Threat Overview
A new threat report published by AlienVault on October 13, 2025, reveals a sophisticated phishing campaign targeting Colombian users. This campaign employs a judicial notification lure to trick victims into opening an .SVG file attachment that ultimately deploys AsyncRAT, an information-stealing remote access trojan.
Attack Pattern
The attack chain involves multiple stages, each designed to evade detection and ensure the successful deployment of the malware. The process begins with an SVG file, which leads to the execution of HTA (HTML Application), VBS (VBScript), and PowerShell scripts. These scripts work in concert to inject the AsyncRAT payload into MSBuild.exe, a legitimate Microsoft build engine.
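The chain described above (script host spawning script host, ending in a build engine that has no business being launched that way) is easier to catch in process-creation telemetry than at any single stage. The following Python is an added example, not code from the AlienVault report, that reconstructs process lineage from Sysmon-style events and flags MSBuild.exe when its ancestry runs through mshta.exe, wscript.exe or PowerShell, when its parent is not a recognised build tool, or when it is started without a project file. All events, PIDs and paths are constructed sample data; the set of "expected" MSBuild.exe parents and the no-project-file heuristic are assumptions to tune per environment.

```python
"""Flag MSBuild.exe launches consistent with the HTA -> VBS -> PowerShell -> MSBuild chain.

Added detection example; the events below are constructed, not report IoCs.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged (Sysmon EID 1 style)
    cmdline: str


# Interpreters the reported chain passes through: mshta.exe hosts the HTA,
# wscript/cscript host the VBS, then PowerShell stages the payload.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}

# Assumption: parents from which MSBuild.exe legitimately starts in this estate.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "cmd.exe", "vsjitdebugger.exe"}

# Assumption: a real build names a project/solution file on the command line.
PROJECT_EXT = (".proj", ".csproj", ".vbproj", ".sln", ".targets")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def ancestry(by_pid: dict, pid: int) -> list:
    """Image basenames from the given process up to the root, loop-safe."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def find_suspicious_msbuild(events: list) -> list:
    """Return one finding per MSBuild.exe launch that matches any signal."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "msbuild.exe":
            continue
        lineage = ancestry(by_pid, e.pid)[1:]          # parents only
        parent = lineage[0] if lineage else None
        hosts = [p for p in lineage if p in SCRIPT_HOSTS]
        reasons = []
        if parent not in EXPECTED_MSBUILD_PARENTS:
            reasons.append(f"unexpected parent {parent}")
        if hosts:
            reasons.append("script hosts in ancestry: " + " <- ".join(hosts))
        if not any(tok.lower().endswith(PROJECT_EXT) for tok in e.cmdline.split()):
            reasons.append("no project file on command line")
        if reasons:
            findings.append({"pid": e.pid, "lineage": lineage, "reasons": reasons})
    return findings


# Constructed sample telemetry: one chain shaped like the report, one benign build.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Browser\browser.exe", "browser.exe notificacion.svg"),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\u\AppData\Local\Temp\n.hta"),
    ProcEvent(400, 300, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\s.vbs"),
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\u\AppData\Local\Temp\stage.ps1"),
    ProcEvent(600, 500, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "MSBuild.exe"),
    ProcEvent(700, 1, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe", "devenv.exe"),
    ProcEvent(800, 700, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "MSBuild.exe app.csproj /t:Build"),
]

if __name__ == "__main__":
    for f in find_suspicious_msbuild(SAMPLE_EVENTS):
        print(f"MSBuild pid {f['pid']}: " + "; ".join(f["reasons"]))
        print("  lineage: " + " <- ".join(f["lineage"]))
```

The three signals are deliberately independent: the lineage check survives an attacker inserting an extra intermediate process, the parent allow-list catches a direct PowerShell-to-MSBuild hop even if script hosts are renamed, and the missing project file catches MSBuild.exe used purely as an injection host. Expect to add your own CI agents and build servers to EXPECTED_MSBUILD_PARENTS before deploying this.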
Actor Group
The specific actor group behind this campaign is not detailed in the report, but the sophistication of the attack suggests a well-resourced and organized threat actor. The use of advanced tactics, techniques, and procedures (TTPs) indicates that the group has significant expertise in cyber operations.
Report Details
The campaign is designed to appear legitimate by leveraging geographical and institutional details specific to Colombia. It impersonates the Attorney General’s Office, making the phishing emails more convincing to targeted users. The attackers employ several evasion techniques, including anti-VM (virtual machine) measures, persistence mechanisms, and obfuscation methods, to avoid detection by security tools.
The AsyncRAT payload is particularly dangerous as it can steal sensitive data, establish command and control (C2) communication with the attacker, and dynamically load additional plugins. This flexibility allows the malware to adapt to different environments and perform a wide range of malicious activities.
MITRE ATT&CK Categories
The attack demonstrates advanced tactics across various MITRE ATT&CK categories, including initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, and exfiltration. This comprehensive approach highlights the sophistication of the threat actor and the need for robust security measures.
Confidence Level and Reliability
The confidence level in the accuracy of this report is 100%, indicating that the findings are based on solid evidence. The reliability of the report is rated as A – Completely reliable, further reinforcing its credibility. The report includes 63 connected elements, providing a detailed analysis of the attack chain and its components.
Recommendations
User Awareness: Educate users about the dangers of phishing emails, especially those that appear to come from official sources. Train them to recognize the signs of a phishing attempt and to verify the authenticity of such communications before taking any action.
Email Filtering: Implement advanced email filtering solutions that can detect and block phishing attempts based on content, attachments, and sender information. Regularly update these filters to keep up with new threats.
Endpoint Protection: Deploy endpoint protection solutions that can detect and block the execution of malicious scripts and files. Ensure that these solutions are regularly updated to protect against the latest threats.
Network Monitoring: Use network monitoring tools to detect unusual activity that may indicate a compromise. This includes monitoring for C2 communication and the presence of unknown or unauthorized software on the network.
Incident Response: Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Ensure that all relevant stakeholders are trained on this plan and know their roles and responsibilities.
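The Email Filtering and Endpoint Protection recommendations above are the point where an SVG lure can be stopped before any script host runs. The report does not detail how the .SVG attachment hands off to the HTA stage; the added example below assumes the common pattern of active content inside the SVG (script elements, event-handler attributes, foreignObject, or javascript:/external hrefs) and inspects an attachment for those. It is not code from the report or from AlienVault, uses only the Python standard library, and the two sample attachments are constructed for illustration.

```python
"""Inspect an SVG attachment for active content before delivery.

Added mail-gateway example with constructed samples. It treats any
script, event handler, embedded foreign document or javascript:/data:/remote
href as grounds to quarantine; plain vector graphics pass clean.
"""
import re
import xml.etree.ElementTree as ET

# Assumption: attachments above this size are quarantined without parsing,
# which also bounds the work an oversized or entity-heavy document can cause.
MAX_SVG_BYTES = 2_000_000

# Elements that can carry executable or embedded content in an SVG viewer.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
RISKY_SCHEMES = ("javascript:", "data:", "http:", "https:")


def local_name(qualified: str) -> str:
    """Strip an ElementTree '{namespace}name' prefix and lower-case the name."""
    return qualified.rsplit("}", 1)[-1].lower()


def inspect_svg(data: bytes) -> list:
    """Return a list of findings; an empty list means nothing active was seen."""
    if len(data) > MAX_SVG_BYTES:
        return ["oversized attachment"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML is itself a reason to hold the message: viewers are
        # more forgiving than this parser, so do not let it through unchecked.
        return [f"unparseable XML: {exc}"]

    findings = []
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for el in root.iter():
        name = local_name(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"active element <{name}>")
        for attr, value in el.attrib.items():
            aname = local_name(attr)            # handles xlink:href as well
            if EVENT_ATTR.match(aname):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href":
                v = value.strip().lower()
                if v.startswith(RISKY_SCHEMES):
                    findings.append(f"href on <{name}> uses {v.split(':', 1)[0]}: scheme")
    return findings


def is_deliverable(data: bytes) -> bool:
    """Gateway decision: deliver only when inspection found nothing."""
    return not inspect_svg(data)


# Constructed samples: a plain graphic and a lure-shaped file with active content.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4"/></svg>'
)
SUSPICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
    b'<script>/* constructed placeholder, no real payload */</script>'
    b'<a href="javascript:void(0)"><text>Notificacion judicial</text></a></svg>'
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, "->", "deliver" if is_deliverable(blob) else "quarantine", inspect_svg(blob))
```

Run this on the decoded attachment bytes, not on the MIME text, and keep the decision binary: an SVG that needs script to render is not something a judicial notice should ever require, so the gateway can quarantine on the first finding rather than scoring them.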
External References
For additional information, please refer to the following external references: