Red Akodon, a new threat actor distributing RAT to Colombia


The purpose of this report is to highlight a new threat actor that SCILabs identified and profiled during April 2024. This actor has been observed impersonating organizations, primarily government entities from Colombia. The information and indicators of compromise were obtained through threat-hunting activities, malware analysis, and intelligence processes in public and private sources.

Due to its behavior and characteristics, SCILabs named it Red Akodon. This threat actor targets users of all types in Colombia, including public and private organizations employees, to steal confidential information such as bank accounts details, e-mail accounts, social media credentials, and access to corporate portals, among others, using remote access trojans (RAT) like RemcosRAT, QasarRat, AsyncRAT, and, XWorm. Red Akodon‘s initial access vector occurs mainly using phishing emails, which are used as a pretext for alleged lawsuits and judicial summonses, apparently coming from Colombian institutions such as the Fiscalía General de la Nación and Juzgado 06 civil del circuito de Bogotá.

According to SCILabs’ research, Red Akodon has operated mainly in Colombia since April 2024, gradually increasing its activity since its first appearance. It has made small but constant changes to its infrastructure (such as its command-and-control servers or its malware download) and has used TTP to evade security solutions and make it difficult for cyber threat researchers to analyze.


Region of operation

After conducting threat hunting and intelligence processes on public and private sources, SCILabs determined with a high confidence level that Red Akodon attacks have primarily affected Colombia.

To date, no campaigns have been identified affecting another region of LATAM or the world; however, SCILabs has the hypothesis, based on experience, that it is highly likely that this threat actor will spread the distribution of its campaigns to other Latin American countries in the future.

The following map shows Red Akodon‘s main operating region (highlighted in red), and its future potential target countries (highlighted in green).


Figure 1. Red Akodon’s operating region


Below is the chronology of the most relevant activity of Red Akodon, according to the campaigns identified by SCILabs during April 2024. It is important to mention that, over time, the infrastructure and artifacts operated by this threat actor have experienced constant changes. Thus, for the following example the most outstanding activity observed so far was considered.


Figure 2. Red Akodon’s most relevant activity


Who is affected?

During the investigation, SCILabs identified that this threat actor’s campaigns primarily target Colombia. Although it did not appear to target any specific sector, it may affect public and private organizations of any industry, for example:

  • Public organizations in industries such as:
    • Government
    • Health
    • Education


  • Private organizations in industries such as:
    • Financial
    • Manufacturing
    • Food
    • Services
    • Transportation


How can this affect an organization?

Red Akodon’s main goal is to steal all types of information (including highly sensitive data from multiple users, as well as logging the activity of their keyboard, screen and mouse). The victims can be employees of any kind of public and private organizations.

Considering the information above and taking into account that the intention of this threat actor campaign intends to infect victims with Trojans which are designed for logging and tracking devices remotely, a successful attack could result in the compromise of sensitive information that could be used maliciously by cybercriminals, leaking it or selling it within clandestine forums on the Dark Web or in the black market, to then use it to carry out more sophisticated and dangerous attacks such as ransomware, which can put at risk the integrity, confidentiality, and availability of the organization’s information, not mentioning that it may cause financial and reputational losses.



Threat context

During April 2024, through monitoring and threat-hunting processes, SCILabs identified several phishing emails aimed mainly at users in Colombia, which used an alleged lawsuit on behalf of the victim as a pretext. Two email variants were identified: the first contains a hyperlink to a DOCX-type file hosted on Drive; the second includes an attached SVG file which is also an alleged Word file, like in the first e-mail, but it is actually an image with a hyperlink inside.


Figure 3. Mail used by Red Akodon with a malicious link

Figure 4. Mail used by Red Akadon with a malicious SVG file


It is important to mention that no email spoofing techniques were identified and that the accounts from which the phishing emails were sent have domains that belong to agencies of the Colombian government ( and legitimate companies of the same country.

SCILabs conducted an investigation and identified several posts on underground forums, where compromised credentials of domains related to the analyzed malware campaigns were found. According to these publications, the credentials were obtained through the infostealers RisePro  and Vidar.

Figure 5. Post in a clandestine forum with credentials for sale of the domain magdalena[.]gov[.]co


Technical overview

First campaign identified

In the first campaign identified by SCILabs, the email contains a link with an alleged .docx file related to a lawsuit. If the user clicks on it, they are redirected to a Google Drive or OneDrive repository where a preview of an Office Word document is displayed in which more details of the alleged lawsuit are shared, and which contains a URL for downloading an additional file protected with a password (shared within the document).


Figure 6. DOCX document formatted as a supposed lawsuit


If the user clicks on the link “DESCARGAR DEMANDA”, the download of a .zip-type compressed file from a GitHub repository begins. During the investigation, multiple active campaigns were identified in different  repositories, such as advertising, filed, judicial, demand, receipt, and files.


Figure 7. GitHub repositories used by Red Akadon (top) and ZIP archives stored in the repositories (bottom)


Additionally, the compressed file contains a folder with the same name, which is a directory that includes the following files:

  • 01 CITACION DEMANDA.exe: VMWare Tools legitimate executable
  • glib-2.0.dll: Biblioteca maliciosa encargada de inyectar AsyncRAT en el proceso MSBuild.exe
  • gmodule-2.0.dll: GLib legitimate library
  • gobject-2.0.dll: Glib legitimate library
  • gthread-2.0.dll: Glib legitimate library
  • dll: Legitimate library for the use of icons
  • dll: Windows legitimate library
  • dll: VMWare legitimate library
  • html: HTML type file. No malicious behavior was identified during the analysis

Figure 8. Content of the downloaded compressed file


In one of the campaigns identified by SCILabs, the zip file also contains a folder with a legitimate executable WinZIP; however, it was not observed to be used at any stage of the infection chain.


Figure 9. Digital signature of the WinZip28.exe file


If the user executes the file 01 CITACION DEMANDA.exe, the infection chain begins by exploiting a DLL-hijacking vulnerability contained in the VMWare executable to inject the AsyncRAT malware into the legitimate MSBuild.exe process. This technique has been observed in the past and documented in public investigations.

During the execution, a connection to melo2024[.]kozow[.]com was detected, and the text string “AsyncRAT Server” could be observed in the request.


Figure 10. Content of the request observed during the analysis


Furthermore, the memory of the created process identified the text string “CRACKED BY hxxps[:]//t[.]me/xworm_v2”. The URL belongs to a Telegram group where multiple RATs are distributed, including AsyncRAT, RemcosRAT, and various versions of XWorm.


Figure 11. Strings observed in the memory of the MSBuild.exe process

Figure 12. RATs distributed by the Telegram group


SCILabs also observed the execution of the taskkill.exe /im cmstp.exe /f command to disable UAC (User Account Control), which grants administrator privileges without user authorization.

Figure 13. Command executed for UAC deactivation


The malware operated by Red Akodon executes a PowerShell script stored in C:\Users\Public to configure Windows Defender exclusions, avoiding certain processes and directories on the system and stopping the process cmstp.exe.


Figure 14. Script used to change Windows Defender settings


Red Akodon performs persistence generation by creating shortcuts in the Windows Start menu directory and a scheduled task that runs the legitimate VMWare file.


Figure 15. Persistence created in the Windows start menu (top) and task scheduled for dropper execution (bottom)


Once the AsyncRAT malware is injected into the MSBuild.exe process, it collects information from the infected computer and downloads additional Trojans. During the analysis of this campaign, the installation of the RemcosRAT and Quasar Trojans was observed.

SCILabs has the hypothesis that Red Akodon installs different Trojans to have multiple mechanisms for information theft.


Figure 16. RemcosRAT and Quasar execution

In the specific case of RemcosRAT, it is installed in the path C:\ProgramData\Remcos\, and creates a registry key to add it to the Windows Start menu.


Figure 17. RemcosRAT installation path

Figure 18. Registry key created for persistence


The following table shows the parameters found when analyzing the RemcosRAT samples installed in this campaign.


Table 1. RemcosRAT parameters


On the other hand, Quasar is stored in %TEMP%; however, no persistence methods were identified for this malware. SCILabs hypothesizes that the execution is triggered from the MSBuild.exe process since there are text strings in the process memory with the path of this executable.


Figure 19. Strings found in the process MSBuild.exe


The following table shows the parameters when analyzing the Quasar samples installed in this campaign.


Table 2. Quasar parameters


In addition to installing the Trojans, there is a download of multiple artifacts which seem to be legitimate files but contain the Neshta malware. This malware aims to modify sections of an executable file and load malicious code. The executable is stored in C:\Windows with the name and creates a registry key that tells the system to run the Neshta artifact every time an EXE-type file is opened. When a program is executed, the original file is sent to the path %TEMP%\3582-490.


Figure 20. Neshta artifacts downloaded during infection

Figure 21. Registration key created by Neshta

Figure 22. Directory where the original executables are stored after their sections were modified


The IObit Unlocker software installation was also observed in path C:\ProgramData\IObitUnlocker. This program offers file management functionalities, such as deleting, renaming, moving, and copying any file, regardless of whether another program uses it. Yet, it is important to mention that some security solutions on VirusTotal classify this software as a PUA (Potentially Unwanted Application).

Figure 23. IObit Unlocker installation path


Second campaign identified

In the second campaign identified by SCILabs, the email contains an SVG file that seems to be an alleged document of a lawsuit from the Fiscalía General de la Nación of Colombia. Like in the first campaign, the image contains a URL: if the user clicks on it, they are redirected to a GitHub repository from where the download of a compressed file begins.


Figure 24. SVG file with the alleged lawsuit


Additionally, the compressed file contains a folder with the same name, which is a directory that includes the following files:

  • 04 CITACION DEMANDA.exe: Neshta executable file
  • dll: Malicious library responsible for injecting AsyncRAT into the MSBuild.exe process
  • dll: ASUS legitimate library
  • dll: ASUS legitimate library
  • eps: Unknown file, no malicious behavior detected during analysis
  • ai : Unknown file, no malicious behavior detected during analysis


Figure 25. Contents of the compressed file


If the user executes the file 04 CITACION DEMANDA.exe, the infection chain described above begins. It is important to mention that during the analysis, no additional downloads of the Neshta malware were identified as in the first campaign analyzed. Hence, SCILabs hypothesizes that this activity is not carried out in this campaign because the dropper is a variant of Neshta and already fulfills that function.


Attack flow summary

  1. The user receives a phishing email from a compromised account belonging to the gov. codomain, using alleged lawsuits and court summons as pretexts.
  2. The email contains an attached SVG file, a OneDrive or a Google Drive hyperlink.
  3. If the user opens the SVG file, they are shown an alleged lawsuit or judicial summons that appears to come from the Fiscalía General de la Nación or from a Colombian court.
  4. If the user clicks on the hyperlinks, they are redirected to a Google Drive or OneDrive repository (as the case may be) containing the supposed lawsuit or judicial summons allegedly coming from the Fiscalía General de la Nación, or any Colombian court.
  5. If the user clicks on “Descargar una copia de la demanda” (Download a copy of the lawsuit) they are redirected to a GitHub repository to obtain a compressed file in ZIP or 7ZIP format.
  6. If the user unzips and executes the contents of the previous file, the malicious activity begins.
  7. Red Akodon injects a variant of AsyncRAT into the legitimate Windows MSBuild process, by exploiting DLL-Hijacking vulnerabilities in legitimate artifacts mainly related to VMWare, or the Neshta malware that pretends to be a legitimate software.
  8. Red Akodon generates persistence using shortcuts in the Windows start menu.
  9. Red Akodon downloads and installs one or more remote access Trojans.
  10. The RAT begins tracking and logging the keyboard, and screen activity, obtaining all kinds of information from the victim.
  11. The stolen information is shared with the attacker’s command and control server.
  12. Finally, the attacker can install remote administration tools and perform other tasks, such as downloading additional artifacts and restarting the computer.


Attack flow diagram

The following attack flow was observed by SCILabs from malware analysis.


Figure 26. Diagram of the attack flow identified by SCILabs


TTP observed aligned to MITRE ATT&CK® Framework

The following TTP matrix based on the MITRE Framework was obtained from malware analysis and intelligence processes in open sources.


Table 3. TTP observed aligned to the MITRE ATT&CK® framework


Diamond model

The following diamond model was obtained from the malware analysis and intelligence processes in open sources.


Figure 27. Diamond model identified by SCILabs



To make the corresponding attribution and determine with a high level of confidence that this is a new threat actor, SCILabs conducted an in-depth investigation looking for overlaps with other known threats, particularly with APT-C-36  and TA558, which are highly active threat groups in Colombia.

Below is a table with the characteristics of the different threats identified by SCILabs and aligned to the diamond model, whose overlaps with APT-C-36 are highlighted in red and with TA558 in green.


Adversary/Diamond Model   TA558 APT-C-36 Red Akodon


Dynamic domains for their command-and-control servers, primarily DuckDNS Yes Yes Yes
Dynamic domains for their command-and-control servers, primarily Kozow No Yes Yes
Legitimate Colombian government domains (accounts compromised or leaked in the black market or Dark Web), mainly No No Yes
File hosting services, mainly Drive No No Yes
File hosting services, mainly OneDrive No No Yes
Services used for malware delivery, mainly GitHub No No Yes
Telegram channel for obtaining/distributing malware No No Yes
Patterns in the domains of their command-and-control servers, mainly, gonzalez2024, melo2024, qpaisa2024, quepasa2024 No No Yes
Capabilities Distribution through phishing e-mails Yes Yes Yes
Use of Remote Access Trojans, among which we find RemcosRAT, QasarRAT, AsyncRAT y XWorm Yes Yes Yes
7ZIP and ZIP compression format Yes Yes Yes
Keyboard, mouse, and screen activity monitoring Yes Yes Yes
Installation of additional software, mainly remote administration software No No Yes
Exploitation of DLL-Hijacking, mainly in legitimate VMWare products No No Yes
Use of Neshta malware No No Yes
Use of scripting for first droppers (JS, VBS) Yes Yes No
Victim So far, only campaigns targeting Colombia have been identified No No Yes

Table 4. Overlaps between APT-C-36, TA558 and Red Akodon


As a result of the investigation, it can be observed that out of 17 characteristics attached to the diamond model, overlaps were found only in 6, of which 3 (ZIP and 7ZIP files, phishing emails, and dynamic domains) are usually used by different threats in the region, including banking Trojans, for instance. SCILabs can determine with a high level of confidence that this is a new threat actor.



SCILabs considers that the danger of Red Akodon lies in multiple factors, among which the following stand out:

  • Constant modification of its infrastructure, making it difficult for researchers to track the malware activity operated by this threat group.
  • Constant creation of malware repositories, which makes the task of obtaining samples, blocking indicators of compromise, etc. complicated.
  • The use of Trojans with public source code, which allows them to easily make modifications to their artifacts.
  • The use of multiple remote access Trojans could increase the effectiveness of one of their attacks by generating multiple infections at the same time.
  • The use of the DLL-Hijacking technique exploits vulnerable applications, making detection difficult for malware analysts and security solutions.
  • The use of Neshta malware to infect EXE files.
  • The use of legitimate hosting services.
  • Implementation of geofences, which ensure that their victim belongs to a specific region.


Having said the above and based on the capabilities set forth in this report, Red Akodon should be considered a potential threat to all companies and organizations, mainly in Colombia, although it is important to mention that as a consequence of the exponential increase in its activity and its rapid creation of a variety of campaigns it is highly likely to affect other countries in the LATAM region in the future.

SCILabs will continue to monitor the activity of this threat actor and provide IOCs accordingly to strengthen the security of our clients. Additionally, we make the following recommendations to avoid being victims or, where appropriate, to reduce the impact of a Red Akodon infection:

  • Block the IoCs mentioned in this document.
  • Conduct awareness campaigns on the techniques used by this threat actor.
  • Have strict policies regarding the use and installation of software on corporate computers, mainly utilities related to VMWare, exploited by Red Akodon.
  • For phishing emails, it is recommended:
    • Avoid opening emails from unknown senders.
    • Avoid opening suspicious links.
    • Avoid opening or downloading suspicious files.
  • Keep the operating systems and software of all devices on your network up to date.
  • Carry out correct implementation of policies for the creation and use of passwords.
  • Avoid storing passwords in browsers.
  • vestigate leaks of information, credentials and data related to your organization through intelligence services.
  • Have a correct implementation of In-Depth Security in all the organization’s systems.
  • If they are not essential for the organization’s operation, block free DNS services such as duckdns[.]org and kozow[.]com.
  • Perform threat hunting tasks looking for suspicious shortcuts, primarily in the Windows Start Menu directory.
  • Pay attention to alterations on your devices, for example, a double cursor, pop-up screens, among others.


Indicators of compromise

Below, with a HIGH level of confidence, are the indicators of compromise (IoCs) obtained from the analysis carried out by SCILabs.





Malware download URL

It is recommended to block the entire URL to avoid future false positives or operation failures. hxxps[:]//drive[.]google[.]com/file/d/1ygbbzsxnkoq4j5hqmndmzgjlgsqrrqh6/view?usp=drive_web