SOC Prime Bias: Critical

21 Jan 2026 19:10

Operation Covert Access: Weaponized LNK-Based Spear-Phishing Targeting Argentina’s Judicial Sector to Deploy a Covert RAT

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Summary

Seqrite identified a spear-phishing operation that delivers a weaponized LNK shortcut paired with a malicious BAT loader. Once executed, the loader pulls down a Rust-based remote access trojan from a GitHub repository, where it runs anti-analysis checks and establishes a resilient command-and-control channel. The activity is assessed to target Argentina’s judicial organizations and adjacent government entities. To increase the likelihood of execution, the attackers include legitimate-looking PDF decoy content in the delivery package.

Investigation

Analysts examined the ZIP archive containing the LNK, BAT, and PDF files, then reconstructed the PowerShell command sequence used to trigger the BAT loader. They profiled the RAT’s functionality, including anti-VM/anti-sandbox checks, host reconnaissance and system fingerprinting, persistence setup, and encrypted tasking over C2. The observed behaviors were mapped to relevant MITRE ATT&CK techniques, with notable patterns such as masquerading, PowerShell execution policy bypass, and secondary/fallback C2 logic to maintain connectivity if primary channels fail.

Mitigation

Apply strict governance for shortcut (LNK) execution, particularly from user-writable locations and compressed archives, and enforce hardened PowerShell execution policies with centralized logging. Restrict or proxy outbound access to unauthorized GitHub repositories, and alert on suspicious download-and-execute patterns originating from script interpreters. Monitor for persistence via Run registry keys or scheduled tasks with anomalous or newly observed names. Where feasible, deploy detections that surface common anti-analysis behaviors and ensure users handling PDFs operate under least privilege to reduce the blast radius of successful execution.

Response

Trigger alerts when the weaponized LNK is created or executed, and when the associated PowerShell invocation chain is observed. Proactively hunt for the dropped msedge_proxy.exe artifact and any linked persistence entries in the registry or task scheduler. Isolate affected endpoints, terminate the malicious process tree, and remove any created scheduled tasks and Run-key values. Complete a full forensic review to validate scope, confirm whether data was staged or exfiltrated, and identify any additional hosts exposed to the same ZIP/LNK delivery pattern.
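As an added example (not code from the SOC Prime page or from Seqrite's report), the following Python routine applies the detection ideas from the Mitigation and Response sections to a few constructed Sysmon-style process-creation and registry events: it flags the hidden, policy-bypassing PowerShell launch of a .bat loader, msedge_proxy.exe running from a user-writable path, and Run-key or schtasks persistence pointing at such a path. Field names, file paths, the task name and the Run value name are assumptions, not indicators from the report.

```python
import re
from dataclasses import dataclass

# Constructed list of user-writable locations named in the Mitigation section.
USER_WRITABLE = re.compile(r"\\(?:temp|appdata|downloads|public)\\", re.I)

@dataclass
class Event:                  # Sysmon-style: id 1 = process create, 13 = registry value set
    event_id: int
    image: str = ""
    command_line: str = ""
    target_object: str = ""   # registry value path (event 13)
    details: str = ""         # registry value data (event 13)

def detect(events):
    """Return (rule, evidence) pairs for the LNK -> PowerShell -> BAT -> RAT chain."""
    hits = []
    for e in events:
        cl, img = e.command_line.lower(), e.image.lower()
        if e.event_id == 1 and img.endswith("\\powershell.exe"):
            # The observed launch: execution-policy bypass, hidden window, -f on a .bat file
            bypass = re.search(r"\s-(?:ep|executionpolicy)\s+bypass\b", cl)
            hidden = re.search(r"\s-w(?:indowstyle)?\s+hidden\b", cl)
            bat = re.search(r'\s-f(?:ile)?\s+"?[^"]*?\.bat\b', cl)
            if bypass and hidden and bat:
                hits.append(("ps_hidden_bypass_bat_loader", e.command_line))
        elif e.event_id == 1 and img.endswith("\\msedge_proxy.exe"):
            # Edge ships a genuine msedge_proxy.exe under Program Files; the dropped copy
            # runs from a user-writable directory, so the path, not the name, is the signal.
            if USER_WRITABLE.search(img):
                hits.append(("msedge_proxy_from_user_writable_path", e.image))
        elif e.event_id == 1 and img.endswith("\\schtasks.exe") and "/create" in cl:
            if USER_WRITABLE.search(cl):
                hits.append(("schtasks_create_user_writable_binary", e.command_line))
        elif e.event_id == 13 and "\\currentversion\\run\\" in e.target_object.lower():
            if USER_WRITABLE.search(e.details):
                hits.append(("run_key_to_user_writable_binary", e.target_object))
    return hits

def sample_events():
    """Constructed telemetry (paths, task/value names assumed): two benign, four suspicious."""
    t = r"C:\Users\u\AppData\Local\Temp"
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        Event(1, ps, r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
        Event(1, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe", "msedge_proxy.exe"),
        Event(1, ps, rf"powershell.exe -ep bypass -w hidden -f {t}\health-check.bat"),
        Event(1, rf"{t}\msedge_proxy.exe", "msedge_proxy.exe"),
        Event(13, target_object=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\EdgeProxy", details=rf"{t}\msedge_proxy.exe"),
        Event(1, r"C:\Windows\System32\schtasks.exe", rf'schtasks.exe /create /tn EdgeProxyUpdate /tr "{t}\msedge_proxy.exe" /sc minute /mo 5'),
    ]
```

The two benign records (a scripted backup run and the real Edge helper) produce no hits, which is the point of keying on the hidden-window/.bat combination and on the binary's path rather than its name.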

Attack Flow

    graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef artifact fill:#cccccc
    classDef tool fill:#ffcc99
    classDef malware fill:#ff9999
    classDef operator fill:#ff9900

    %% Nodes
    artifact_email_zip["<b>Artifact</b> – Malicious Email ZIP<br/><b>Content</b>: Contains LNK file and decoy PDF."]
    class artifact_email_zip artifact
    artifact_lnk["<b>Artifact</b> – LNK file (info/juicio-grunt-posting.pdf.lnk)<br/><b>Technique</b>: T1027.012 Icon Smuggling"]
    class artifact_lnk artifact
    attack_initial_access["<b>Action</b> – T1566.001 Spearphishing Attachment<br/><b>Description</b>: Delivery of malicious ZIP via email."]
    class attack_initial_access action
    attack_user_execution["<b>Action</b> – T1204.002 Malicious File Execution<br/><b>Description</b>: User clicks the LNK masquerading as PDF."]
    class attack_user_execution action
    defense_evasion_icon["<b>Action</b> – T1027.012 LNK Icon Smuggling<br/><b>Description</b>: LNK uses PDF icon to disguise itself."]
    class defense_evasion_icon action
    execution_powershell["<b>Action</b> – T1059.001 PowerShell & T1059.003 Windows Command Shell<br/><b>Description</b>: LNK launches PowerShell with bypass and hidden window, running a BAT loader."]
    class execution_powershell action
    defense_evasion_obfusc["<b>Action</b> – T1027 Obfuscated/Encoded Commands<br/><b>Description</b>: PowerShell command and C2 messages are Base64-encoded."]
    class defense_evasion_obfusc action
    artifact_bat["<b>Artifact</b> – health-check.bat<br/><b>Purpose</b>: Downloads and saves msedge_proxy.exe."]
    class artifact_bat artifact
    malware_rust_rat["<b>Malware</b> – msedge_proxy.exe (Rust RAT)<br/><b>Techniques</b>: T1497.001 Virtualization/Sandbox Evasion, T1622 Debugger Evasion, T1547.001 Registry Run Keys, T1053.005 Scheduled Task"]
    class malware_rust_rat malware
    defense_evasion_sandbox["<b>Action</b> – T1497.001 Virtualization/Sandbox Evasion & T1622 Debugger Evasion<br/><b>Description</b>: Checks registry, drivers, MAC prefixes, sandbox folders, IsDebuggerPresent."]
    class defense_evasion_sandbox action
    persistence_registry["<b>Action</b> – T1547.001 Registry Run Keys / Startup Folder<br/><b>Description</b>: Creates HKCU Run entries for persistence."]
    class persistence_registry action
    persistence_task["<b>Action</b> – T1053.005 Scheduled Task<br/><b>Description</b>: Registers a scheduled task via schtasks with delayed execution."]
    class persistence_task action
    discovery_system["<b>Action</b> – T1082 System Information Discovery<br/><b>Description</b>: Collects hostname, username, OS version, privilege level."]
    class discovery_system action
    discovery_process["<b>Action</b> – T1057 Process Discovery<br/><b>Description</b>: Runs tasklist to detect analysis tools and VM processes."]
    class discovery_process action
    collection_local["<b>Action</b> – T1005 Data from Local System<br/><b>Description</b>: Harvests files for exfiltration."]
    class collection_local action
    c2_app_layer["<b>Action</b> – T1071 Application Layer Protocol & T1573 Encrypted Channel<br/><b>Description</b>: Communicates with C2 server over HTTP(S) using encrypted payloads."]
    class c2_app_layer action
    c2_encoding["<b>Action</b> – T1132.001 Data Encoding (Base64)<br/><b>Description</b>: All C2 commands are Base64-encoded."]
    class c2_encoding action
    exfiltration["<b>Action</b> – T1041 Exfiltration Over C2 Channel<br/><b>Description</b>: Sends collected data via the same C2 channel."]
    class exfiltration action

    %% Flow connections
    artifact_email_zip -->|contains| artifact_lnk
    artifact_email_zip -->|delivers| attack_initial_access
    attack_initial_access -->|leads to| attack_user_execution
    attack_user_execution -->|triggers| defense_evasion_icon
    defense_evasion_icon -->|leads to| execution_powershell
    execution_powershell -->|runs| artifact_bat
    artifact_bat -->|downloads| malware_rust_rat
    malware_rust_rat -->|performs| defense_evasion_sandbox
    defense_evasion_sandbox -->|establishes| persistence_registry
    persistence_registry -->|adds| persistence_task
    persistence_task -->|enables| discovery_system
    discovery_system -->|feeds| discovery_process
    discovery_process -->|collects| collection_local
    collection_local -->|sends to| c2_app_layer
    c2_app_layer -->|uses| c2_encoding
    c2_encoding -->|transports| exfiltration

    %% Apply classes
    class artifact_email_zip,artifact_lnk,artifact_bat artifact
    class attack_initial_access,attack_user_execution,defense_evasion_icon,execution_powershell,defense_evasion_obfusc,defense_evasion_sandbox,persistence_registry,persistence_task,discovery_system,discovery_process,collection_local,c2_app_layer,c2_encoding,exfiltration action
    class malware_rust_rat malware

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:

    1. Initial Compromise: The attacker sends a spear‑phishing email with a weaponized .lnk shortcut targeting a judicial employee. The shortcut points to a PowerShell command that runs with -ExecutionPolicy Bypass and a hidden window to avoid suspicion.

    2. Execution Flow: When the user clicks the shortcut, Windows runs the following command, which launches health-check.bat. The batch file contains the real malicious payload (e.g., a PowerShell downloader that fetches a RAT).

       powershell.exe -ep bypass -w hidden -f health-check.bat
    3. Payload Delivery: health-check.bat performs a quiet HTTP GET to a malicious C2, writes the payload to %TEMP%, and executes it.

  • Regression Test Script: The script below reproduces the exact telemetry by creating health-check.bat with harmless content (to keep the test safe) and then invoking the PowerShell command.

    # -------------------------------------------------
    # Simulation Script – Weaponized LNK PowerShell Exec
    # -------------------------------------------------
    # 1. Create a dummy health-check.bat in %TEMP% (harmless for testing)
    $batPath = Join-Path $env:TEMP "health-check.bat"
    Set-Content -Path $batPath -Value '@echo off & echo Simulated payload executed' -Encoding ASCII
    
    # 2. Execute PowerShell with the exact flags and script name observed in the campaign
    #    (the path is quoted so a TEMP directory containing spaces still works)
    $psCommand = "powershell.exe -ep bypass -w hidden -f `"$batPath`""
    Write-Host "Executing: $psCommand"
    Start-Process -FilePath "powershell.exe" -ArgumentList "-ep", "bypass", "-w", "hidden", "-f", "`"$batPath`"" -NoNewWindow
    
    # 3. Wait a few seconds to ensure logs are generated
    Start-Sleep -Seconds 5
    # -------------------------------------------------
  • Cleanup Commands: Remove the test batch file and any lingering processes.

    # Cleanup the dummy health-check.bat
    Remove-Item -Path (Join-Path $env:TEMP "health-check.bat") -ErrorAction SilentlyContinue
    
    # Ensure no stray PowerShell instances from the test remain (without killing this session)
    Get-Process -Name "powershell" -ErrorAction SilentlyContinue | Where-Object { $_.Id -ne $PID } | Stop-Process -Force