{
  "name": "COVERT RAT: Phishing Campaign",
  "slug": "covert-rat-phishing-campaign",
  "description": "A sophisticated multi-stage infection chain targets Argentina's judicial ecosystem using spear-phishing tactics and authentic-looking judicial content. The campaign delivers a carefully crafted ZIP archive containing a weaponized LNK shortcut, a BAT-based loader script, and a judicial-themed PDF decoy. The attack chain ends with the deployment of a Rust-based Remote Access Trojan (RAT) that uses extensive anti-VM, anti-sandbox, and anti-debugging techniques. The RAT establishes a resilient command-and-control channel, supports modular commands for various malicious activities, and implements full lifecycle management. The operation, dubbed 'Operation Covert Access,' aims to secure long-term access within high-trust institutional settings; it highlights the need for improved defenses against socially engineered intrusion chains.",
  "published": "2026-03-16T14:29:07+00:00",
  "created_at": "2026-03-16T14:29:07+00:00",
  "modified_at": "2026-03-16T17:22:04+00:00",
  "created_at_opencti": "2026-03-16T14:29:07+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-03-16",
    "anti-analysis",
    "argentina",
    "covert rat",
    "judicial-sector",
    "multi-stage infection",
    "phishing",
    "remote access trojan",
    "rust-based malware",
    "spear-phishing"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "181.231.253.69"
      },
      {
        "id": "",
        "name": "4612c90cdfb7e43b4e9afe2a37a82d8b925bab3fd3838b24ec73b0e775afdb75"
      },
      {
        "id": "",
        "name": "10bbc5e192c3d01100031634d4e93f0be4becbe0a63f3318dd353e0f318e43de"
      },
      {
        "id": "",
        "name": "6ae4222728240a566a1ca8c8873eab3b0659a28437877e4450808264848ab01e"
      },
      {
        "id": "",
        "name": "37e6da4c813557f09fa2336b43c9fbb4633e562952f5113f6a6a8f3c226854eb"
      },
      {
        "id": "",
        "name": "13adde53bd767d17108786bcc1bc0707c2411a40f11d67dfa9ba1a2c62cc5cf3"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:88df4a08c9be7f21",
        "name": "COVERT RAT",
        "slug": "covert-rat"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Argentina"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69b821c38b5e35d90728323e",
    "https://www.pointwild.com/threat-intelligence/covert-rat-phishing-campaign/"
  ]
}