Acronis Threat Research Unit (TRU) has uncovered and analyzed a sophisticated malware campaign dubbed “Shadow Vector,” actively targeting organizations and individuals in Colombia using malicious SVG (Scalable Vector Graphics) files to deploy high-impact remote administration tools (RATs) AsyncRAT and RemcosRAT.
The operation leverages SVG-based social engineering, multilayered obfuscation, DLL side-loading, and privilege escalation via vulnerable drivers, indicating a notable evolution in the tradecraft of Latin American threat actors.
SVG-Based Initial Access
The campaign’s infection chain begins with highly targeted spear-phishing emails, often impersonating Colombia’s judicial authorities, which contain SVG attachments masquerading as official court notifications.

These SVG files use “SVG smuggling,” now a recognized technique in the MITRE ATT&CK framework: malicious URLs or scripts are embedded in the file while it still renders as an innocuous image in email clients and browsers.
This tactic lets phishers slip past standard email security filters and prompts the user to interact with the file.
Once users access the SVG, they are redirected to publicly hosted payloads on platforms such as Bitbucket, Dropbox, and Discord CDN, or are provided with password-protected ZIP archives containing the next-stage payloads.
These archives require manual extraction using passwords displayed in the decoy content or in the email body, which further reduces the chance of automated inspection.
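A defender-side check for the SVG smuggling pattern described above, added here as an example and not taken from the Acronis report: a small Python scanner that parses an SVG attachment and flags constructs a static court-notification image has no use for, such as script elements, event-handler attributes and hyperlinks to external URLs. The two SVG samples inside the block are constructed test inputs, not files from the campaign, and the rule names are this example's own.

```python
"""Heuristic scanner for SVG attachments that may carry embedded scripts or redirects."""
import re
import sys
import xml.etree.ElementTree as ET

# Elements that can execute code or embed foreign content; none belong in a plain image.
SCRIPT_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# href values that leave the document: remote URLs, javascript: and HTML data URIs.
EXTERNAL_URL = re.compile(r"^\s*(https?:|javascript:|data:text/html)", re.IGNORECASE)


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(svg_text):
    """Return a sorted list of findings for one SVG document.

    An empty list means none of the heuristics fired; it does not prove the
    file is benign, since obfuscated content can evade a static check.
    """
    findings = set()
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["unparseable-xml"]
    for elem in root.iter():
        name = _local(elem.tag)
        if name in SCRIPT_TAGS:
            findings.add(f"{name}-element")
        for attr, value in elem.attrib.items():
            attr_name = _local(attr)
            if attr_name.startswith("on"):  # onload, onclick, onmouseover, ...
                findings.add(f"event-handler:{attr_name}")
            if attr_name == "href" and EXTERNAL_URL.match(value):
                findings.add(f"external-href:{value.strip()[:60]}")
        # Inline script that redirects the viewer or decodes an embedded blob.
        if name == "script" and elem.text and re.search(r"location|atob\(|fromCharCode", elem.text):
            findings.add("script-redirect-or-decode")
    return sorted(findings)


# Constructed samples: a plain image and one that mimics the smuggling layout
# (lure text, off-site link, script redirect). example.invalid is a reserved TLD.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect width="100" height="100" fill="navy"/>
</svg>"""

SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <text x="10" y="20">Notificacion Judicial</text>
  <a xlink:href="https://files.example.invalid/notificacion.zip"><rect width="50" height="50"/></a>
  <script>window.location = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ=");</script>
</svg>"""


if __name__ == "__main__":
    # With file paths as arguments, scan those; otherwise show the two samples.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                print(path, scan_svg(fh.read()))
    else:
        print("benign:", scan_svg(BENIGN_SVG))
        print("suspicious:", scan_svg(SUSPICIOUS_SVG))
```

The scanner is meant for a mail-gateway or triage pipeline where SVG attachments from outside the organization are held for review; a hit on any rule is a reason to detonate the file in a sandbox rather than deliver it, while no hit is only the absence of an obvious indicator.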
Multistage Intrusion Chain
The extracted ZIPs typically include a legitimate executable coupled with multiple DLLs, one or more of which are malicious and engineered for side-loading.
When users launch the benign-appearing executable (for example, named vcredist.exe), Windows’ DLL search order loads the attacker’s weaponized DLL.
According to the Acronis report, this DLL manipulates PE headers and employs anti-analysis mechanisms to evade detection, then hollows out processes and injects AsyncRAT or RemcosRAT in memory for full compromise.
RemcosRAT deployment goes a step further by abusing legitimate drivers like vulnerable versions of Zemana and WiseCleaner (CVE-2022-42045, CVE-2023-1486) to obtain kernel-level privileges.
The attackers drop signed, exploitable drivers into %Temp%, launch them as services, and register the malware for elevated execution using DeviceIoControl calls, before establishing persistence via scheduled tasks and registry modifications.

Anti-VM and sandbox checks, process enumeration, and targeted AV process killing further reinforce evasion.
Recent Shadow Vector variants exhibit a modular loader architecture, similar to the Katz Loader, supporting UAC bypass (via cmstp.exe), anti-debugging, encrypted configuration blobs, and dynamic process injection.
The loader can fetch payloads into memory, sometimes embedding them as Base64 within benign images or text hosted on platforms like the Internet Archive, so that minimal artifacts remain on disk.
Notably, the loader includes Portuguese-language code strings and variables, aligning with the TTPs of Brazilian financial cybercrime groups, suggesting possible cross-border tooling reuse.
Once delivered, AsyncRAT and RemcosRAT enable a broad set of malicious activities: system reconnaissance, keylogging, credential and cryptocurrency wallet theft, persistent remote access, and execution of C2-controlled plugins (e.g., process termination, clipboard snooping, browser credential extraction).
The infrastructure supports redundancy and fallback mechanisms for C2 reachability, and the campaign’s operational flexibility points to potential future pivots such as ransomware deployment.
This threat demonstrates the rapid adaptation and regional specialization of cybercrime in Latin America, with attackers leveraging both public cloud infrastructure and advanced code to evade defenses and maximize victim engagement.
Indicators of Compromise (IOCs)
| Type | Value / SHA256 |
|---|---|
| SVG File | 64e971f0fed4da9d71cd742db56f73b6f7da8fec3b8aebd17306e8e0d4f1d29d |
| SVG File | 4d292a785ec35530bac5f4674a97c0dffa2a2396bd8b0cc6f8b478ba13d73611 |
| SVG File | d713793b0b6dd1fe7c2432a28069745bc4bf97c098f1217de0731c7ed7c1d70a |
| Payload | 0e5a768a611a4d0ed7cb984b2ee790ad419c6ce0be68c341a2d4f64c531d8122 |
| Payload | b04ea3c83515c3daf2de76c18e72cb87c0772746ec7369acce8212891d0d8997 |
| Zip Archive | bf596502f05062d156f40322bdbe9033b28df967ce694832a78482b47dcdd967 |
| Zip Archive | 53cad386b6af155952380eb8050eebef368836bcb035dffe2ca8a58ae22c055c |
| C2 Domain | asynk02[.]duckdns[.]org |
| Bitbucket | notificaciones-judiciales2025-2005 |