Shadow Vector targets Colombian users via privilege escalation and court-themed SVG decoys

Authors: Santiago Pontiroli, Jozsef Gegeny, Ilia Dafchev

Summary

Acronis Threat Research Unit (TRU) identified an active malware campaign targeting users in Colombia using malicious scalable vector graphics (SVG) files as the initial infection vector.

Attackers distributed spear-phishing emails impersonating trusted institutions in Colombia, delivering SVG decoys with embedded links to JS / VBS stagers hosted on public platforms, or password-protected ZIP files containing the payloads directly.

The payloads included remote access tools (RATs) such as AsyncRAT and RemcosRAT, both delivered through DLL side loading and driver-based privilege escalation techniques.

Recent campaigns rely on multistage obfuscated payloads and include a .NET loader exhibiting behavior consistent with Katz Loader. It features UAC bypass, anti-analysis, process injection and persistence, with payloads sometimes hidden as Base64 within text or image files retrieved from the Internet Archive.

Shadow Vector blends traditional social engineering, public infrastructure abuse and stealthy execution techniques, reflecting a high level of operational flexibility and an evolving technical maturity of regional threat actors in Latin America.

The current threat focus of the malware targets both individuals and organizations, enabling keylogging, credential theft (including banking credentials), and full remote access to compromised systems. While its current use centers on stealing sensitive and confidential data, its capabilities suggest potential for expansion into more destructive actions such as ransomware deployment.

Introduction

The Acronis Threat Research Unit (TRU) identified an ongoing malware campaign named Shadow Vector, actively targeting users in Colombia through malicious SVG files masquerading as urgent court notifications. These deceptive emails employ SVG smuggling, a newly added subtechnique in the MITRE ATT&CK framework.

SVG smuggling involves abusing scalable vector graphics files to hide or deliver malicious content. While not a new tactic, its formal recognition highlights the growing use of trusted yet flexible file formats in modern phishing and malware delivery. SVG files render cleanly in browsers, support embedded links or scripts and often bypass traditional email security controls.

Once opened, these SVG files direct users to download and extract payloads hosted on public file-sharing services such as Bitbucket, Dropbox, Discord and YDRAY. The downloaded archives typically include a mix of legitimate executables and malicious DLLs, initiating a multistage infection chain that ultimately delivers AsyncRAT and RemcosRAT, two remote access tools widely used for data theft.

Delivery – malware served

Shadow Vector’s delivery mechanism reflects a carefully structured phishing operation that capitalizes on social engineering and public trust in national institutions. Emails observed in this campaign are designed to appear as legitimate legal notifications and contain SVG attachments that render in-browser, a tactic that helps evade attachment filtering and encourages user interaction without raising suspicion.

The contents of the SVG files are visually consistent, often mimicking official court formats with minimal variation. Each file includes a case summary followed by an embedded link, typically labeled as access to additional legal documentation. These links redirect users to archives hosted on public file-sharing platforms such as Bitbucket, Discord CDN and YDRAY — a method that allows payloads to blend into legitimate traffic and bypass basic reputation-based detection systems.

Each archive is protected by a password, which is often displayed within the SVG file or provided in the body of the phishing email. This tactic increases user involvement and reduces automation-based inspection by requiring manual extraction. Once unpacked, the archive contains a legitimate executable, a benign but vulnerable DLL and a single malicious DLL designed to be side loaded, allowing the malware to run within a trusted process and evade detection.

Notably, the Superior Council of Judicature (Spanish: Consejo Superior de la Judicatura) issued a public advisory warning judicial employees and citizens of ongoing phishing activity abusing the Judicial Branch's branding. The advisory specifically referenced emails distributing malicious attachments under the pretense of court-related matters and urged heightened vigilance when handling messages that prompt document downloads. It also outlined procedures for verifying the legitimacy of such communications and encouraged reporting suspected phishing to official institutional channels.

Case file: AsyncRAT via DLL side loading

In this version of the Shadow Vector campaign, the victim gets a phishing email with an SVG file. From there, they download a password-protected archive and extract its contents. Inside, there is a legitimate-looking executable and several DLL files, one of which carries the AsyncRAT payload. The main executable often uses names like vcredist.exe to appear harmless. A common sign in these samples is the presence of a mscorlib.dll file that always has the same size and structure. Despite the name, this file is not a real .NET library but a custom-built file used to hide the malware. The attack uses DLL side loading, where the clean-looking executable loads the malicious DLL and starts the AsyncRAT infection process.

Side-loaded execution chain

The initial executable is a legitimate application that invokes the BrotliEncoderCreateInstance() function from the ‘libbrotlicommon.dll’ library. Due to Windows’ DLL search order, the system loads a malicious version of this DLL placed in the same directory. This DLL side-loading technique enables the execution of attacker-controlled code within a trusted process and is consistently observed across all analyzed samples in the campaign.

Inside the loaded DLL, the first action is to create a handle to the mscorlib.dll file located in the same directory and read its contents. Although the file contains a valid PE header, multiple detection tools misidentify it as a nonexecutable binary. A manual HEX inspection revealed an additional 9 bytes inserted at the beginning of the file, intentionally offsetting the PE header. This manipulation disrupts automated parsing and causes errors in PE detection and decompilation tools, effectively acting as a lightweight anti-analysis mechanism.

The payload then creates a legitimate process, AddInProcess32.exe, in a suspended state and performs process hollowing to inject and execute the malicious module. This technique involves allocating memory in the target process and writing the payload using a series of Windows API calls, including: NtAllocateVirtualMemory, GetProcessHeap, RtlAllocateHeap, Wow64GetThreadContext, NtWriteVirtualMemory, Wow64SetThreadContext and NtResumeThread. This allows the malware to run under the context of a trusted system binary, evading detection.

Just before the ‘NtWriteVirtualMemory’ call, we can observe the loaded DLL in the memory without the first 9 bytes, like it was in the original file. Then it creates a new thread, sets its context and resumes it. After that, the current program terminates.

After injecting into the running process, the actual .NET payload becomes visible and is recognized as an AsyncRAT client, derived from an open-source C# implementation.

Configuration

At the start of execution, the malware loads its configuration by decrypting multiple AES-encrypted values, including C2 servers, installation flags and other runtime settings. The AES key is embedded in the sample, Base64 encoded. The configuration can be decrypted using public tools like CyberChef with a known AsyncRAT recipe.

Once all settings are decrypted, the malware checks their integrity by comparing the hash of the decoded server certificate with the expected value. Below is an example of a decrypted configuration obtained during analysis:

Setting

Value

Key

"zZ5OP9zoIeGTxRmoYxR6XEu0yUxV6wAE"

Ports

7788

Hosts

"asynk02[.]duckdns[.]org"

Version

"| CRACKED BY https://t[.]me/xworm_v2"

Install

false

Mutex

"AsyncMutex_6SI8OkPnk"

PasteBin

null

Anti

false

Offline KL

false

BDOS

false

Group

Default

Server signature

"ZVd/qp267KSFBMNW9/3VMfHsPytmlgBk9j3jgX17laucHFuCOxWJNB7zndRiJq/jQ6ckzvTkcdMQ3RjDpiY0nNXztOIK52VHO6x9wwi1fPm6WlpIptehdvbnYiychf8iGsWVn5QVy0BqtEv5qimKTJz4nCu1SqPWwqipatSoYR9423v6FIR+IqrQZconVd1UWyF45gjVoB75HbkPWQBmLpbwCqyqYNxfCiwi8ofIQyXiJ6tKaHtlUwbhxn88yAxq+/b2JxrLuiUP8JNIIo65N93UUfZSnBYIyDeXsjYZ3AJtoASFYbbfJApen1mh9bilvLv5ItRjY1abfPOu2/EmpVPuPYmmBsSRH57N9hkt2f3u0QB4IPeY3OXWVTGTcai4r39Bo9a0tT0KaFqgflI//ItgVgwb/YePuEj8FJd7u9pmMJHCR/MOD8rIqxMmhJGAR9AATMGs9awkY6efw+WOt7vJFIOwP/1HIdmQFXEXeY9MH6yaeqgkRrEVK37Xjnv0glvLAMEumoZsHOta3ogupFp9dOAVTorXkm/rPYT8TbLsI1Hq6N8xxaSEdyacNsWl+urAwLCUejjNRPVaO4UGLKPmWgqFA/Qc9k1iTQLjpXwgZiLgLkpPncJCf45MuDlVWzy1J+ax6w0LmU6NmYmctWhonulIFIEiZL98bu5CH0I="

To check if the malicious payload is running in an analysis environment it executes multiple functions:

Function

Action

Check manufacturer

Get manufacturer name and compare it with: “VIRTUAL”, “vmware”, “VirtualBox”

Detect debugger

Execute “CheckRemoteDebuggerPresent”

Detect sandbox

Try to obtain handle to “SbieDll.dll” library

Check disk size

Check if disk size is smaller than 61000000000 bytes

Is XP

Check if current system is Windows XP

If any of these functions return true, it calls Environment.FailFast(), which terminates the process.

Installation and persistence

When the ‘Install’ setting is true, it will enter a function that will establish persistence. First, it copies itself to the new path using the folder value from the config, if present, and then executes the ‘schtasks’ command to set AutoStart on login.

Then it sets an AutoStart registry key. The path to the key is stored in reverse format. For example, using ‘\nuR\noisreVtenrretnuC\swodniW\tfosorciM\erawtfoS’ instead of ‘Software\Microsoft\Windows\CurrentVersion\Run’, a common (and simple) technique used by malware to hide this behavior.

Finally, it executes a batch script that starts the payload from the new location and deletes the old version.

Every keystroke you make, every move you take — they’ll be watching you

After completing the initial setup, the payload launches two threads. The first continuously monitors and stores the user's last input timestamp. The second functions as a keylogger, setting a window hook to track the active process on the screen and logging every keystroke entered by the user.

For server communication, the payload supports multiple connection methods depending on the Pastebin setting. If this setting is set to null, it falls back to a domain specified in the sample's embedded configuration. It first checks whether the domain name is valid using ClientSocket.IsValidDomainName(). If valid, it attempts to resolve the domain using Dns.GetHostAddresses() and iterates over each returned IP address, trying to establish a connection via ClientSocket.TcpClient.Connect(). If a connection is successful (ClientSocket.TcpClient.Connected), the loop breaks. If the domain is not valid or resolution fails, it attempts to connect directly using the original string and a predefined port. This logic provides redundancy to ensure the malware reaches its command-and-control infrastructure.

Once the connection is established, the malware transmits victim details, including system information and metadata about the executed sample.

Additionally, the malware checks for the presence of cryptocurrency wallets and specific browser extensions by inspecting designated folders. If any are found, it sets the corresponding value to ‘true’. The following is the list of identifiers it uses:

Meta_Firefox, Meta_Chrome, Meta_Brave, Meta_Edge, Meta_Opera, Meta_OperaGX, Phantom_Chrome, Phantom_Brave, Binance_Chrome, Binance_Edge, TronLinkChrome, Exodus_Chrome, BitKeep_Chrome, CoinBase_Chrome, Ronin_Chrome, Trust_Chrome, BitPay_Chrome, F2a_Chrome, F2a_Brave, F2a_Edge, Ergo_Wallet, Ledger_Live, Atomic, Exodus, Electum, Coinomi, Binance, Bitcoin_Core

The client receives data from the server in an encoded format. It first decompresses the content using the Zip.Decompress() function, then decodes the message. After reading a byte from the message, it compares it against predefined values. Based on the result, it performs various operations, such as byte swapping and converting the data into specific data types.

When a command is received from the server, the payload extracts it from the packet, computes its hash and compares it against stored values. Each command is also directly compared to the predefined set of valid commands:

getscreen, uacoff, killps, ResetHosts, weburl, Chrome, plugin, ResetScale, passload, Wallets, savePlugin, Fox, pong, DiscordTokens, setxt, WDExclusion, KillProxy, Net35, klget, Avast, Block, WebBrowserPass, gettxt, anydesk, backproxy

Once the appropriate command is identified, the payload calls the Plugins() function, which triggers a specific procedure based on the provided parameter.

These plugins represent the functional components of each command. By default, not all plugins are included in the initial payload. Instead, they can be downloaded from the server when the ‘plugin’ or ‘savePlugin’ commands are received. The following is a list of commands and corresponding actions included in the payload:

Command

Action

killps

Kill process

ResetHosts

Clear “\\hosts.backup” file

weburl

Open provided URL using “Process.Start”

plugin

Download and invoke payload plugin

ResetScale

Use SPI SETLOGICALDPIOVERRIDE to change scaling

pong

Change interval between client-server communications

klget

Get keylogger log file

Block

Modify ‘\\hosts’ file to block a particular IP address

gettxt

Get clipboard data

Signed and delivered: Abusing vulnerable drivers and DLL side loading

Inside the ZIP archive this time we find a decoy executable and two DLLs, one legitimate and one weaponized. The executable side loads the legitimate ‘CiscoSparkLauncher.dll’, which in turn triggers the malicious DLL to decode and deploy three files to the ‘%Temp%’ directory: two vulnerable drivers used for kernel-level privilege escalation, and the final RemcosRAT payload.

The initial executable calls a function from ‘CiscoSparkLauncher.dll’, a legitimate file that, in turn, invokes GetFileVersionInfoSizeW() from ‘VERSION.dll’. In this case, ‘VERSION.dll’ is a malicious DLL, indicating classic DLL side loading. The malicious DLL employs control flow obfuscation across its functions, using loops and conditional checks to slow down analysis.

It allocates a new memory block with 5982208 bytes in size and copies data from the ‘.rdata’ section. In fact, this section size is 5989888 bytes, and when copying, it skips the first 7680 bytes. As a result, only encoded data will be copied from this section. Then it starts resolving several Windows API addresses from ‘kernel32.dll’, ‘ADVAPI32.dll’ and ‘ole32.dll’ libraries.

The data that was copied from the ‘.rdata’ section is then passed to the decoding function. Here, it first constructs a key from two 16-byte values and decodes the section using the ‘XOR’ operation.

During execution, it will decode additional data in the same way, but using a different key:

The decoded data includes additional code that is executed after decryption. This code first performs virtual machine checks by inspecting the system name for indicators like ‘vmware’ or ‘virtualbox’, evaluating available memory, CPU count and screen resolution. If any of these conditions suggest a virtualized environment, the program terminates execution.

It will copy itself alongside ‘CiscoSparkLauncher.dll’ and ‘VERSION.dll’ files to the ‘%Temp’ folder and execute the next command to establish persistence:

C:\Windows\system32\cmd.exe /c schtasks /create /tn "Yt4Bvc2G" /tr "C:\Users\DEV\AppData\Roaming\DEMANDA LABORAL JUDICIAL 2313154.exe" /sc onlogon /rl highest /f

To bypass anti-malware software, it checks for folder paths' presence and then uses ‘CreateToolHelp32Snapshoot’, ‘Process32First’ and ‘Process32Next’ functions to list all running processes and terminate ones that match the saved list of process names:

AnhRpt, Ahnsd, v3sp, mupdate2, autop, ArtHost, ASDSvc, v3lite4, v314sp, V3Light, V3Medic, V3SVC, AhnLabPolicyAgent, eausvc, AYUpdate.aye, ALYac.aye, AYAgent.aye, AYUpdSrv.aye, AYWSSrv.aye, AYTRSrv.aye, ALMountService, eOppFrame, egui, eguiProxy, efwd, ekrn, mc-fwhost, mc-web-view, mcupdate, mfwc, updaterui, mfeann, mcuicnt, mfevtps, mfetp, mfemms, McShield, AvEmUpdate, icarus_ui, overseer, AVGUI, aswidsagent, afwServ, avgToolsSvc, aswEngSrv, AVGSvc, wsc_proxy, overseer, wa_3d_party_host_64, su_worker, wa_3d_party_host_32, AvastBrowserUpdate, AvBugReport, AvastBrowserProtect, icarus_ui, icarus, AvastUI, aswidagent, afwServ, aswToolSvc, aswEngSrv, AvastSvc, wsc_proxy, MpCmdRun, NisSrv, MsMpEng, smartscreen, MpDefenderCoreService, HipsMain, wsctrlsvc, HipsTray, TrafficPort, HipsDaemon, 360UHelper, 360speedld, safesvr, SoftMgr, LiveUpdate360, inst, 360Safe, 360leakFixer, 360Tray, ZhuDongFangYu, PopTip, 360TsLiveUpd, certuril, PromoUtil, PopWndLog, QHSafeTray, QHWatchdog, QHActiveDefense, QHSafeMain, HipsMain, wsctrlsvc, HipsTray, TrafficPort, HipsDaemon

Then it reads additional data from '.rdata' section, decodes it, and writes three files to the ‘%Temp’ folder:

File name

Description

VFZE6ksYnpPfSnEWUNg.sys

WiseCleaner vulnerable driver

cuDX73ob9SxeAS0IdV.sys

Zemana vulnerable driver

svchost.exe

RemcosRAT

Both vulnerable drivers are launched as kernel-mode services. The sample then uses the DeviceIoControl() function with the control code 0x80002010 to register the dropped svchost.exe process as authenticated and finally terminates itself.

The analyzed payload stores its configuration as an encrypted resource. The first byte indicates the key size, followed by the RC4 encryption key. The remaining data contains the encrypted configuration.

The decrypted configuration reveals several operational parameters used by the malware, including the command-and-control (C2) server address and port, botnet name, maximum size for keylogger log files, binary name and mutex name. It also specifies the screenshot capture interval in seconds, designated folder names for storing screenshots and audio recordings, and a license number, likely used to track deployments or affiliate usage.

Obfuscation sustained

A new chapter of the Shadow Vector campaign is unfolding at the time of this writing, expanding on its previously documented SVG smuggling techniques. In this iteration, the threat actor adopts a modular approach, deploying a loader associated with Katz Stealer. The infection chain still begins with carefully crafted SVG lures, but now includes JavaScript and PowerShell stagers, a UAC bypass via cmstp.exe and a dynamic .NET loader DLL equipped with anti-analysis features, process injection and optional persistence mechanisms.

The threat actor behind the latest Shadow Vector activity is using several Bitbucket repositories to host malicious JavaScript and VBS stagers. One such repository, ‘notificaciones-judiciales2025-2005’, recorded over 170 combined downloads of its staged payloads within just a few hours of upload on May 28, 2025. This volume of activity suggests that a coordinated phishing campaign was likely underway during that period. Among the uploader aliases observed, ‘TheMrHacker’ stands out against the otherwise consistent use of the generic label ‘Envio’ (Spanish for “shipping”), potentially offering a clue into the operator’s identity.

The infection chain begins with a JavaScript file masquerading as a legal notice, in this case named ‘001-Notificacion_electronica_demanda_judicial_Departamento_Juridico.js’, which acts as the initial dropper. Upon execution, it retrieves a second-stage script from Paste.ee.

This follow-up obfuscated script launches a PowerShell command configured to run silently (-nop -w hidden) using Invoke-Expression, which is then able to fetch additional encoded content from two Paste.ee endpoints (both with the same SHA256 hash).

In the final stage, the script downloads a Base64-encoded DLL from the Internet Archive, typically disguised within a text file hosted at archive[.]org/replace_202505/REPLACE[.]txt. In some cases, it instead retrieves an image file containing an embedded Base64 payload hidden within the image content. The script extracts and decodes the payload, then loads the DLL directly into memory using PowerShell’s [Reflection.Assembly]::Load() method.

The multistage infection chain delivers a .NET DLL that dynamically loads and executes the dnlib.IO.Home.VAI() method, a behavior consistent with known Katz Loader samples. Although the loader matches several YARA signatures linked to Katz Stealer, it does not deploy the stealer in this case. Instead, it retrieves the final payload at runtime and executes it entirely in memory, leaving no artifacts on disk. The loader implements advanced features such as anti-debugging and anti-tampering checks, an optional UAC bypass using cmstp.exe and string decryption from an encrypted resource blob. It uses process hollowing to inject code into legitimate binaries and maintains persistence through scheduled tasks and registry modifications. It also allows runtime configuration of anti-VM checks.

Several strings embedded within the loader’s code are written in Portuguese, including messages such as “Baixar e executar o PuTTY a cada 1 minuto indefinidamente” (“Download and execute PuTTY every 1 minute indefinitely”), “Extensão não suportada” (“Unsupported extension”), “Recurso 'UAC.dll' não encontrado!” (“Resource 'UAC.dll' not found!”), and “Erro ao executar a DLL em memória” (“Error executing the DLL in memory”). These messages, combined with the parameter names used in the VAI method (e.g., ‘caminhovbs’, ‘persitencia’, ‘extenção’, ‘nomedoarquivo’), suggest that the loader shares design elements or code reuse with tooling developed by Portuguese-speaking threat actors, most notably those involved in financially motivated malware campaigns targeting Brazil.

Closing arguments

A natural evolution from its earlier SVG smuggling techniques, this threat actor has adopted a modular, memory-resident loader that can execute payloads dynamically and entirely in memory, leaving minimal traces behind. This loader is delivered through a multistage infection chain that relies on public hosting platforms, an approach that complicates attribution and takedown efforts.

The presence of Portuguese-language strings and method parameters within the loader mirrors TTPs commonly observed in Brazilian banking malware, suggesting potential code reuse, shared development resources or even cross-regional actor collaboration.

The campaign’s continued focus on Latin American targets, use of institutional impersonation, and rapid, scalable deployment highlights a persistent and evolving threat.

Detected and blocked by Acronis Cyber Protect Cloud

Indicators of Compromise

YARA

rule crimeware_shadow_vector_svg

{

meta:

description = "Detects malicious SVG files associated with Shadow

Vector's Colombian campaign"

author = "Acronis TRU"

date = "2025-06-06"

file_type = "SVG"

malware_family = "Shadow Vector"

threat_category = "Crimeware / Malicious Image / Embedded Payload"

tlp = "TLP:CLEAR"

strings:

$svg_tag1 = "<?xml" ascii

$svg_tag2 = "<svg" ascii

$svg_tag3 = "<!DOCTYPE svg" ascii

$svg_tag4 = "http://www.w3.org/2000/svg" ascii

//used by Shadow Vector (possibly generated in batch)

$judicial = "juzgado" ascii nocase

$judicial_1 = "citacion" ascii nocase

$judicial_2 = "judicial" ascii nocase

$judicial_3 = "despacho" ascii nocase

$generado = "Generado" ascii nocase

condition:

filesize < 3MB and

3 of ($svg_tag*) and

(1 of ($judicial*) and $generado)

}

References

MuchoHacker. “Correos de hospital y Rama Judicial en Colombia son usados para enviar correos falsos con archivos SVG que podrían contener malware”. October 31, 2024.

https://muchohacker.lol/2024/10/correos-de-hospital-y-rama-judicial-en-colombia-son-usados-para-enviar-correos-falsos-con-archivos-svg-que-podrian-contener-malware

SciLabs. “Red Akodon: A new threat actor distributing RAT to Colombia.” May 27, 2024.

https://blog.scilabs.mx/en/2024/05/27/red-akodon-a-new-threat-actor-distributing-rat-to-colombia

Environments

Physical

Endpoints

Cloud

Virtual

Applications

Mobile

Compare Acronis

Shadow Vector targets Colombian users via privilege escalation and court-themed SVG decoys

Summary

Introduction

Delivery – malware served

Case file: AsyncRAT via DLL side loading

Side-loaded execution chain

Configuration

Installation and persistence

Every keystroke you make, every move you take — they’ll be watching you

Signed and delivered: Abusing vulnerable drivers and DLL side loading

Obfuscation sustained

Closing arguments

Detected and blocked by Acronis Cyber Protect Cloud

Indicators of Compromise

SVG

Packages

Payloads

YARA

References

More cyber threats insights