- Hackers use malicious SVG files to imitate Colombia’s justice system
- Victims download fake ZIP archives that install malware via a renamed browser executable and a malicious DLL
- Over 500 files found; probably distributed by phishing, mainly targeting Colombians
Hackers are sharing malicious SVG files that mimic real websites to lure victims into downloading harmful payloads.
VirusTotal’s cybersecurity researchers identified the malware after adding SVG handling to their AI-powered Code Insight platform.
Scalable Vector Graphics (SVG) files are used to display images that remain sharp at any size. Because they are XML-based, they can contain not only shapes but also scripts and embedded code, and attackers exploit this by hiding malicious JavaScript or links inside an SVG. When opened in a browser, the file can then trigger drive-by downloads, phishing redirects or script execution.
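The mechanism described above is easy to check for on the defensive side: because an SVG is XML, a scanner can walk the tree and flag the elements and attributes that allow script execution or redirection (`<script>`, `<foreignObject>`, inline `on*` handlers, `javascript:`/`data:` URIs, and outbound links). The following scanner is an added example, not code from VirusTotal or from the article; the two sample documents and the `example.invalid` host are constructed for illustration and are not taken from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Elements that let an SVG carry executable or embedded non-image content.
SCRIPT_CAPABLE = {"script", "foreignObject", "iframe", "embed", "object"}
# Any on* attribute (onload, onclick, ...) is an inline event handler.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# href may appear plain (SVG 2) or namespaced (xlink:href).
HREF_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}


def local_name(qualified):
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(svg_text):
    """Return a list of (reason, detail) findings for one SVG document."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Malformed XML is itself suspicious for a file claiming to be an image.
        return [("unparseable XML", str(exc))]
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in SCRIPT_CAPABLE:
            findings.append(("script-capable element", name))
        for attr, value in elem.attrib.items():
            if EVENT_ATTR.match(local_name(attr)):
                findings.append(("inline event handler", f"{name}@{local_name(attr)}"))
            if attr in HREF_ATTRS:
                low = value.strip().lower()
                if low.startswith(("javascript:", "data:")):
                    findings.append(("script or data URI", value[:40]))
                elif low.startswith(("http://", "https://")):
                    findings.append(("external link", value))
    return findings


def verdict(svg_text):
    """'block' if anything can execute, 'review' for external links only, else 'allow'."""
    reasons = {reason for reason, _ in scan_svg(svg_text)}
    executable = {"script-capable element", "inline event handler",
                  "script or data URI", "unparseable XML"}
    if reasons & executable:
        return "block"
    if "external link" in reasons:
        return "review"
    return "allow"


# Constructed samples (not from the campaign): a plain icon and a lure-style SVG.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <rect width="300" height="20"/>
  <a xlink:href="https://example.invalid/descarga"><text>Descargar</text></a>
  <script>function init() { /* placeholder, no real logic */ }</script>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, verdict(doc), scan_svg(doc))
```

A mail gateway or upload filter can apply `verdict()` to `.svg` attachments before they reach a browser; the stdlib parser does not fetch external entities, so scanning is safe offline, but a production deployment would still prefer `defusedxml` for the parse step.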
500+ SVG files
In this campaign, the SVG files, when opened in a browser, render a convincing replica of the Colombian judicial system’s website, complete with a fake download progress bar. Once the “download” completes, users are prompted to save a password-protected ZIP archive to their computers.
The SVG files are most likely delivered via phishing messages spoofing a court notification email or something similar.
“The fake portal is built exactly as described, simulating an official process for downloading government documents,” VirusTotal said in its report. “The phishing site includes case numbers, security tokens and visual cues to reinforce trust, all built within a single SVG file.”
The downloaded ZIP archive contained a legitimate Comodo Dragon web browser executable, renamed to look like an official judicial document, a malicious DLL and two encrypted files. If the victim runs the browser, it loads the DLL, which then installs additional malware on the system.
VirusTotal said it has now identified more than 500 SVG files belonging to the same campaign, all of which slipped past antivirus solutions and other endpoint protection platforms.
Little is known about the victims, except that they are probably Colombians.
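The archive layout described above (a PE executable carrying a document-style name, a DLL beside it, and opaque encrypted blobs) can be triaged before extraction by comparing each entry’s magic bytes with its extension and noting which entries are encrypted and therefore uninspectable. This is an added example, not code from the article or from VirusTotal; the archive it builds, including the entry names, is constructed for illustration and contains no real executable.

```python
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".cpl"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE file


def extension_of(name):
    """Lower-cased extension of the last path component, or '' if none."""
    base = name.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""


def triage_zip(zip_bytes):
    """Return (reason, entry name) findings for an archive held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, ext = info.filename, extension_of(info.filename)
            if info.flag_bits & 0x1:
                # Traditional ZIP encryption: content cannot be checked without the password,
                # which is exactly the situation a password-protected lure archive creates.
                findings.append(("encrypted entry, content not inspectable", name))
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC and ext not in EXECUTABLE_EXTS:
                # Executable bytes under a non-executable name: the renamed-browser trick.
                findings.append(("PE executable with document-like name", name))
            elif head == PE_MAGIC and ext == ".dll":
                findings.append(("DLL bundled in archive", name))
    return findings


def build_sample_zip():
    """Constructed archive mimicking the described layout: renamed PE, DLL, opaque blobs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Hypothetical names; the bytes are just a PE magic followed by padding.
        zf.writestr("Resolucion_Judicial.pdf", PE_MAGIC + b"\x90\x00" * 30)
        zf.writestr("support.dll", PE_MAGIC + b"\x00" * 60)
        zf.writestr("data1.bin", b"\x1f\x8b" + b"\xaa" * 40)
        zf.writestr("data2.bin", b"\x00" * 40)
    return buf.getvalue()


if __name__ == "__main__":
    for reason, entry in triage_zip(build_sample_zip()):
        print(f"{reason}: {entry}")
```

Because `zipfile` can list entry names and flags without the password, a gateway can still flag an encrypted archive as uninspectable and route it for manual review rather than passing it through as a clean document.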
This is not the first time SVG files have been used in phishing attacks; in February 2025, experts warned of a growing number of incidents involving .SVG files as attachments.
Via BleepingComputer