惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
Check Point Blog
S
Schneier on Security
P
Privacy & Cybersecurity Law Blog
S
Security @ Cisco Blogs
W
WeLiveSecurity
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Microsoft Azure Blog
Microsoft Azure Blog
NISL@THU
NISL@THU
T
Troy Hunt's Blog
L
LangChain Blog
L
LINUX DO - 最新话题
T
The Exploit Database - CXSecurity.com
Engineering at Meta
Engineering at Meta
N
News and Events Feed by Topic
A
About on SuperTechFans
N
Netflix TechBlog - Medium
P
Proofpoint News Feed
MyScale Blog
MyScale Blog
Martin Fowler
Martin Fowler
Y
Y Combinator Blog
H
Heimdal Security Blog
aimingoo的专栏
aimingoo的专栏
T
Threat Research - Cisco Blogs
SecWiki News
SecWiki News
Microsoft Security Blog
Microsoft Security Blog
T
Tenable Blog
P
Proofpoint News Feed
H
Hacker News: Front Page
G
GRAHAM CLULEY
I
Intezer
V
V2EX
S
Secure Thoughts
Stack Overflow Blog
Stack Overflow Blog
H
Help Net Security
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
人人都是产品经理
人人都是产品经理
博客园 - 聂微东
Latest news
Latest news
Recent Announcements
Recent Announcements
Hugging Face - Blog
Hugging Face - Blog
腾讯CDC
博客园_首页
Webroot Blog
Webroot Blog
博客园 - 三生石上(FineUI控件)
AI
AI
N
News | PayPal Newsroom
Google DeepMind News
Google DeepMind News
Security Archives - TechRepublic
Security Archives - TechRepublic
B
Blog RSS Feed
美团技术团队

WeLiveSecurity

Supply chain dependencies: Have you checked your blind spot? Recovery scammers hit you when you’re down: Here’s how to avoid a ‘second strike’ As breakout time accelerates, prevention-first cybersecurity takes center stage Digital assets after death: Managing risks to your loved one’s digital estate This month in security with Tony Anscombe – March 2026 edition RSAC 2026 wrap-up – Week in security with Tony Anscombe A cunning predator: How Silver Fox preys on Japanese firms this tax season Virtual machines, virtually everywhere – but not all protected Cloud workload security: Mind the gaps Move fast and save things: A quick guide to recovering a hacked account EDR killers explained: Beyond the drivers Face value: What it takes to fool facial recognition Cyber fallout from the Iran war: What to have on your radar Sednit reloaded: Back in the trenches What cybersecurity actually does for your business How SMBs use threat research and MDR to build a defensive edge Protecting education: How MDR can tip the balance in favor of schools This month in security with Tony Anscombe – February 2026 edition Mobile app permissions (still) matter more than you may think Faking it on the phone: How to tell if a voice call is AI or not PromptSpy ushers in the era of Android threats using GenAI Is Poshmark safe? How to buy and sell without getting scammed Is it OK to let your children post selfies online? Naming and shaming: How ransomware groups tighten the screws on victims Taxing times: Top IRS scams to look out for in 2026 OfferUp scammers are out in force: Here’s what you should know A slippery slope: Beware of Winter Olympics scams and other cyberthreats This month in security with Tony Anscombe – January 2026 edition DynoWiper update: Technical analysis and attribution Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan Drowning in spam or scam emails lately? Here’s why ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 Children and chatbots: What parents should know Common Apple Pay scams, and how to stay safe Old habits die hard: 2025’s most common passwords were as predictable as ever Why LinkedIn is a hunting ground for threat actors – and how to protect yourself Is it time for internet services to adopt identity verification? Your information is on the dark web. What happens next? Credential stuffing: What it is and how to protect yourself This month in security with Tony Anscombe – December 2025 edition A brush with online fraud: What are brushing scams and how do I stay safe? Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan ESET Threat Report H2 2025 Black Hat Europe 2025: Was that device designed to be on the internet at all? Black Hat Europe 2025: Reputation is currency – even in the ransomware economy Locks, SOCs and a cat in a box: What Schrödinger can teach us about cybersecurity Seeking symmetry during ATT&CK® season: How to harness today’s diverse analyst and tester landscape to paint a security masterpiece The biggest catch: How whaling attacks target top executives Phishing, privileges and passwords: Why identity is critical to improving cybersecurity posture MuddyWater: Snakes by the riverbank Oversharing is not caring: What’s at stake if your employees post too much online This month in security with Tony Anscombe – November 2025 edition What parents should know to protect their children from doxxing Influencers in the crosshairs: How cybercriminals are targeting content creators MDR is the answer – now, what’s the question? The OSINT playbook: Find your weak spots before attackers do PlushDaemon compromises network devices for adversary-in-the-middle attacks What if your romantic AI chatbot can’t keep a secret? Can password managers get hacked? Here’s what to know Why shadow AI could be your biggest security blind spot In memoriam: David Harley The who, where, and how of APT attacks in Q2 2025–Q3 2025 ESET APT Activity Report Q2 2025–Q3 2025 Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming How social engineering really works | Unlocked 403 cybersecurity podcast (S2E6) Ground zero: 5 things to do after discovering a cyberattack This month in security with Tony Anscombe – October 2025 edition Fraud prevention: How to help older family members avoid scams Cybersecurity Awareness Month 2025: When seeing isn't believing Recruitment red flags: Can you spot a spy posing as a job seeker? How MDR can give MSPs the edge in a competitive market Cybersecurity Awareness Month 2025: Cyber risk thrives in the shadows Gotta fly: Lazarus targets the UAV sector SnakeStealer: How it preys on personal data – and how to stay safe Cybersecurity Awareness Month 2025: Building resilience against ransomware Minecraft mods: When ‘hacking’ your game becomes a security risk IT service desks: The security blind spot that may put your business at risk Cybersecurity Awareness Month 2025: Why software patching matters more than ever AI-aided malvertising: How chatbots can help spread scams How Uber seems to know where you are – even with restricted location permissions Cybersecurity Awareness Month 2025: Passwords alone are not enough The case for cybersecurity: Why successful businesses are built on protection Beware of threats lurking in booby-trapped PDF files Manufacturing under fire: Strengthening cyber-defenses amid surging threats New spyware campaigns target privacy-conscious Android users in the UAE Cybersecurity Awareness Month 2025: Knowledge is power This month in security with Tony Anscombe – September 2025 edition Roblox executors: It’s all fun and games until someone gets hacked DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception Gamaredon X Turla collab Small business, big risk: How SMBs can fight back against ransomware HybridPetya: A Petya/NotPetya copycat comes with a twist Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass Are cybercriminals hacking your systems – or just logging in? Preventing business disruption and building cyber-resilience with MDR Under lock and key: Safeguarding business data with encryption GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes This month in security with Tony Anscombe – August 2025 edition Don’t let “back to school” become “back to bullying”
Watch out for SVG files booby-trapped with malware
2025-09-22 · via WeLiveSecurity

Malware

What you see is not always what you get as cybercriminals increasingly weaponize SVG files as delivery vectors for stealthy malware

22 Sep 2025  •  , 4 min. read

Watch out for SVG files booby-trapped with malware

A recent malware campaign making the rounds in Latin America offers a stark example of how cybercriminals are evolving and finetuning their playbooks.

But first, here’s what’s not so new: The attacks rely on social engineering, with victims receiving emails that are dressed up to look as though they come from trusted institutions. The messages have an aura of urgency, warning their recipients about lawsuits or serving them court summons. This, of course, is a tried-and-tested tactic that aims to scare recipients into clicking on links or opening attachments without thinking twice.

The end goal of the multi-stage campaign is to install AsyncRAT, a remote access trojan (RAT) that, as also described by ESET researchers, lets attackers remotely monitor and control compromised devices. First spotted in 2019 and available in multiple variants, this RAT can log keystrokes, capture screenshots, hijack cameras and microphones, and steal login credentials stored in web browsers.

So far, so familiar. However, one thing that sets this campaign apart from most similar campaigns is the use of oversized SVG (Scalable Vector Graphics) files that contain “the full package”. This obviates the need for external connections to a remote C&C server as a way of sending commands to compromised devices or downloading additional malicious payloads. Attackers also appear to rely at least partly on artificial intelligence (AI) tools to help them generate customized files for every target.

SVGs as the delivery vector

Attacks involving booby-trapped images in general, such as JPG or PNG files, are nothing new, nor is this the first time SVG files specifically have been weaponized to deliver RATs and other malware. The technique, which is called “SVG smuggling”, was recently added to the MITRE ATT&CK database after being spotted in an increasing number of attacks.

But what makes SVG so appealing to attackers? SVGs are versatile, lightweight vector image files that are written in eXtensible Markup Language (XML) and are handy for storing text, shapes, and scalable graphics, hence their use in web and graphic design. The ability of SVG lures to carry scripts, embedded links and interactive elements makes them ripe for abuse, all while increasing the odds of evading detection by some traditional security tools.

This particular campaign, which primarily targeted Colombia, begins with a seemingly legitimate email message that includes an SVG attachment. Clicking on the file, which is typically more than 10 MB in size, doesn’t open a simple graphic, chart or illustration – instead, your web browser (where SVG files load by default) renders a portal impersonating Colombia’s judicial system. You even go on to witness a “workflow”, complete with fake verification pages and a progress bar.

XML.Dropper-colombia-malware6
Figure 1. The prompt to download a supposedly important court document

One such SVG file (SHA1: 0AA1D24F40EEC02B26A12FBE2250CAB1C9F7B958) is detected by ESET products as JS/TrojanDropper.Agent.PSJ. Upon clicking, it plays out a process, and moments later, your web browser downloads a password-protected ZIP archive (Figure 2)..

XML.Dropper-colombia-malware5
Figure 2. “Preparing” and “verifying” documents

The password to open the ZIP archive is conveniently displayed right below the “Download completed” message (Figure 3), perhaps to reinforce the illusion of authenticity. It contains an executable that, once run, moves the attack a step further in order to ultimately compromise the device with AsyncRAT.

XML.Dropper-colombia-malware4
Figure 3. Download completed

The campaign leverages a technique known as DLL sideloading, where a legitimate application is instructed to load a malicious payload, thus allowing the latter to blend in with normal system behavior, all in the hopes of evading detection.

Our detection telemetry (Figure 4) shows that these campaigns spiked mid-week throughout August, with Colombia hit the hardest. This pattern suggests that attackers are running this operation in a systematic manner.

XML.Dropper-colombia-malware3
Figure 4. Detection trend

Behind the dropper

Typical phishing and malware campaigns blast out the same attachment to countless inboxes. Here, each victim receives a different file. While they all borrow from the same playbook, every file is stuffed with randomized data, making every sample unique. This randomness, which probably involves using a kit that generates the files on demand, is also designed to complicate things for security products and defenders.

XML.Dropper-colombia-malware2
Figure 5. Sample XML file used in the campaign

As mentioned, the payload isn’t fetched from outside – instead, it’s embedded inside the XML itself and assembled “on the fly”. A look at the XML also reveals oddities, such as boilerplate text, blank fields, repetitive class names, and even some “verification hashes” that turn out to be invalid MD5 strings, suggesting that these could be LLM-generated outputs.

XML.Dropper-colombia-malware1
Figure 6. Template with elements typical of LLM-generated outputs
XML.Dropper-colombia-malware7
Figure 7. Another template with elements typical of LLM-generated outputs

Lessons learned

By packing it all into self-contained, innocuously-looking SVG files and possibly leveraging AI-generated templates, attackers seek to scale up their operations and raise the bar for deception.

The lesson here is straightforward: vigilance is key. Avoid clicking on unsolicited links and attachments, especially when the messages use urgent language. Also, treat SVG files with utmost suspicion; indeed, no actual government agency will send you an SVG file as an email attachment. Recognizing these basic warning signs could mean the difference between sidestepping the trap and handing attackers the keys to your device.

Of course, combine this vigilance with basic cybersecurity practices, such as using strong and unique passwords along with two-factor authentication (2FA) wherever available. Security software on all your devices is also a non-negotiable line of defense against all manner of cyberthreats.