Acronis Threat Research Unit (TRU) has uncovered an active and highly targeted malware campaign known as "Shadow Vector," which is currently affecting users in Colombia. This campaign leverages malicious Scalable Vector Graphics (SVG) files masquerading as urgent legal notifications to bypass email filters and deceive recipients into downloading remote access malware.
In the latest wave of phishing attacks, the threat actors send emails impersonating trusted Colombian judicial institutions. The attached SVG decoys are XML text rather than a binary document, so they slip past filters tuned for executables and Office files, yet they render in a browser as a clean, official-looking notice; that combination both evades detection and encourages the recipient to interact. Once opened, the SVG directs the victim to download a password-protected ZIP archive hosted on a public platform such as Bitbucket, Discord, Dropbox or YDRAY, with the password keeping scanners from inspecting the archive contents. These archives typically bundle a legitimate-looking executable with a malicious dynamic-link library (DLL), which starts a multi-stage infection process.
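The lure described above, an SVG that displays as a document but carries a link to an archive download, is easy to triage at the mail gateway because SVG is just XML. The following is an added example (not Acronis TRU tooling) that parses an SVG and flags active content, event handlers and external links, treating links to the file-hosting services named in the article as high severity. The two sample SVGs and the host list are constructed for the demo:

```python
"""Triage an SVG attachment for phishing indicators.

Added example; not Acronis TRU's tooling. Flags the lure pattern the
campaign description gives: an SVG that renders as a plain document but
carries a link (or script) pointing at an external archive download.
The hosting domains are those named in the article; the sample SVGs
are constructed for this demo.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# File-hosting services named in the article as ZIP hosts (illustrative list).
WATCHED_HOSTS = {"bitbucket.org", "discord.com", "discordapp.com",
                 "dropbox.com", "ydray.com"}
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z|iso|img)$", re.I)
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}


def _local(name):
    """Strip an XML namespace prefix: '{http://...}href' -> 'href'."""
    return name.rsplit("}", 1)[-1].lower()


def _host_watched(host):
    return any(host == h or host.endswith("." + h) for h in WATCHED_HOSTS)


def triage_svg(svg_text):
    """Return a list of (severity, reason) findings for one SVG document."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("high", f"malformed SVG: {exc}")]

    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(("high", f"active content element <{tag}>"))
        for attr, val in el.attrib.items():
            name = _local(attr)          # covers both href and xlink:href
            val = val.strip()
            if name.startswith("on"):
                findings.append(("high", f"event handler {name}= on <{tag}>"))
            elif name == "href":
                url = urlparse(val)
                host = (url.hostname or "").lower()
                if url.scheme in ("javascript", "data"):
                    findings.append(("high", f"{url.scheme}: URI in href on <{tag}>"))
                elif url.scheme in ("http", "https") and _host_watched(host):
                    findings.append(("high", f"link to file-hosting service {host}"))
                elif url.scheme in ("http", "https") and ARCHIVE_EXT.search(url.path):
                    findings.append(("high", f"link to archive download {url.path}"))
                elif url.scheme in ("http", "https"):
                    findings.append(("medium", f"external link to {host}"))
    return findings


def is_lure(svg_text):
    """Convenience verdict: any high-severity finding."""
    return any(sev == "high" for sev, _ in triage_svg(svg_text))


# Constructed samples: a harmless banner and a court-themed lure.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="200" height="50">
  <rect width="200" height="50" fill="#eee"/>
  <text x="10" y="30">Juzgado - Notificacion</text>
</svg>"""

LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="600" height="800">
  <text x="20" y="40">Notificacion judicial urgente</text>
  <a xlink:href="https://bitbucket.org/example/repo/downloads/Notificacion.zip">
    <text x="20" y="80">Descargar documento</text>
  </a>
  <script>window.location="https://example.invalid/Notificacion.zip"</script>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, triage_svg(doc))
```

A medium-severity "external link" finding alone is not proof of malice (legitimate SVG logos link out too), but any high-severity hit on an unsolicited legal notice is grounds to quarantine the message.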
The core payloads in the Shadow Vector campaign are AsyncRAT and Remcos RAT, two well-known remote access trojans used for espionage, credential harvesting and full system compromise. They are deployed through DLL side-loading: a legitimately signed executable that is vulnerable to DLL search-order hijacking is shipped next to an attacker-supplied DLL with the expected name, so the malicious code runs inside the trusted, signed process. In many instances the attackers use a .NET loader consistent with the Katz Loader, which brings UAC bypass, process injection, anti-analysis checks and persistence mechanisms. Payloads are sometimes concealed as Base64 strings inside text or image files retrieved from publicly accessible archives, including the Internet Archive, so the download looks like benign content until it is decoded.
The campaign's social engineering is deliberate and precise. The phishing emails mimic court communications and legal documents, with realistic visual elements and little variation between samples, which keeps the appearance credible.
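Because the staged payloads are Base64 text inside otherwise innocuous files, a useful hunting check is to pull long Base64 runs out of such a file and test whether they decode to a Windows PE image. This added example (not Acronis TRU code) does that: it locates Base64 runs, decodes each, and checks for an MZ header whose e_lfanew field points at the "PE\0\0" signature. The "hosted text" it scans is constructed, and the embedded binary is a minimal PE-shaped stub rather than real malware:

```python
"""Find Base64-encoded Windows executables hidden inside text.

Added example; not Acronis TRU code. Scans a blob for long Base64 runs,
decodes each and checks for a PE image (MZ header, e_lfanew -> 'PE\\0\\0').
The sample hosted text is constructed: a minimal PE-shaped stub, not malware.
"""
import base64
import re
import struct

# Base64 runs of at least 64 alphabet chars with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at PE\\0\\0."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(blob):
    """Return [(offset, decoded_length)] for Base64 runs that decode to a PE."""
    hits = []
    for m in B64_RUN.finditer(blob):
        chunk = m.group()
        chunk = chunk[: len(chunk) - len(chunk) % 4]   # drop a partial final group
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except ValueError:
            continue
        if looks_like_pe(decoded):
            hits.append((m.start(), len(decoded)))
    return hits


def _build_pe_stub():
    """Constructed stand-in for a payload: DOS header + PE signature + padding."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> offset 0x80
    return bytes(dos) + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + b"\x00" * 28


# Constructed sample of a "text file" on a public host: a short benign Base64
# token (too short to match) followed by the Base64 of the PE stub.
HOSTED_TEXT = (
    b"Acta de notificacion 2025\n"
    b"Referencia: " + base64.b64encode(b"hello world, nothing to see") + b"\n"
    b"Datos: " + base64.b64encode(_build_pe_stub()) + b"\n"
)

if __name__ == "__main__":
    for offset, size in find_embedded_pe(HOSTED_TEXT):
        print(f"PE image found: Base64 at offset {offset}, {size} bytes decoded")
```

Loaders often apply a second transform (reversal, XOR, a custom alphabet) on top of Base64, so a miss here does not clear a file; a hit, however, is a strong indicator that the "text" or "image" is a staged executable.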
The Shadow Vector campaign exemplifies the evolving technical sophistication of regional cybercriminals in Latin America. By combining traditional social engineering with modern obfuscation and privilege escalation tactics, the attackers behind this campaign demonstrate increasing operational maturity and flexibility. While the current focus appears to be the theft of confidential information and credentials, the techniques employed suggest that the infrastructure could easily be repurposed for more destructive outcomes, such as ransomware deployment.
Acronis TRU continues to monitor the campaign closely and urges users and organizations—especially in Colombia—to remain vigilant, update their security tools, and educate employees about the dangers of interacting with unsolicited court-themed attachments or downloads.