LATAM baited into the delivery of PureHVNC
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
Between August and October 2025, a phishing campaign targeted Colombian users with emails impersonating the Attorney General's office. The emails contained links to download a malicious file, initiating an infection chain using Hijackloader to deliver PureHVNC Remote Access Trojan (RAT). The campaign employed sophisticated techniques including DLL side-loading, anti-VM checks, and various injection methods. This marks the first observed instance of Hijackloader being used to deliver PureHVNC to Spanish-speaking users in Latin America, highlighting an evolving threat landscape in the region.
OPENCTI LABELS :
purehvnc,hijackloader,phishing
AI COMMENTARY :
1. Introduction: Starting in August 2025, security researchers identified a targeted phishing operation aimed at Colombian users, masquerading as official communications from the country's Attorney General's office. The attackers deployed convincing email templates that prompted recipients to click on malicious links, initiating a dangerous infection chain. This campaign represents a clear escalation in regional cyber threats and underscores the growing importance of proactive threat intelligence in Latin America.
2. The Phishing Campaign: The attack began with carefully crafted emails that imitated the branding, language, and tone of the Attorney General's office. Victims were urged to review purported legal documents by clicking on embedded links. When the link was activated, users were redirected to a download page hosting a malicious executable. The trust placed in government communications led many users to inadvertently launch the payload, setting the stage for subsequent compromise.
3. Infection Chain and Payload Delivery: Once executed, the initial payload invoked a loader known as Hijackloader. This loader used DLL side-loading to evade detection and to prepare the next stage of the attack. Hijackloader then fetched and executed PureHVNC, a Remote Access Trojan (RAT) engineered for stealth and persistent access. The chain was built so that each stage appeared legitimate to antivirus solutions and sandbox environments.
4. Sophisticated Evasion Techniques: The threat actors employed a series of advanced anti-detection measures, including environment checks to detect virtual machines, sandbox evasion routines, and multiple code injection methods targeting running processes. DLL side-loading let the malicious components execute under cover of a legitimately signed host binary, while the injection routines ensured that PureHVNC operated under the radar, granting attackers remote control without raising immediate alarms.
5. Regional Significance and First Observations: This campaign marks the first recorded use of Hijackloader to deliver PureHVNC specifically to Spanish-speaking users in Latin America. The choice of Colombian targets and Spanish-language lures demonstrates the adversaries' focus on regional tailoring. Analysts view this as an indicator of shifting attacker tactics designed to exploit localized trust relationships and language familiarity throughout LATAM.
6. Threat Implications and Recommendations: Organizations across Latin America must heighten awareness of socially engineered attacks impersonating trusted institutions. Incident response teams should deploy layered defenses, including advanced email filtering, user awareness training focused on spear-phishing techniques, and behavioral monitoring to detect unusual process injections. Regular audits of endpoint security configurations and robust network segmentation will further limit the impact of a potential PureHVNC infection.
7. Conclusion: The August to October 2025 campaign demonstrates how threat actors continue to refine their methods, combining phishing with sophisticated loaders and stealthy RATs like PureHVNC. By understanding the mechanics of this operation and adopting tailored defenses, organizations in the region can better protect themselves against evolving cyber threats. Vigilance, continuous monitoring, and threat intelligence sharing remain crucial to staying one step ahead of these adversaries.