Acronis TRU Exposes ‘Shadow Vector’ Malware Campaign Targeting Colombia


Acronis Threat Research Unit (TRU) has identified an ongoing and highly targeted malware campaign called “Shadow Vector,” which is primarily affecting users in Colombia. The campaign uses deceptive Scalable Vector Graphics (SVG) files disguised as urgent legal notifications to bypass email filters and trick recipients into downloading remote access malware.

In this latest wave of phishing attacks, cybercriminals have been sending emails that impersonate trusted Colombian judicial institutions. These emails contain embedded SVG files that display correctly in browsers, making it easier for the attackers to avoid detection and increase user interaction. When opened, the SVG files lead victims to download password-protected ZIP files hosted on popular platforms such as Bitbucket, Discord, Dropbox, and YDRAY. Inside these archives are seemingly legitimate executables, along with malicious dynamic-link libraries (DLLs), which trigger a complex, multi-stage infection process.
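A triage check for this lure type, added here as an illustration and not code from Acronis TRU or the report: it parses an SVG attachment and flags the traits the campaign relies on, namely a hyperlink to a file-hosting platform plus any embedded script, event handlers or foreignObject content that a static image does not need. The sample SVG is constructed, and the domain spellings for the platforms named in the report are assumptions, not values taken from the report.

```python
import re
import xml.etree.ElementTree as ET

# Assumed domains for the file-hosting platforms named in the report (not taken from it).
STAGING_HOSTS = ("bitbucket.org", "discord.com", "discordapp.com",
                 "dropbox.com", "ydray.com")

# Constructed sample resembling the lure: the whole canvas is one hyperlink to an archive.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="600" height="400">
  <a xlink:href="https://www.dropbox.com/s/EXAMPLE/notificacion.zip?dl=1">
    <rect width="600" height="400" fill="white"/>
    <text x="20" y="40">Notificacion judicial - descargar</text>
  </a>
  <script>/* placeholder */</script>
</svg>"""
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)   # onload, onclick, ...

def _host(url: str) -> str:
    """Lower-cased host part of a URL ('' if the value is not an absolute URL)."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def triage_svg(data: str) -> dict:
    """Collect indicators that make an SVG attachment worth holding or sandboxing."""
    # For untrusted mail attachments, parse with defusedxml to resist entity-expansion abuse.
    root = ET.fromstring(data)
    f = {"links": [], "staging_links": [], "script": False,
         "event_handlers": [], "foreign_object": False}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()      # strip the XML namespace
        if tag == "script":
            f["script"] = True
        elif tag == "foreignobject":
            f["foreign_object"] = True
        for name, value in el.attrib.items():
            local = name.rsplit("}", 1)[-1]          # xlink:href and plain href alike
            if EVENT_ATTR.match(local):
                f["event_handlers"].append(local)
            elif local == "href":
                f["links"].append(value)
                host = _host(value)
                if any(host == h or host.endswith("." + h) for h in STAGING_HOSTS):
                    f["staging_links"].append(value)
    return f

def is_suspicious(f: dict) -> bool:
    """A legitimate static image needs none of these; any one is reason to hold the mail."""
    return bool(f["staging_links"] or f["script"] or f["event_handlers"] or f["foreign_object"])
```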

The Shadow Vector campaign’s core payloads include AsyncRAT and RemcosRAT—two widely used remote access tools that enable espionage, credential theft, and full system compromise. These payloads are deployed using DLL side-loading techniques, often exploiting signed but vulnerable software to execute harmful code within trusted system processes. Many of the attacks also use a .NET loader, similar to Katz Loader, which employs advanced evasion tactics like UAC bypass, process injection, anti-analysis measures, and persistence techniques. In some cases, payloads are hidden as Base64-encoded strings within text or image files found in publicly accessible archives, including the Internet Archive.

A key feature of this campaign is its use of social engineering, which is highly deliberate and crafted to appear genuine. The phishing emails mimic official court communications and legal documents, featuring realistic visuals with minimal changes to maintain their believability.

The Shadow Vector campaign highlights the increasing sophistication of cybercriminals in Latin America. By combining traditional social engineering with modern obfuscation and privilege escalation techniques, the attackers show growing operational expertise and adaptability. Although the immediate goal seems to be the theft of sensitive information and credentials, the techniques involved suggest that the infrastructure could easily be leveraged for more destructive attacks, such as ransomware.

Acronis TRU is actively monitoring this campaign and urges both individuals and organizations—especially those in Colombia—to stay alert, keep their security tools up to date, and educate employees about the risks of opening unsolicited attachments or downloading files that appear to be court-related.

Acronis is a global leader in cyber protection, offering integrated cybersecurity, data protection, and endpoint management solutions. Designed for managed service providers (MSPs), small and medium businesses (SMBs), and enterprise IT teams, Acronis’ tools help identify, prevent, detect, and respond to modern cyber threats with minimal downtime, ensuring data integrity and business continuity.

Founded in Singapore in 2003 and now based in Switzerland, Acronis operates in over 50 countries with 15 global offices. Its Cyber Protect platform is available in 26 languages and used by over 20,000 service providers to protect more than 750,000 businesses.