VirusTotal has uncovered a phishing campaign that uses SVG image files to deliver malware by impersonating Colombia’s judicial system.
The discovery came after VirusTotal added SVG support to its AI Code Insight feature, which uses machine learning to analyze uploaded files and summarize suspicious behavior.
One of the malicious SVG files initially showed zero detections by antivirus software, but AI Code Insight flagged it for using JavaScript and HTML to display a fake government portal. The portal simulated an official case document download process, showing security tokens and case numbers to appear legitimate.

Victims were tricked into downloading a password-protected ZIP archive that contained:
- A legitimate Comodo Dragon browser executable, renamed to look like a judicial document.
- A malicious DLL used for malware sideloading.
- Two encrypted files.
When the executable is opened, the DLL triggers the installation of additional malware.
VirusTotal later found 523 related SVG files that had previously gone undetected, highlighting how attackers are abusing SVGs, which can embed JavaScript and HTML through the <foreignObject> element.
VirusTotal says its AI detection was crucial in exposing this campaign:
“It’s not magic, and it won’t replace expert analysis, but it’s one more tool to cut through the noise and get to the point faster.”





