New Spear Phishing Attack Leveraging Argentine Federal Court Rulings to Deploy Covert RAT for Remote Access

Sarah simpson
January 20, 2026

Argentina’s judicial sector is currently under attack from a sophisticated spear-phishing campaign. This operation leverages trust in legitimate court communications to deploy a dangerous Remote Access Trojan.

The campaign uses authentic-looking federal court documents about preventive detention reviews to trick legal professionals into downloading malware.

Security experts have classified this attack as highly targeted, employing multi-stage infection techniques to gain long-term access to sensitive legal and institutional systems.

The attack begins when recipients receive emails containing a ZIP archive that appears to be an official judicial notice.

Inside the archive, attackers have planted a weaponized Windows shortcut file disguised as a PDF, along with a batch script loader and a legitimate-looking court resolution document.

Once the victim clicks on what appears to be a standard PDF file, the malicious execution chain activates while simultaneously displaying a convincing decoy document to avoid suspicion.

This social engineering technique makes the attack particularly effective against judicial personnel who routinely handle court-related documents.
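An attachment-triage check for the archive layout described above, as an added example that is not from Seqrite's report or the original article. It assumes the disguise shows up as a `.lnk` entry (optionally with a document-style double extension) shipped next to a script; all file names in the sample are constructed.

```python
import io
import zipfile
from pathlib import PurePosixPath

SHORTCUT_EXT = {".lnk"}
SCRIPT_EXT = {".bat", ".cmd", ".ps1", ".vbs", ".js"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def triage_zip(data: bytes) -> list[str]:
    """Return findings for a ZIP attachment; an empty list means nothing matched."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [PurePosixPath(n) for n in zf.namelist() if not n.endswith("/")]
    shortcuts = [p for p in names if p.suffix.lower() in SHORTCUT_EXT]
    scripts = [p for p in names if p.suffix.lower() in SCRIPT_EXT]
    for p in shortcuts:
        # Explorer never displays ".lnk", so "name.pdf.lnk" is shown as "name.pdf".
        inner = PurePosixPath(p.stem).suffix.lower()
        if inner in DOC_EXT:
            findings.append(f"shortcut posing as {inner[1:]}: {p.name}")
        else:
            findings.append(f"shortcut in archive: {p.name}")
    for p in scripts:
        findings.append(f"script in archive: {p.name}")
    if shortcuts and scripts:
        # The combination the article describes: shortcut plus loader script.
        findings.append("shortcut and script delivered together")
    return findings


def build_sample(names: list[str]) -> bytes:
    """Constructed test archive: only the names matter, contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()


# Constructed names modelled on the described layout (not indicators from the campaign).
SUSPECT = build_sample(
    ["notice/resolucion.pdf.lnk", "notice/load.bat", "notice/resolucion.pdf"]
)
BENIGN = build_sample(["notice/resolucion.pdf"])

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage_zip(blob))
```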

Seqrite analysts identified this campaign and uncovered its sophisticated multi-stage delivery mechanism.

The research team discovered that the malware specifically targets Argentina’s legal sector, including judicial institutions, legal professionals, and government bodies connected to the justice system.

Decoy (Source - Seqrite)

The decoy document mimics authentic Argentine federal court resolutions with remarkable precision, featuring formal legal Spanish, proper case numbering, judicial signatures, and references to real institutions like the Tribunal Oral en lo Criminal y Correccional.

This level of detail significantly increases the campaign’s success rate among its intended victims.

Infection Mechanism: From Shortcut to RAT Deployment

The attack uses a three-stage infection process designed to evade detection. The weaponized LNK file launches PowerShell in hidden mode, bypassing execution policies to run a batch script that connects to GitHub-hosted infrastructure.

Malware execution (Source - Seqrite)

This script downloads a second-stage payload named “msedge_proxy.exe” and stores it in the Microsoft Edge user data directory so that it appears legitimate.

The final payload is a Rust-based Remote Access Trojan equipped with extensive anti-analysis capabilities.
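Detection logic for the first two stages of this chain, run over process-creation events; this is an added example, not code from Seqrite or the article. The event field names, the sample command lines and the user-profile path are constructed assumptions, and the rule relies on the genuine msedge_proxy.exe living under the Edge install directory in Program Files.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

EDGE_INSTALL = re.compile(
    r"^[a-z]:\\program files( \(x86\))?\\microsoft\\edge\\application\\", re.I)
EDGE_USER_DATA = re.compile(r"\\microsoft\\edge\\user data\\", re.I)
# PowerShell accepts abbreviated parameter names (-w, -win, -ep, -exec, ...).
HIDDEN = re.compile(r"(?<!\S)[-/]w[indowstyle]*\s+hidden\b", re.I)
BYPASS = re.compile(r"(?<!\S)[-/]e(p|x[ecutionpolicy]*)\s+bypass\b", re.I)
BATCH = re.compile(r"\.(bat|cmd)\b", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def classify(event: dict) -> list[str]:
    """Return the rule names that one process-creation event triggers."""
    hits = []
    image = event["image"]
    name = basename(image).lower()
    cmd = event.get("command_line", "")
    if name in POWERSHELL and HIDDEN.search(cmd) and BYPASS.search(cmd):
        hits.append("hidden-powershell-policy-bypass")
        if BATCH.search(cmd):
            hits.append("powershell-runs-batch-script")
    if name == "msedge_proxy.exe" and not EDGE_INSTALL.search(image):
        hits.append("msedge_proxy-outside-install-dir")
        if EDGE_USER_DATA.search(image):
            hits.append("msedge_proxy-in-edge-user-data")
    return hits


def scan(events: list[dict]) -> dict:
    """Map event id -> triggered rules, skipping events with no hits."""
    return {e["id"]: hits for e in events if (hits := classify(e))}


# Constructed sample events (hypothetical field names, paths and command lines).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"id": 1, "image": PS,
     "command_line": r'powershell.exe -w hidden -ep bypass -c ".\load.bat"'},
    {"id": 2, "command_line": "msedge_proxy.exe",
     "image": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\msedge_proxy.exe"},
    {"id": 3, "command_line": "msedge_proxy.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe"},
    {"id": 4, "image": PS,
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for event_id, rules in scan(EVENTS).items():
        print(event_id, rules)
```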

Infection Chain (Source - Seqrite)

The RAT performs comprehensive environment checks before execution, scanning for virtual machines, sandboxes, and debugging tools. If analysis tools are detected, the malware immediately terminates to avoid investigation.

Once operational, it establishes encrypted command-and-control communication, offering attackers capabilities including file exfiltration, persistence installation, credential harvesting, and even ransomware deployment through modular DLL components.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
