable from a user-writable location such as Downloads or Temp) and unusual process injection. User awareness training must emphasize caution with unsolicited emails claiming urgent legal or institutional matters, and make the point that an SVG attachment is not just a picture. Apply application allow-listing to restrict execution of unauthorized executables, DLLs and scripts. Network segmentation and strict access controls limit lateral movement if a device is compromised. Hunt regularly for AsyncRAT indicators and anomalous outbound connections: the delivery stage needs no network access, but the RAT still requires a command-and-control channel once installed. Finally, maintain updated threat intelligence feeds to recognize emerging AI-generated phishing templates and adapt defenses accordingly.
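The attachment checks called for above (file size, embedded script, event handlers, javascript: URIs, a large embedded payload blob) plus a comparison against the published hash, worked through as an added Python example. This is constructed illustration code, not code from the ESET report or from this site; the thresholds, the sample SVGs and the helper names are assumptions. Two caveats a practitioner will hit immediately: legitimate SVGs that embed raster images as base64 data URIs will trip the blob heuristic, so treat findings as signals to score rather than a verdict, and the standard-library XML parser should be replaced with defusedxml when the input is hostile.

```python
"""Static triage of an SVG attachment for the traits discussed on this page.

Constructed example, not code from the original report. It checks the file
size, long base64 runs (an embedded payload), <script> elements, on* event
handlers, javascript: URIs and <foreignObject>, and compares the SHA-1 of
the bytes against a hash IoC list.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

# Thresholds are assumptions for illustration; tune them to your mail flow.
SIZE_LIMIT = 512 * 1024   # bytes; icon and logo SVGs are normally far smaller
BLOB_LIMIT = 4096         # flag a single base64 run longer than this
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % BLOB_LIMIT)
EVENT_ATTR = re.compile(r"^on\w+$", re.I)
RISKY_URI = re.compile(r"^\s*(javascript|vbscript|data:text/html)", re.I)

# The one hash published under Indicators of Compromise on this page.
IOC_HASHES = frozenset({"0aa1d24f40eec02b26a12fbe2250cab1c9f7b958"})


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def _local(name: str) -> str:
    """Strip an XML namespace prefix like '{http://...}' from a tag or attribute."""
    return name.rsplit("}", 1)[-1].lower()


def triage_svg(data: bytes, known_hashes=IOC_HASHES) -> dict:
    findings = []
    digest = sha1_hex(data)
    if digest in known_hashes:
        findings.append(f"hash-match:{digest}")
    if len(data) > SIZE_LIMIT:
        findings.append(f"oversized:{len(data)}")
    for m in B64_RUN.finditer(data):
        findings.append(f"large-base64-blob:{len(m.group(0))}")

    # Structural checks. A booby-trapped SVG may be deliberately malformed,
    # so fall back to a raw byte scan when the XML parser gives up.
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        findings.append("xml-parse-error")
        if re.search(rb"<\s*script\b", data, re.I):
            findings.append("script-element(raw)")
        if re.search(rb"\son\w+\s*=", data, re.I):
            findings.append("event-handler(raw)")
    else:
        for el in root.iter():
            tag = _local(el.tag)
            if tag == "script":
                findings.append("script-element")
            elif tag == "foreignobject":
                findings.append("foreignObject")
            for attr, val in el.attrib.items():
                aname = _local(attr)
                if EVENT_ATTR.match(aname):
                    findings.append(f"event-handler:{aname}")
                if aname == "href" and RISKY_URI.match(val):
                    findings.append(f"javascript-uri:{aname}")
    return {"sha1": digest, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


# Constructed samples (not real campaign artifacts).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">'
              b'<circle cx="8" cy="8" r="6" fill="#c00"/></svg>')
_blob = base64.b64encode(b"A" * 6000)  # 8000 chars, stands in for a packed payload
MALICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                 b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="run()">'
                 b'<script>/* decoder for the blob would live here */</script>'
                 b'<a xlink:href="javascript:run()"><text y="20">Portal Judicial</text></a>'
                 b'<desc>' + _blob + b'</desc></svg>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        r = triage_svg(sample)
        print(label, r["verdict"], r["sha1"], r["findings"])
```

Run stand-alone it reports the benign sample as clean and the constructed malicious one as suspicious with the script element, the onload handler, the javascript: href and the 8000-character base64 run listed. In a gateway you would feed each SVG part to triage_svg and quarantine on any script, event-handler or hash finding, while routing size-only or blob-only results to analyst review.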


Technical Details

Author: AlienVault
TLP: white
References: https://www.welivesecurity.com/en/malware/svg-files-spreading-malware/
Adversary: not attributed
Pulse ID: 6910193d52761593fdf7ff28
Threat Score: none

Indicators of Compromise

Hash (40 hex characters, SHA-1 length): 0aa1d24f40eec02b26a12fbe2250cab1c9f7b958
Description: none given

Threat ID: 6911ce0353b42a4b74c9b5d0

Added to database: 11/10/2025, 11:35:31 AM

Last enriched: 11/10/2025, 11:36:22 AM

Last updated: 11/10/2025, 1:32:35 PM

