
Sophisticated Malware Campaign Hides in SVG Files to Evade Detection

Attackers cleverly hid malware in SVG files. Traditional antivirus missed it, but advanced analysis tools helped researchers uncover the sophisticated campaign.



Security researchers have uncovered a sophisticated malware campaign that hid malicious JavaScript within SVG files to evade traditional antivirus detection. The campaign, discovered by VirusTotal, impersonated Colombian authorities and aimed to spread malware and phish victims.

Attackers employed various tactics to bypass security measures. They used obfuscation, polymorphism, and dummy code in their SVG files, making them difficult to detect. However, they left identifiable comments, which helped researchers uncover their activities. The campaign involved deploying fake login pages to trick users into entering sensitive information.

One SVG file evaded all antivirus engines but was eventually caught by deeper analysis using Code Insight, which added SVG support and led to the discovery of 44 malicious SVGs. In one instance, an undetected SVG served as both a phishing lure and a malware dropper, delivering a malicious ZIP file. The payloads in the campaign evolved over time, becoming lighter and more email-based. Using a simple YARA rule, researchers identified 523 samples dating back to August 2025.

The SVG-based malware campaign highlights the importance of continuous vigilance and the need for advanced detection methods. While traditional antivirus engines may not catch all threats, deeper analysis and tools like Code Insight can help uncover sophisticated attacks. The specific person or group behind the campaign remains unidentified.
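The traits described above (JavaScript hidden inside SVG markup) can be triaged without a signature for any one sample. The script below is an added example, not VirusTotal's code or YARA rule: it flags `<script>` elements, `on*` event-handler attributes, `javascript:` URIs, `foreignObject` wrappers and long base64-like blobs, and treats unparseable markup as a signal rather than a reason to give up. The sample SVGs are constructed for the demonstration.

```python
"""Triage SVG files for embedded JavaScript (added example, not VirusTotal's code)."""
import re
import xml.etree.ElementTree as ET

# A run of 200+ base64 characters is unusual in hand-written vector art
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def scan_svg(svg_text: str) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]}; an empty list means nothing was flagged."""
    reasons = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        # Malformed markup still renders in browsers, so fall back to a text search
        reasons.append("unparseable XML")
        if re.search(r"<script\b", svg_text, re.I):
            reasons.append("script element")
        root = None
    if root is not None:
        for elem in root.iter():
            tag = elem.tag.split("}")[-1].lower()  # strip the namespace prefix
            if tag == "script":
                reasons.append("script element")
            if tag == "foreignobject":
                reasons.append("foreignObject (can embed HTML)")
            for attr, value in elem.attrib.items():
                name = attr.split("}")[-1].lower()
                if name.startswith("on"):
                    reasons.append(f"event handler attribute {name}")
                if value.strip().lower().startswith("javascript:"):
                    reasons.append(f"javascript: URI in {name}")
    if BASE64_RUN.search(svg_text):
        reasons.append("long base64-like blob")
    return {"suspicious": bool(reasons), "reasons": sorted(set(reasons))}


# Constructed samples: one benign icon, one carrying the traits the campaign used
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SUSPICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
    "<!-- decoy comment left by the author -->"
    '<script>console.log("constructed sample");</script></svg>'
)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, scan_svg(doc))
```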
