A new scheme for distributing malicious code disguised as .svg images has been discovered on dozens of foreign adult content sites. As Malwarebytes experts discovered , attackers embed obfuscated JavaScript code in such files, which, when clicked, launch a hidden chain of scripts that ends with the download of Trojan.JS.Likejack.
This malware silently clicks the “Like” button on a predefined Facebook post if the victim has an active Facebook account at the time. This way, pages with explicit content gain greater visibility and visibility thanks to compromised browsers.
SVG (Scalable Vector Graphics) differs from the usual .jpg and .png formats in that it stores data as XML text. This allows the image to be resized without losing quality, but also allows HTML and JavaScript to be embedded within it. This feature has long attracted attackers, as it opens the way for XSS, HTML injection, and DoS attacks. In this case, the authors of the malicious files used a modified JSFuck technique, which encodes JavaScript into a character set, making it difficult to analyze.
After the initial decoding, the script loads new code fragments, which are also hidden from analysis. The final stage of the attack is forced interaction with Facebook elements, which violates the platform’s rules. Facebook blocks such accounts, but the authors of the scheme quickly return with new profiles.
Similar techniques have been observed before. In 2023, hackers used the .svg tag to exploit an XSS vulnerability in the Roundcube web client, and in June 2025, researchers recorded phishing attacks with a fake Microsoft login window, also opened by an SVG file.
Malwarebytes now links the identified cases to dozens of WordPress sites that distribute malicious content in a similar manner.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
