Hackers Using SVG Files to Deliver Malicious Payloads
A recent malware campaign making the rounds in Latin America offers a stark example of how cybercriminals are evolving and fine-tuning their playbooks.
Victims receive emails dressed up to look as though they come from trusted institutions, warning of lawsuits or court summons.
This tried-and-tested social-engineering tactic exploits urgency to trick recipients into clicking links or opening attachments without thinking twice.
Once the door is opened, however, attackers unveil a novel twist: oversized SVG (Scalable Vector Graphics) files carrying the entire malicious payload, including a remote-access trojan (RAT), without requiring any external connections.
Traditionally, phishing campaigns deliver droppers that fetch payloads from a remote command-and-control (C&C) server.
Here, attackers bypass that step entirely by embedding AsyncRAT—first spotted in 2019 and now available in multiple variants—directly inside the SVG’s XML code.
AsyncRAT can log keystrokes, capture screenshots, hijack cameras and microphones, and steal browser-stored credentials. By packing the full package into a single file, criminals sidestep network-based detections and complicate defender workflows.
SVG files are an attractive weaponization target due to their versatility and inherent trust. Written in XML, they natively support scripts, embedded links and even interactive elements.
Security tools often treat SVGs as benign graphic assets, further lowering defenders’ guard. This technique, known as “SVG smuggling,” was recently added to the MITRE ATT&CK framework under obfuscation technique T1027.017 after an uptick in global campaigns targeting financial institutions and government agencies.
How the Campaign Unfolds
This Latin American campaign primarily targets Colombia with highly localized decoys. Victims receive an email purporting to be from the judicial system, complete with court seals and legal jargon.
An SVG attachment—typically over 10 MB—does not render a static image but instead loads in the web browser as an interactive portal. Users see fake verification pages and progress bars that mimic official workflows.

One sample SVG (SHA1: 0AA1D24F40EEC02B26A12FBE2250CAB1C9F7B958) is detected by ESET as JS/TrojanDropper.Agent.PSJ.
When the embedded script executes, it triggers the download of a password-protected ZIP archive. The password is displayed immediately below the “Download completed” message, reinforcing the illusion of legitimacy.
Inside the archive lies an executable that leverages DLL sideloading—a technique where a legitimate application is coerced into loading a malicious library—to install AsyncRAT and establish persistent access.
Detection telemetry shows that infections spiked mid-week throughout August, with Colombia bearing the brunt of the activity.

Each victim receives a unique SVG containing randomized XML boilerplate, invalid “verification hashes” and repetitive class names—signs that artificial-intelligence tools may have generated the templates on the fly.

This randomness, probably produced by a kit that generates the files on demand, is also designed to complicate matching for security products and defenders.
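The traits described above (an SVG that carries inline script, runs it on load, and packs a large base64 blob inside the XML) can be checked for at the mail gateway or in a triage script. The scanner below is an added example written for this article, not code from ESET or the campaign; the size threshold, the attribute list and the sample SVG are all constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Event-handler attributes that let an SVG run script as soon as a browser renders it.
EVENT_ATTRS = {"onload", "onclick", "onmouseover", "onerror", "onbegin"}
# A run of base64-looking text long enough to be an embedded archive or script.
BLOB_RE = re.compile(rb"[A-Za-z0-9+/=]{512,}")
# Assumed threshold: a vector graphic rarely needs more than 1 MiB; the article's samples exceed 10 MB.
SIZE_THRESHOLD = 1024 * 1024


def _local(name):
    """Strip the XML namespace from a tag or attribute name: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data, size_threshold=SIZE_THRESHOLD):
    """Return the SVG-smuggling indicators found in one file as a dict of findings."""
    findings = {
        "size_bytes": len(data),
        "oversized": len(data) > size_threshold,
        "script_elements": 0,   # inline <script> blocks
        "event_handlers": [],   # element@attribute pairs that execute script
        "data_uris": 0,         # href/xlink:href pointing at an embedded data: URI
        "base64_blobs": len(BLOB_RE.findall(data)),
    }
    for el in ET.fromstring(data).iter():
        tag = _local(el.tag)
        if tag == "script":
            findings["script_elements"] += 1
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name in EVENT_ATTRS:
                findings["event_handlers"].append(f"{tag}@{name}")
            if name == "href" and value.strip().lower().startswith("data:"):
                findings["data_uris"] += 1
    findings["suspicious"] = bool(
        findings["script_elements"] or findings["event_handlers"]
        or findings["data_uris"] or findings["base64_blobs"]
    )
    return findings


# Constructed sample imitating the pattern: script run on load, filler class names, a
# base64 blob staged inside CDATA. It is not a real malware sample.
SAMPLE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
    b'<rect class="verify-ok-3 verify-ok-3" width="10" height="10"/>'
    b'<script type="text/javascript"><![CDATA[var p="' + b"QUJD" * 200 + b'";function init(){}]]></script>'
    b"</svg>"
)

if __name__ == "__main__":
    print(scan_svg(SAMPLE_SVG))
```

A file that trips any indicator should be quarantined for analyst review rather than rendered; a benign SVG made only of shapes and paths produces no findings.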
Lessons Learned and Best Practices
This campaign underscores the importance of vigilance in the face of evolving phishing tactics.
The unexpected use of SVG files as self-contained droppers raises the bar for deception and demands that defenders treat all attachments with suspicion—especially when messages employ urgent language or claim to originate from government bodies. No legitimate agency would distribute court documents as an SVG file.
To reduce risk:
- Verify the sender’s email address and domain before opening attachments.
- Hover over links to confirm they point to legitimate websites.
- Maintain updated endpoint protection capable of inspecting XML-based assets.
- Employ strong, unique passwords and enable two-factor authentication (2FA).
- Keep operating systems and applications patched to mitigate DLL sideloading vulnerabilities.
As attackers continue to weaponize everyday file formats, a combination of user awareness, rigorous email hygiene and robust security controls remains the best defense against stealthy, self-contained malware campaigns.