Full Report
Source: "Operation Covert Access: Weaponized LNK-Based Spear-Phishing Targeting Argentina's Judicial Sector to Deploy a Covert RAT", Seqrite Labs, published on Blogs on Information Technology, Network & Cybersecurity | Seqrite. Sections of the original post: Introduction; Infection Chain; Targeted Sectors; Initial Findings about the Campaign; Analysis of Decoy; Technical Analysis (Stage 1: analysis of the Windows Shortcut file (.LNK); Stage 2: analysis of the batch file; Stage 3: detailed analysis of the Covert RAT); Conclusion; Seqrite Coverage; IOCs; MITRE ATT&CK. From the introduction: Seqrite Labs has identified and uncovered a globally active spear-phishing campaign targeting Argentina's […]
Analysis Summary
# Incident Report: Operation Covert Access - LNK-Based Spear-Phishing against Argentine Judiciary
## Executive Summary
Seqrite Labs uncovered a globally active spear-phishing campaign targeting Argentina's judicial sector. The attack delivered weaponized Windows Shortcut (.LNK) files inside email attachments, leading to a multi-stage execution chain that ends with a stealthy, Rust-based Remote Access Trojan (RAT). The social engineering rested on authentic-looking decoy court rulings that persuaded recipients to open the shortcut; once the RAT was running, the operators held persistent, long-term access to sensitive institutional data.
## Incident Details
- **Discovery Date:** Report published on January 19, 2026; the discovery itself is not dated (presumably shortly before publication).
- **Incident Date:** Ongoing activity leading up to the report date.
- **Affected Organization:** Not explicitly named, but the targeted entities are part of Argentina’s Judicial Sector.
- **Sector:** Judicial System, Legal Professionals, Government (Justice-adjacent bodies).
- **Geography:** Argentina (Primary Focus), South America.
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed (Occurred prior to 2026-01-19).
- **Vector:** Spear-Phishing Email attachment (ZIP archive).
- **Details:** Attackers sent targeted emails containing a ZIP archive. This archive held a malicious `.LNK` file, a `.BAT` loader script, and a legitimate-looking PDF decoy document (Argentine federal court ruling).
### Execution Chain Progression
1. **Stage 1 (.LNK Execution):** The victim opens the LNK file (`juicio-grunt-posting.pdf.lnk`), which carries a double extension so that it looks like a PDF. The shortcut launches the next stage and at the same time opens the decoy PDF (`notas.pdf`), so the user sees the document they expected and has no immediate reason for suspicion.
2. **Stage 2 (BAT Loader):** The LNK runs a batch file (`health-check.bat`) that prepares the environment; based on the report's technique mapping it also handles initial defense evasion (hidden window, encoded commands) and stages the final payload.
3. **Stage 3 (RAT Deployment):** The batch loader runs the final payload, a covert RAT written in Rust (reported under the file name `msedge_proxy.exe`), which establishes persistence on the compromised system.
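The chain above starts with a shortcut whose name, target and window settings are all chosen to deceive, and those properties are readable from the file itself. The following script is an added example (not code from the report or from Seqrite): it parses the Shell Link binary format (MS-SHLLINK header, optional IDList/LinkInfo, then the StringData fields), flags the tricks described for Stage 1, and scans a ZIP for a shortcut bundled with a script loader. The shortcut bytes are constructed in memory so it runs offline; the `cmd.exe` target, the `/c` arguments and the icon path are assumptions that only mirror the described chain, while the member names follow the report's IOC list.

```python
"""Static triage of a phishing ZIP that carries a weaponized .lnk (added example).

The Shell Link bytes are constructed here per MS-SHLLINK so the parser can run
offline; target, arguments and icon path are assumptions, not the real sample.
"""
import io
import struct
import zipfile

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1); StringData fields appear in this order
HAS_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1, 2, 4, 8
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 16, 32, 64, 128
SW_SHOWMINNOACTIVE = 7  # ShowCommand: window opens minimized and never activated
INTERPRETERS = ("cmd.exe", "powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32")
SCRIPT_EXTS = (".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg")


def _sd(s):
    """One StringData entry: CountCharacters (uint16) followed by UTF-16LE text."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path, arguments, icon_location, show_command):
    """Emit a minimal Unicode Shell Link with RELATIVE_PATH, ARGUMENTS and ICON_LOCATION."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + _sd(relative_path) + _sd(arguments) + _sd(icon_location)


def parse_lnk(data):
    """Return LinkFlags, ShowCommand and the StringData fields of a Shell Link."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = HEADER_SIZE
    if flags & HAS_TARGET_IDLIST:  # IDListSize (uint16) + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfoSize counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags, "show_command": show_command}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated StringData")
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return out


def triage_lnk(name, data):
    """Heuristics for the masquerading and execution tricks used in Stage 1."""
    info = parse_lnk(data)
    findings = []
    lower = name.lower()
    if lower.endswith(".lnk") and lower[:-4].endswith(DOC_EXTS):
        findings.append("shortcut named like a document (double extension, T1036.007)")
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    if any(i in target for i in INTERPRETERS):
        findings.append("target is a command interpreter (T1059)")
    if any(ext in target for ext in SCRIPT_EXTS):
        findings.append("command line chains to a script file (T1204.002)")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window opens minimized and inactive (T1564.003)")
    return findings


def scan_archive(zip_bytes):
    """Triage every .lnk in the archive and note script loaders bundled beside it."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        for n in names:
            if n.lower().endswith(".lnk"):
                report[n] = triage_lnk(n, zf.read(n))
        scripts = [n for n in names if n.lower().endswith(SCRIPT_EXTS)]
        if report and scripts:
            report["_archive"] = ["shortcut bundled with script loader: " + ", ".join(scripts)]
    return report


# Constructed sample mirroring the reported layout: LNK + BAT under info/, decoy PDF.
SAMPLE_LNK = build_lnk(r"..\..\..\..\Windows\System32\cmd.exe",   # assumed target
                       r"/c info\health-check.bat",                # assumed arguments
                       r"%SystemRoot%\System32\imageres.dll", SW_SHOWMINNOACTIVE)


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("info/juicio-grunt-posting.pdf.lnk", SAMPLE_LNK)
        zf.writestr("info/health-check.bat", "@echo off\r\nrem placeholder, not the real loader\r\n")
        zf.writestr("notas.pdf", "%PDF-1.4\n% placeholder decoy\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, notes in scan_archive(build_sample_zip()).items():
        print(member, *notes, sep="\n  ")
```

Against a real attachment, feed `scan_archive` the raw bytes of the ZIP; the parser skips the IDList and LinkInfo structures that real shortcuts usually carry, so the StringData offsets stay correct even though the constructed sample omits them.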
### Lateral Movement
- No lateral movement is confirmed in the report. The post-compromise activity described is command and control over encoded or encrypted channels (T1132, T1573); use of **Remote Services (T1021)** is mentioned only as a possibility.
### Data Exfiltration/Impact
- **Impact:** The goal was to establish persistent access to sensitive legal and institutional data via the deployed Covert RAT.
- **Data Accessed:** Data from Local System (T1005) potentially including sensitive legal case files.
### Detection & Response
- **Detection:** Identified and uncovered by Seqrite Labs through analysis of the malware activity and infection chain.
- **Response Actions:** Seqrite documented the IOCs and published technical analysis, aimed at providing defensive coverage (Seqrite Coverage).
## Attack Methodology
| MITRE Stage | Technique Name | Technique ID |
|---|---|---|
| **Initial Access** | Spearphishing Attachment (ZIP archive via email) | T1566.001 |
| | User Execution: Malicious File | T1204.002 |
| **Execution** | Windows Command Shell | T1059.003 |
| | PowerShell | T1059.001 |
| | Scheduled Task Execution | T1053.005 |
| **Defense Evasion** | Masquerading: Double File Extension (LNK named as PDF) | T1036.007 |
| | Hidden Window | T1564.003 |
| | Obfuscated / Encoded Commands (Base64) | T1027 |
| | Virtualization / Sandbox Evasion | T1497 |
| **Discovery** | System Information Discovery | T1082 |
| | Process Discovery | T1057 |
| **Persistence** | Registry Run Keys / Startup Folder | T1547.001 |
| | Scheduled Task / Job | T1053.005 |
| | WMI Event Subscription | T1546.003 |
| **Command and Control** | Application Layer Protocol (C2 using Web Protocols) | T1071.001 |
| | Encrypted Channel (Symmetric Cryptography) | T1573.001 |
| **Collection** | Data from Local System | T1005 |
| | Archive Collected Data | T1560 |
| **Exfiltration** | Exfiltration Over C2 Channel | T1041 |
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Access to sensitive legal documents, official judicial communications, and case files of Argentine federal courts is the likely objective; the report does not confirm what was taken.
- **Operational:** Potential disruption to sensitive judicial processes due to covert long-term surveillance.
- **Reputational:** Significant risk, particularly for the targeted judicial bodies, due to exposure of confidential data via a high-profile cyber intrusion.
## Indicators of Compromise
- **Network IOCs (Defanged URL/IP):**
- C2 IP: `181[.]231[.]253[.]69:4444`
- **File IOCs:**
- SHA-256 (assumed to be the ZIP archive; the report's summary does not state which file it belongs to): `13adde53bd767d17108786bcc1bc0707c2411a40f11d67dfa9ba1a2c62cc5cf3`
- Malicious LNK File: `info/juicio-grunt-posting.pdf.lnk`
- Loader Script: `info/health-check.bat`
- Final Payload: `msedge_proxy.exe` (file name under which the RAT is believed to run, masquerading as a Microsoft Edge component)
- **Behavioral Indicators:**
- Execution chain initiated by LNK file masquerading as a PDF shortcut.
- Use of a Rust-based RAT for stealthy command and control.
## Response Actions
- **Containment:** Not detailed in the report. Standard practice would be to isolate hosts showing the behavioral indicators above and block the C2 address at the perimeter.
- **Eradication:** Remove the persistence mechanisms listed in the technique table (scheduled tasks, Run keys, WMI event subscriptions) and the dropped RAT executable.
- **Recovery:** Restore system integrity and reset credentials for any account that was logged on to a compromised host.
## Lessons Learned
- **Sophisticated Social Engineering:** Attackers successfully leveraged highly specific, authoritative, and routine judicial documents (preventive detention reviews) to bypass user skepticism.
- **Multi-Stage Stealth:** The use of LNK -> BAT -> Rust RAT progression provided multiple stages for deployment while hiding the ultimate malicious goal behind a seemingly innocuous decoy PDF.
- **Modern Tooling:** The RAT is written in Rust. Rust binaries are large, statically linked and less familiar to analysts and signature authors than C/C++ tooling, which slows reverse engineering and reduces detection coverage; sandbox evasion is a separate behaviour the report maps to T1497.
## Recommendations
1. **Enhanced Email Filtering:** Sandbox and inspect archive attachments and quarantine any that contain `.lnk` files, regardless of the double extension used to disguise them.
2. **User Training:** Conduct sector-specific security awareness training focused on identifying highly realistic spear-phishing attempts concerning official legal or judicial documentation.
3. **Application Control:** Enforce application allow-listing and execution policies that block scripts (such as `.bat` files) launched from user-writable locations.
4. **Behavioral Monitoring:** Deploy EDR capable of detecting activity chained from shortcut files, especially shortcuts that execute command-line interpreters, create scheduled tasks, or spawn binaries that connect to external hosts on non-standard ports.
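The behavioral monitoring recommended above can be expressed as a small set of rules over process-creation and network-connection telemetry. The script below is an added example (not code from the report or from Seqrite) that runs such rules over constructed Sysmon-style events (EventID 1 for process creation, 3 for network connection) and reports when the execution, persistence and C2 stages of the described chain have all fired on one host. Only the C2 address and the file names come from the report; every command line, path and user name in the sample events is an assumption chosen to exercise the rules.

```python
"""Detection of the LNK -> BAT -> scheduled task -> RAT chain over Sysmon-style events.

Added example, not the report's or Seqrite's code. Events are constructed here
in a simplified Sysmon shape; command lines, paths and the user name are assumed.
"""
import ntpath

C2_IOCS = {("181.231.253.69", 4444)}  # from the report's IOC list (defanged there)
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk")
USER_WRITABLE = ("\\appdata\\", "\\temp", "\\downloads", "\\users\\public", "\\programdata")
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
STAGE = {"T1204.002": "execution", "T1053.005": "persistence", "T1547.001": "persistence",
         "T1036.005": "defense_evasion", "T1071.001": "c2", "T1571": "c2"}


def _base(path):
    return ntpath.basename(path).lower()


def _user_writable(*paths):
    return any(m in p.lower() for p in paths for m in USER_WRITABLE)


def rule_shortcut_interpreter(ev):
    """Explorer launching an interpreter on a script in a user-writable location."""
    if ev["EventID"] != 1 or _base(ev["ParentImage"]) != "explorer.exe":
        return None
    if _base(ev["Image"]) not in INTERPRETERS:
        return None
    cl = ev["CommandLine"].lower()
    if any(e in cl for e in SCRIPT_EXTS) and _user_writable(cl, ev.get("CurrentDirectory", "")):
        return "interpreter spawned by explorer.exe on a script", "T1204.002"
    return None


def rule_schtasks(ev):
    """schtasks /create issued by a command shell."""
    if (ev["EventID"] == 1 and _base(ev["Image"]) == "schtasks.exe"
            and "/create" in ev["CommandLine"].lower() and _base(ev["ParentImage"]) in INTERPRETERS):
        return "scheduled task created from a script", "T1053.005"
    return None


def rule_run_key(ev):
    """reg.exe adding a value under a Run key."""
    if ev["EventID"] == 1 and _base(ev["Image"]) == "reg.exe":
        cl = ev["CommandLine"].lower()
        if " add " in cl and "\\currentversion\\run" in cl:
            return "Run key persistence via reg.exe", "T1547.001"
    return None


def rule_masquerade(ev):
    """A binary named after a browser component running outside Program Files."""
    if (ev["EventID"] == 1 and _base(ev["Image"]) == "msedge_proxy.exe"
            and not ev["Image"].lower().startswith(PROGRAM_DIRS)):
        return "msedge_proxy.exe running outside Program Files", "T1036.005"
    return None


def rule_c2(ev):
    """Known C2 IOC, or a user-writable binary talking to a non-standard port."""
    if ev["EventID"] != 3:
        return None
    dst = (ev["DestinationIp"], ev["DestinationPort"])
    if dst in C2_IOCS:
        return f"connection to reported C2 {dst[0]}:{dst[1]}", "T1071.001"
    if dst[1] == 4444 and _user_writable(ev["Image"]):
        return "user-writable binary connecting to port 4444", "T1571"
    return None


RULES = (rule_shortcut_interpreter, rule_schtasks, rule_run_key, rule_masquerade, rule_c2)


def detect(events):
    """Run every rule over every event; one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append({"rule": hit[0], "technique": hit[1], "image": ev["Image"]})
    return alerts


def full_chain(alerts):
    """True once execution, persistence and C2 have all fired."""
    return {"execution", "persistence", "c2"} <= {STAGE[a["technique"]] for a in alerts}


SAMPLE_EVENTS = [  # constructed; "juez" is a placeholder user, 198.51.100.7/203.0.113.10 are documentation addresses
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c info\health-check.bat',
     "CurrentDirectory": r"C:\Users\juez\Downloads"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 5 /tn EdgeProxy /tr C:\Users\juez\AppData\Roaming\msedge_proxy.exe",
     "CurrentDirectory": r"C:\Users\juez\Downloads"},
    {"EventID": 1, "Image": r"C:\Users\juez\AppData\Roaming\msedge_proxy.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Users\juez\AppData\Roaming\msedge_proxy.exe", "CurrentDirectory": r"C:\Windows\System32"},
    {"EventID": 3, "Image": r"C:\Users\juez\AppData\Roaming\msedge_proxy.exe",
     "DestinationIp": "181.231.253.69", "DestinationPort": 4444},
    {"EventID": 3, "Image": r"C:\Users\juez\AppData\Roaming\msedge_proxy.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 4444},
    # benign noise: the real browser from Program Files, and a plain shell
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "msedge.exe", "CurrentDirectory": r"C:\Users\juez"},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe", "CurrentDirectory": r"C:\Users\juez"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for a in hits:
        print(a["technique"], a["rule"], "<-", a["image"])
    print("full chain observed:", full_chain(hits))
```

The IOC match on `181.231.253.69:4444` only catches this campaign's infrastructure; the `T1571` fallback (a binary in a user-writable directory talking to port 4444) and the `explorer.exe -> cmd.exe -> script` rule are what carry over to the next variant with a new C2 address.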