PureHVNC RAT Distributed via Weaponized Judicial Documents
The campaign leverages judicial document themes to distribute Hijackloader malware, which subsequently deploys PureHVNC remote access trojan (RAT)—marking the first observed instance where this combination has been used against Spanish-speaking users in Latin America.
The campaign represents a significant tactical shift for threat actors operating in the region. Hijackloader, previously documented in campaigns targeting CrowdStrike customers with RemcosRAT delivery, has now been repurposed to distribute PureHVNC, a malware-as-a-service tool actively sold on underground forums and Telegram channels.
Between August and October 2025, IBM X-Force identified a sophisticated campaign targeting Colombian users through emails impersonating the country’s Attorney General’s office.
This convergence of established attack infrastructure with emerging payload delivery demonstrates the evolving threat landscape facing LATAM organizations.
Threat actors crafted convincing emails falsely claiming to originate from Colombia’s Attorney General’s office, informing recipients that ...
Copyright of this story solely belongs to gbhackers.

