Hackers are sneaking malware into SVG images to bypass antivirus - here's what we know
More than 500 malicious SVG files were discovered hiding malware

- Hackers use malicious SVG files to mimic Colombia’s judicial system
- Victims download fake ZIPs that install malware via a renamed browser and DLL
- Over 500 files found; likely spread through phishing, mostly targeting Colombians
Hackers are sharing malicious SVG files which spoof real-life websites in order to trick victims into downloading damaging items.
Cybersecurity researchers at VirusTotal spotted the malware after adding SVG support to their AI-powered Code Insight platform.
Scalable Vector Graphics (SVG) files are used to display images that stay sharp at any size. Since they’re based on XML, they can contain not just shapes but also scripts and embedded code, and attackers can exploit this by hiding malicious JavaScript or links inside an SVG. The file can then trigger drive-by downloads, phishing redirects, or script execution when opened in a browser.
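As an added illustration (not code from VirusTotal or the original article), this Python triage check parses an SVG attachment and reports the active-content constructs described above: script-capable elements, inline event handlers, and script or non-image data links. The tag list, URI pattern and finding labels are assumptions made for this example, and both sample SVGs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumed for this example: elements that can carry script or embedded HTML.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Assumed for this example: link targets that run script or carry a non-image payload.
RISKY_URI = re.compile(r"^\s*(javascript:|data:(?!image/))", re.I)

# Constructed sample inputs (not taken from the campaign).
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SUSPECT = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    b'<script>/* constructed placeholder */</script>'
    b'<a xlink:href="javascript:void(0)"><text>Download</text></a></svg>'
)

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on names."""
    return name.rsplit("}", 1)[-1]

def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings for active content in an SVG document."""
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        # Do not parse: sidesteps entity-expansion tricks in untrusted XML.
        # Older legitimate SVGs carry a DOCTYPE, so this means "review by hand".
        return ["doctype-or-entity"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["malformed-xml"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"element:{tag}")
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.lower().startswith("on"):      # onload, onclick, ...
                findings.append(f"handler:{tag}@{name}")
            elif name == "href" and RISKY_URI.match(value):
                findings.append(f"uri:{tag}@{name}")
    return findings

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_svg(sample))
```

An empty result only means none of these constructs were found; a mail gateway would more typically quarantine or rasterize any SVG attachment that returns findings rather than try to clean it.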
500+ SVG files
In this campaign, SVG files opened with a browser rendered a credible-looking website of Colombia's judicial system, also displaying a fake download progress bar. Once the “download” is completed, the users are prompted to save a password-protected ZIP archive to their computers.
The SVG files are most likely shared through phishing messages, spoofing a court order email or something similar.
"The fake portal is rendered exactly as described, simulating an official government document download process," VirusTotal said in its report. "The phishing site includes case numbers, security tokens, and visual cues to build trust, all of it crafted within an SVG file."
The downloaded ZIP archive reportedly contained a legitimate executable from the Comodo Dragon web browser, renamed to look like an official judicial document, along with a malicious DLL and two encrypted files. If the victim runs the browser, it triggers the DLL, installing additional malware onto the system.
VirusTotal said it has now identified more than 500 SVG files that were part of the same campaign but had flown under the radar of antivirus solutions and other endpoint protection platforms.
We don’t know a lot about the victims, other than they are most likely Colombian.
This isn't the first time SVG files have been used to carry out phishing attacks - back in February 2025, experts warned of a rising number of incidents with .SVG files in attachments.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.