
The campaign, named Operation Covert Access, demonstrates advanced operational sophistication by leveraging authentic-looking Argentine federal court rulings as social engineering decoys.
The attackers exploit the inherent trust placed in judicial communications to gain initial access and establish persistent remote control within high-value institutional environments.
Attack Chain and Initial Compromise
The campaign begins with targeted spear-phishing emails containing malicious ZIP archives. Each archive includes three critical components: a weaponized Windows shortcut file (.LNK) masquerading as a PDF, a batch-based loader script, and a legitimate-appearing judicial document.
When recipients interact with the shortcut file, the execution chain activates silently while displaying the decoy document to avoid suspicion.
The LNK file launches PowerShell with an execution-policy bypass and a hidden window to run the second-stage batch script. Because no console window or prompt is shown, the user sees nothing beyond the decoy document.

The batch script then connects to a GitHub-hosted repository, retrieves the final Remote Access Trojan (RAT) payload, and executes it under a disguised filename that mimics a legitimate Microsoft Edge process.
The effectiveness of this campaign rests heavily on social engineering. The decoy PDF presents itself as an official resolution from Argentina’s Poder Judicial de la Nación (National Judicial Power), explicitly referencing the Tribunal Oral en lo Criminal y Correccional N° 2 de la Capital Federal.
The document discusses judicial review of preventive detention and conditional release decisions, employing formal legal Spanish, authentic case numbering, judicial signatures, and proper procedural language from the Argentine Criminal Procedure Code.
This level of authenticity significantly increases the likelihood that judicial professionals, legal practitioners, and government employees will trust the document and open it.
The attackers deliberately selected sector-specific content that aligns with routine legal workflows, rather than employing opportunistic phishing tactics.
This targeting precision indicates extensive reconnaissance and a calculated long-term strategy to penetrate the Argentine judicial system.
The deployed RAT exhibits extensive anti-analysis capabilities, including virtual machine detection, sandbox evasion, and debugger identification.
Upon execution, the malware performs 128 separate environment checks, scanning for virtualization indicators, analysis tools, and forensic software. If any suspicious artifacts are detected, the malware terminates immediately to avoid capture.
The RAT establishes command-and-control communication with fallback mechanisms that support both IPv4 and IPv6. The primary C2 server is hardcoded at 181.231.253.69:4444, ensuring persistent connectivity even if network configuration parsing fails.

Commands arrive Base64-encoded, enabling dynamic execution of specialized modules including file theft, data encryption, privilege escalation, and persistence installation.
The malware advertises a modular command set supporting PERSIST (installation), PERSIST_REMOVE (cleanup), BEACON (heartbeat), DOWNLOAD (exfiltration), UPLOAD (payload delivery), HARVEST (credential stealing), ENCRYPT/DECRYPT (ransomware), and ELEVATE (privilege escalation).

This architecture gives operators flexible post-exploitation capabilities together with a clean exit: the removal command strips the persistence the malware installed.
Operation Covert Access underscores a substantial security risk to high-value institutional environments.
The campaign’s focus on judicial-sector targeting in Argentina suggests either nation-state involvement or organized cybercriminal activity with a specific geopolitical interest.
Organizations in similar sectors should implement enhanced email filtering, restrict the execution of LNK files, and deploy behavioral detection systems to identify multi-stage execution chains.
Indicators of Compromise (IOCs)
| Indicator Type | Value | File Component / Context |
|---|---|---|
| MD5 Hash | dc802b8c117a48520a01c98c6c9587b5 | info/juicio-grunt-posting.pdf.lnk |
| MD5 Hash | 45f2a677b3bf994a8f771e611bb29f4f | ZIP Archive (13adde53bd767d17108786bcc1bc0707c2411a40f11d67dfa9ba1a2c62cc5cf3.zip) |
| MD5 Hash | 02f85c386f67fac09629ebe5684f7fa0 | info/health-check.bat |
| MD5 Hash | 976b6fce10456f0be6409ff724d7933b | msedge_proxy.exe (RAT) |
| MD5 Hash | 233a9dbcfe4ae348c0c7f4c2defd1ea5 | info/notas.pdf (Decoy) |
| IP Address | 181.231.253.69:4444 | C2 Server |
| Detection Name | Trojan.50322.SL | Seqrite Antivirus |
| Detection Name | Trojan.50321.SL | Seqrite Antivirus |
| Detection Name | CovertRATCiR | Seqrite Antivirus |
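As an added example (not code from the article or from Seqrite), the detection logic a defender could run over process and network telemetry to surface the multi-stage chain described above (hidden, policy-bypassing PowerShell, the batch loader, a fake Edge binary) alongside matches on the hashes and C2 socket from the IOC table. The flat event schema, the sample events and the Edge install path are assumptions; the IOC values are the page's own.

```python
import re
# Indicators copied from the IOC table on this page (LNK, batch loader and RAT MD5s; C2 socket).
IOC_MD5 = {"dc802b8c117a48520a01c98c6c9587b5", "02f85c386f67fac09629ebe5684f7fa0",
           "976b6fce10456f0be6409ff724d7933b"}
IOC_C2 = {("181.231.253.69", 4444)}
EDGE_DIR = r"c:\program files (x86)\microsoft\edge\application"  # assumed default Edge install path

# Constructed sample telemetry in a hypothetical flat schema (not a real EDR/Sysmon format).
SAMPLE_PROCS = [
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File health-check.bat", "md5": "a1"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\Downloads\info\health-check.bat", "md5": "a2"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\msedge_proxy.exe",
     "cmdline": "msedge_proxy.exe", "md5": "976b6fce10456f0be6409ff724d7933b"},
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe", "md5": "a3"},
]
SAMPLE_CONNS = [{"pid": 400, "dst": "181.231.253.69", "dport": 4444},
                {"pid": 500, "dst": "203.0.113.10", "dport": 443}]

def hidden_bypass_powershell(p):  # PowerShell with an execution-policy bypass AND a hidden window
    c = p["cmdline"].lower()
    return (p["image"].lower().endswith("powershell.exe")
            and re.search(r"-(ex\w*|ep)\s+bypass", c) is not None
            and re.search(r"-w\w*\s+hidden", c) is not None)

def masquerading_edge(p):  # msedge*-named image running outside the real Edge install directory
    name = p["image"].rsplit("\\", 1)[-1].lower()
    return name.startswith("msedge") and not p["image"].lower().startswith(EDGE_DIR)

def ancestors(procs, pid):
    """Yield the parent chain upwards from pid (stops on unknown parents or cycles)."""
    by_pid, seen = {p["pid"]: p for p in procs}, set()
    while pid in by_pid and pid not in seen:
        seen.add(pid); yield by_pid[pid]; pid = by_pid[pid]["ppid"]

def detect(procs, conns):
    """Return (rule, pid) findings: IOC matches plus the multi-stage behavioural chain."""
    findings = [("ioc_hash", p["pid"]) for p in procs if p["md5"] in IOC_MD5]
    findings += [("ioc_c2", c["pid"]) for c in conns if (c["dst"], c["dport"]) in IOC_C2]
    for p in procs:
        if hidden_bypass_powershell(p):
            findings.append(("hidden_bypass_powershell", p["pid"]))
        if masquerading_edge(p):
            findings.append(("edge_masquerade", p["pid"]))
            # Highest confidence: the fake Edge binary descends from the hidden PowerShell.
            if any(hidden_bypass_powershell(a) for a in ancestors(procs, p["ppid"])):
                findings.append(("lnk_powershell_bat_rat_chain", p["pid"]))
    return findings
```

The behavioural rules still fire once the hashes and C2 address rotate, which is why they are worth more than the IOC matches alone.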
The post New Spear-Phishing Campaign Abuses Argentine Federal Court Rulings to Deliver Covert RAT appeared first on Cyber Security News.
