- Hackers use malicious SVG files to mimic Colombia’s judicial system
- Victims download fake ZIPs that install malware via a renamed browser and DLL
- Over 500 files found; likely spread through phishing, mostly targeting Colombians
Hackers are sharing malicious SVG files which spoof real-life websites in order to trick victims into downloading damaging items.
Cybersecurity researchers VirusTotal spotted the malware after adding support for SVG to their AI-powered Code Insight platform.
Scalable Vector Graphics (SVG) files are used to display images that stay sharp at any size. Since they’re based on XML, they can contain not just shapes but also scripts and embedded code, and attackers can exploit this by hiding malicious JavaScript or links inside an SVG. The file can then trigger drive-by downloads, phishing redirects, or script execution when opened in a browser.
500+ SVG files
In this campaign, SVG files opened with a browser rendered a credible-looking website of Colombia’s judicial system, also displaying a fake download progress bar. Once the “download” is completed, the users are prompted to save a password-protected ZIP archive to their computers.
The SVG files are most likely shared through phishing messages, spoofing a court order email or something similar.
“The fake portal is rendered exactly as described, simulating an official government document download process,” VirusTotal said in its report. “The phishing site includes case numbers, security tokens, and visual cues to build trust, all of it crafted within an SVG file.”
The downloaded ZIP archive reprotedly contained a legitimate executable from the Comodo Dragon web browser, renamed to seem as an official judicial document, a malicious DLL, and two encrypted files. If the victim runs the browser, it triggers the DLL, installing additional malware onto the system.
VirusTotal said that it now identified more than 500 SVG files that were part of the same campaign, but have flown under the radar of antivirus solutions and other endpoint protection platforms.
We don’t know a lot about the victims, other than they are most likely Colombian.
This isn’t the first time SVG files have been used to carry out phishing attacks – back in February 2025, experts warned of a rising number of incidents with .SVG files in attachments.
Via BleepingComputer
