SVG Image Exploit – Shadow Vector Malware Uses Malicious Files to Spread AsyncRAT and RemcosRAT

Cybercriminals are leveraging a sophisticated malware campaign dubbed Shadow Vector, which has been uncovered by the Acronis Threat Research Unit (TRU).

This operation targets users in Colombia by distributing what appear to be urgent court notifications via email.

The malicious emails carry SVG (Scalable Vector Graphics) file attachments a file format known for rendering cleanly in web browsers and often evading traditional email security filters.

SVG smuggling, a technique recently formalized under the MITRE ATT&CK framework, is central to the operation.

The phishing emails mimic correspondence from Colombia’s labor court, using urgency and official branding to pressure victims into interacting with the attachment.

Diagram of a multistage attack delivering RemcosRAT through phishing and DLL side-loading, followed by driver-based privilege escalation.

The SVG files contain embedded links leading to password-protected ZIP archives hosted on public file-sharing platforms, including Bitbucket, Dropbox, Discord CDN, and YDRAY.

This method enables attackers to blend malicious payloads with legitimate traffic, thereby bypassing basic detection systems.

Once victims open the SVG and download the ZIP, they are prompted to extract an executable and several DLLs, one of which is malicious and exploits DLL side-loading to inject malware.

The infection chain typically delivers AsyncRAT and RemcosRAT, both notorious remote access trojans (RATs) favored for data theft.

The legitimate-looking executable (often named something like vcredist.exe) loads a malicious DLL, which starts the infection.

Attackers manipulate file structures by inserting extra bytes at the PE header to disrupt automated analysis and evade detection.

The payload creates a suspended legitimate process and performs process hollowing, using functions like NtAllocateVirtualMemory, Wow64SetThreadContext, and NtResumeThread to inject and execute malicious code under the guise of a trusted process.

Advanced Evasion and Data Exfiltration

Shadow Vector utilizes multiple evasion tactics. During execution, it checks the environment for indicators of analysis such as virtual machines, debuggers, and sandbox environments and terminates if such indicators are detected.

The malware configuration, often encrypted using AES and embedded within the payload, contains command-and-control (C2) server details, installation flags, and other runtime settings, all of which are decrypted at execution.

The payload establishes persistence by copying itself to a new location and creating scheduled tasks or registry keys to auto-start on login, sometimes using string reversal techniques for added obfuscation.

Malicious behaviors include keylogging, capturing screenshots, and scanning for cryptocurrency wallets and browser extensions across multiple browsers.

Once connected to the C2 server, the malware transmits sensitive data, including hardware IDs, usernames, OS details, and wallet presence.

In later variants, the Shadow Vector campaign has expanded its tactics, deploying modular loaders and using PowerShell and JavaScript stagers for in-memory execution, which reduces disk artifacts and makes detection and analysis even more challenging.

Some loader samples feature Portuguese-language strings, suggesting possible code reuse or collaboration with Brazilian-based cybercriminals.

Mitigation and Response

The Colombian judiciary has issued advisories warning users about these attacks and urging caution when handling emails that prompt document downloads.

To protect against such threats, organizations should implement robust email filtering, educate users about the risks of opening attachments from unknown sources, and utilize advanced endpoint detection and response (EDR) solutions that can detect process hollowing and in-memory attacks.