IBM X-Force has identified a coordinated phishing campaign targeting Colombian users between August and October 2025 that leverages spoofed judicial communications to distribute the PureHVNC Remote Access Trojan (RAT) through the Hijackloader malware loader.
This campaign represents a notable shift in threat actor tactics, as it marks the first observed instances of PureHVNC being delivered to Spanish-speaking users and the initial Hijackloader campaign specifically targeting Latin American victims with this particular payload combination.
The attack chain begins with deceptive phishing emails impersonating the Attorney General’s office of Colombia, claiming that a lawsuit filed by a former employee is being processed in labor courts.
Recipients are prompted to download an “official document” through SVG file links hosted on Google Drive. When victims click the download button while viewing the document preview, a ZIP archive is extracted containing multiple files, including a password-protected executable.
The password is provided on the download complete page, lowering victim friction during the infection process. Once executed, the malware initiates the multi-stage infection chain that ultimately delivers PureHVNC to the compromised system.
Technical Infection Chain and Evasion Mechanisms
The infection payload, disguised as “02 BOLETA FISCAL.exe,” is actually a renamed javaw.exe file designed to trigger DLL side-loading attacks. When launched, the system loads a malicious JLI.dll from the same directory, which in turn loads MSTH7EN.DLL.
This second-stage payload contains encrypted configuration data and proceeds to load shellcode into vssapi.dll through DLL hollowing, changing memory protections to facilitate code injection.
The shellcode then reads the Plagkeg.zk file, which contains additional encrypted modules and configuration information needed to load the final PureHVNC RAT payload.
Hijackloader employs sophisticated evasion techniques to evade detection by security products. The malware implements indirect API calling using stack spoofing and code patching to mask the origins of suspicious system calls.
It unhooks NTDLL functions by comparing the in-memory copy against a clean mapped version and restores original bytes when hooks are detected.
The malware also performs multiple anti-virtualization and anti-sandbox checks, including hypervisor detection, timing-based anti-debugging analysis, RAM and processor core verification, and username validation. These checks ensure the malware only executes in legitimate user environments.
Persistence and Campaign Significance
Hijackloader establishes persistence through scheduled tasks or LNK shortcuts placed in startup folders, ensuring the final PureHVNC payload maintains access across system reboots.
The command and control infrastructure utilizes the DuckDNS domain sofiavergara[.]duckdns[.]org for command delivery.
Security researchers should note that PureHVNC is commercially available on underground forums and Telegram channels as part of the PureCoder toolset, making it accessible to diverse threat actors targeting Latin American markets.
X-Force recommends organizations enable file extension visibility, scrutinize email attachments from untrusted sources, monitor DuckDNS traffic patterns, and implement robust endpoint security controls to detect and prevent this campaign’s indicators of compromise.
Indicators of compromise
| Indicator | Indicator Type | Context |
| troquelesmyj[@]gmail.com | Sender email | |
| nuevos777[.]duckdns[.]org | Domain | C2 Domain |
| 7octubredc[.]duckdns[.]org | Domain | C2 Domain |
| dckis13[.]duckdns[.]org | Domain | C2 Domain |
| dckis7[.]duckdns[.]org | Domain | C2 Domain |
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
_imresizer.jpg?resize=1068,580&ssl=1&description=PureHVNC RAT - IBM X-Force has identified a coordinated phishing campaign targeting Colombian users between August and October.){kind=link}