Shadow Vector Malware Weaponizes SVG Files to Distribute AsyncRAT and RemcosRAT Payloads

Acronis Threat Research Unit (TRU) has uncovered and analyzed a sophisticated malware campaign dubbed “Shadow Vector,” actively targeting organizations and individuals in Colombia using malicious SVG (Scalable Vector Graphics) files to deploy high-impact remote administration tools (RATs) AsyncRAT and RemcosRAT.

The operation leverages SVG-based social engineering, multilayered obfuscation techniques, DLL side-loading, and privilege escalation via vulnerable drivers, indicating a notable evolution in the tradecraft of Latin American threat actors.

SVG-Based Initial Access

The campaign’s infection chain begins with highly targeted spear-phishing emails, often impersonating Colombia’s judicial authorities, which contain SVG attachments masquerading as official court notifications.

Figure: Phishing email impersonating Colombia’s labor court

These SVG files exploit SVG “smuggling”, now a recognized technique in the MITRE ATT&CK framework, by embedding malicious URLs or scripts while still rendering as an innocuous image in email clients and browsers.

This tactic allows phishers to bypass standard email security filters and prompt user engagement.

Once users access the SVG, they are redirected to publicly hosted payloads on platforms such as Bitbucket, Dropbox, and Discord CDN, or are provided with password-protected ZIP archives containing the next-stage payloads.

To further reduce automated inspection, these archives often require manual extraction using a password displayed in the decoy content or in the email body.
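As an added illustration of how a defender can triage the SVG lures described above (this is example code written for this article, not tooling from Acronis TRU or the campaign itself), the following Python script parses an SVG attachment and reports the smuggling indicators the report mentions: inline scripts, event-handler attributes, external or javascript: hyperlinks, embedded HTML content, and large Base64-looking blobs. The sample SVG documents are constructed for the demonstration and use the reserved example.invalid domain.

```python
"""Triage SVG attachments for 'smuggling' indicators (added example)."""
import re
import xml.etree.ElementTree as ET

# Tags that let an SVG carry or host non-image content
SCRIPT_TAGS = {"script"}
EMBED_TAGS = {"foreignobject", "iframe", "embed", "object"}
# SVG event-handler attributes (onload, onclick, ...) execute script
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
# href schemes that leave the document or execute code
SUSPICIOUS_SCHEMES = ("http://", "https://", "javascript:", "data:")
# Runs of 200+ Base64 characters are a common sign of a smuggled payload
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def _local(name):
    """Strip the XML namespace prefix ('{uri}name' -> 'name'), lower-cased."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(svg_text):
    """Return a sorted list of indicator strings found in the SVG text."""
    findings = set()
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        # A lure that is not well-formed XML deserves a look on its own
        return ["malformed-xml"]

    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in SCRIPT_TAGS:
            findings.add("inline-script")
        if tag in EMBED_TAGS:
            findings.add(f"embedded-content:{tag}")
        for attr, value in elem.attrib.items():
            lname = _local(attr)          # handles xlink:href as well as href
            if EVENT_ATTR.match(lname):
                findings.add(f"event-handler:{lname}")
            if lname == "href":
                v = value.strip().lower()
                if v.startswith(SUSPICIOUS_SCHEMES):
                    findings.add(f"external-href:{v.split(':', 1)[0]}")

    if BASE64_RUN.search(svg_text):
        findings.add("large-base64-blob")
    return sorted(findings)


# Constructed samples (not real campaign files)
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
    '<circle cx="50" cy="50" r="40" fill="blue"/></svg>'
)
LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>/* constructed sample: a real lure would put redirect logic here */</script>
  <a xlink:href="https://example.invalid/notificacion.zip">
    <text x="10" y="20">Ver notificacion</text>
  </a>
</svg>"""
EMBED_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <foreignObject width="300" height="200">
    <body xmlns="http://www.w3.org/1999/xhtml">
      <iframe src="https://example.invalid/"></iframe>
    </body>
  </foreignObject>
</svg>"""
BLOB_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg"><text>' + "Q" * 256 + "</text></svg>"
)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("lure", LURE_SVG),
                       ("embed", EMBED_SVG), ("blob", BLOB_SVG)]:
        print(f"{label:7s} -> {scan_svg(doc) or 'no indicators'}")
```

Any non-empty result is a reason to detonate the attachment in a sandbox rather than a verdict on its own; legitimate SVGs occasionally use `<a href>` or small inline scripts, so the checks are best combined with the sender and attachment context.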

Multistage Intrusion Chain

The extracted ZIPs typically include a legitimate executable coupled with multiple DLLs, one or more of which are malicious and engineered for side-loading.

When users launch the benign-appearing executable (for example, named vcredist.exe), Windows’ DLL search order loads the attacker’s weaponized DLL.

According to the Acronis report, this DLL manipulates PE headers and employs anti-analysis mechanisms to evade detection, then hollows out a legitimate process and injects AsyncRAT or RemcosRAT in memory for full compromise.

RemcosRAT deployment goes a step further by abusing legitimate but vulnerable drivers, such as affected versions of the Zemana and WiseCleaner drivers (CVE-2022-42045, CVE-2023-1486), to obtain kernel-level privileges.

The attackers drop signed, exploitable drivers into %Temp%, launch them as services, and register the malware for elevated execution using DeviceIoControl calls, before establishing persistence via scheduled tasks and registry modifications.

Figure: Flowchart of the multistage malware attack

Anti-VM and sandbox checks, process enumeration, and targeted AV process killing further reinforce evasion.

Recent Shadow Vector variants exhibit a modular loader architecture, similar to the Katz Loader, supporting UAC bypass (via cmstp.exe), anti-debugging, encrypted configuration blobs, and dynamic process injection.

The loader can fetch payloads directly into memory, sometimes Base64-encoded inside benign images or text hosted on platforms such as the Internet Archive, so that minimal artifacts remain on disk.

Notably, the loader includes Portuguese-language code strings and variables, aligning with the TTPs of Brazilian financial cybercrime groups, suggesting possible cross-border tooling reuse.

Once delivered, AsyncRAT and RemcosRAT enable a broad set of malicious activities: system reconnaissance, keylogging, credential and cryptocurrency wallet theft, persistent remote access, and execution of C2-controlled plugins (e.g., process termination, clipboard snooping, browser credential extraction).

The infrastructure supports redundancy and fallback mechanisms for C2 reachability, and the campaign’s operational flexibility points to potential future pivots such as ransomware deployment.

This threat demonstrates the rapid adaptation and regional specialization of cybercrime in Latin America, with attackers leveraging both public cloud infrastructure and advanced code to evade defenses and maximize victim engagement.

Indicators of Compromise (IOCs)

Type          Value / SHA256
SVG File      64e971f0fed4da9d71cd742db56f73b6f7da8fec3b8aebd17306e8e0d4f1d29d
SVG File      4d292a785ec35530bac5f4674a97c0dffa2a2396bd8b0cc6f8b478ba13d73611
SVG File      d713793b0b6dd1fe7c2432a28069745bc4bf97c098f1217de0731c7ed7c1d70a
Payload       0e5a768a611a4d0ed7cb984b2ee790ad419c6ce0be68c341a2d4f64c531d8122
Payload       b04ea3c83515c3daf2de76c18e72cb87c0772746ec7369acce8212891d0d8997
Zip Archive   bf596502f05062d156f40322bdbe9033b28df967ce694832a78482b47dcdd967
Zip Archive   53cad386b6af155952380eb8050eebef368836bcb035dffe2ca8a58ae22c055c
C2 Domain     asynk02[.]duckdns[.]org
Bitbucket     notificaciones-judiciales2025-2005

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
