Attackers Abuse Court Documents, GitHub Payloads to Infect Judicial Targets With COVERT RAT

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A new wave of targeted attacks is quietly hitting Argentina’s judicial system, using fake court documents to lure legal professionals into installing a dangerous piece of malware.

The campaign, formally called Operation Covert Access, deploys a Rust-built Remote Access Trojan known as COVERT RAT via spear-phishing emails that closely mimic genuine federal court communications.

Once inside a system, the threat gives attackers persistent control over the infected machine and everything stored on it.

The operation takes direct aim at Argentina’s legal ecosystem — federal courts, law practitioners, government justice agencies, academic institutions, and advocacy organizations.

Attackers constructed phishing emails around real Argentine federal court rulings covering preventive detention reviews, knowing that judicial professionals would not question the legitimacy of such documents.

That careful choice of subject matter is precisely what makes this campaign so effective — it exploits trust in the legal process rather than relying on curiosity or fear alone.

Point Wild analysts identified and investigated the operation, building on foundational research published by Seqrite.

Their work provided an in-depth breakdown of the PowerShell execution flow, payload retrieval techniques, and the masquerading methods attackers used throughout each stage.

The analysis confirmed that this is not a simple one-step attack but a layered intrusion effort crafted to remain unnoticed inside institutional networks for as long as possible.

The threat goes far beyond basic surveillance. COVERT RAT connects back to a command-and-control server at 181.231.253.69:4444, from which attackers can issue encoded instructions covering everything from file theft to ransomware deployment.

Its modular design supports credential harvesting, privilege escalation, encrypted file operations, and persistent re-access.

What makes it particularly concerning is its built-in cleanup capability — when operators are finished, a single command erases every trace of the malware, making post-incident forensics significantly harder.

Execution flow (Source – Point Wild)

The delivery method behind this campaign is deliberately layered. A phishing email drops a ZIP archive containing three components: a Windows shortcut (LNK) file, a batch loader script, and a convincing judicial PDF decoy.

When the target opens the shortcut, the malicious script runs quietly in the background while the decoy PDF opens normally in the foreground.

The final payload then hides itself as msedge_proxy.exe within Microsoft Edge’s user data folder — a calculated move to blend in with trusted system processes.

Multi-Stage Infection Mechanism

When the recipient opens the shortcut file, named juicio-grunt-posting.pdf.lnk and dressed up with a PDF icon, it silently invokes PowerShell with the execution policy disabled and hidden mode enabled.

Zip contains LNK, PDF and BAT files (Source – Point Wild)

This immediately triggers the batch loader, health-check.bat, which reaches out to a GitHub-hosted repository and downloads the RAT payload.

The .bat file downloading the payload (Source – Point Wild)

Using GitHub as a delivery channel adds perceived legitimacy, since traffic to the platform rarely triggers network-level alerts.

Once downloaded, the payload executes through PowerShell’s Start-Process command and stores itself as msedge_proxy.exe.

Dropped msedge_proxy.exe file (Source – Point Wild)

The malware then runs environment checks — querying the system manufacturer through WMIC, scanning the tasklist for tools like Wireshark, OllyDbg, and x64dbg, and examining registry paths linked to VMware, VirtualBox, and Hyper-V.

It also inspects the Process Environment Block (PEB) for active debuggers and measures timing behavior using QueryPerformanceFrequency to catch emulated environments.

Only when every check passes does the RAT proceed to beacon its C2 server and await operator commands.
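A small hunting routine for the chain described above, added here as an illustration and not part of the Point Wild or Seqrite analysis: it runs a few rules derived from the report (hidden PowerShell launch with the execution policy bypassed, a batch loader fetching from GitHub, msedge_proxy.exe living inside Edge's User Data folder, and a connection to the reported C2 socket) over Sysmon-style events. The event dictionaries, the repository placeholder and the exact command lines are constructed for the example; the assumption that the batch loader runs under cmd.exe is likewise mine.

```python
import re
from typing import Dict, List

# Indicators from the Operation Covert Access report: the C2 socket is the one the
# article names; the path and command-line patterns encode the chain it describes.
C2_IP, C2_PORT = "181.231.253.69", 4444
EDGE_USERDATA = re.compile(r"\\microsoft\\edge\\user data\\", re.I)
PS_BYPASS = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)
PS_HIDDEN = re.compile(r"-(?:w|windowstyle)\s+hidden", re.I)


def score_event(ev: Dict) -> List[str]:
    """Return the rule names a single Sysmon-style event trips (empty if none)."""
    hits = []
    if ev["type"] == "process":
        image, cmd = ev["image"].lower(), ev.get("cmdline", "")
        # Stage 1: the LNK launches PowerShell with ExecutionPolicy bypassed and the window hidden.
        if image.endswith("\\powershell.exe") and PS_BYPASS.search(cmd) and PS_HIDDEN.search(cmd):
            hits.append("covert-rat:hidden-powershell-launch")
        # Stage 2: the batch loader (assumed to run under cmd.exe) pulls the payload from GitHub.
        if image.endswith("\\cmd.exe") and "github" in cmd.lower() and ".bat" in cmd.lower():
            hits.append("covert-rat:bat-github-download")
        # Stage 3: payload masquerading as msedge_proxy.exe inside Edge's User Data folder.
        if image.endswith("\\msedge_proxy.exe") and EDGE_USERDATA.search(image):
            hits.append("covert-rat:msedge_proxy-in-edge-userdata")
    elif ev["type"] == "network" and (ev["dst_ip"], ev["dst_port"]) == (C2_IP, C2_PORT):
        hits.append("covert-rat:c2-beacon")
    return hits


def hunt(events: List[Dict]) -> List[str]:
    """Run score_event over a log and return the distinct rules tripped, sorted."""
    return sorted({h for ev in events for h in score_event(ev)})


# Constructed sample log, not a real capture; file names and C2 socket follow the article.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File health-check.bat"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c health-check.bat https://github.com/<placeholder-repo>/raw"},
    {"type": "process", "image": r"C:\Users\juez\AppData\Local\Microsoft\Edge\User Data\msedge_proxy.exe",
     "cmdline": "msedge_proxy.exe"},
    {"type": "process", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe --type=renderer"},
    {"type": "network", "dst_ip": "181.231.253.69", "dst_port": 4444},
    {"type": "network", "dst_ip": "140.82.112.3", "dst_port": 443},
]

if __name__ == "__main__":
    for rule in hunt(SAMPLE_EVENTS):
        print(rule)
```

The legitimate msedge.exe renderer and the HTTPS connection in the sample trip nothing, which is the point: the rules key on the masquerade path and the reported socket rather than on the Edge name alone.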

Security teams and individuals working within judicial or legal environments should act on the following:

  • Keep antivirus software updated and ensure real-time protection remains active at all times.
  • Never open email attachments from unverified senders, especially compressed archive files.
  • Avoid clicking on suspicious links or downloading files from sources outside official channels.
  • Monitor running processes in Task Manager regularly and investigate unfamiliar entries like msedge_proxy.exe.
  • Do not install cracked or pirated software, as these commonly serve as secondary infection vectors.
