Full Report
VirusTotal has discovered a phishing campaign hidden in SVG files that render convincing portals impersonating Colombia's judicial system and deliver malware. [...]
Analysis Summary
# Tool/Technique: SVG Phishing Campaign utilizing HTML/JavaScript Execution
## Overview
This is a malware phishing campaign, discovered by VirusTotal, that uses Scalable Vector Graphics (SVG) files to host deceptive content impersonating the judicial system of Colombia and ultimately leads the victim to download an archive whose contents sideload malware. The initial SVG was not flagged by traditional signature-based antivirus scanning.
## Technical Details
- Type: Attack Technique/Payload Delivery Mechanism
- Platform: Windows (inferred from DLL sideloading mechanism)
- Capabilities: Displaying HTML content within an SVG, executing JavaScript, rendering fake portals/progress bars, distributing password-protected archives containing malware payloads.
- First Seen: Early September 2025 (based on article date)
## MITRE ATT&CK Mapping
The observed stages are initial access, execution, and the execution-flow hijack used to load the payload:
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Delivered via deceptive document/file)
- **TA0002 - Execution**
- T1204 - User Execution
- T1204.002 - Malicious File
- T1574 - Hijack Execution Flow
- T1574.002 - DLL Side-Loading (T1574.003 is macOS Dylib Hijacking and does not apply here; since ATT&CK v17 side-loading is folded into T1574.001, "DLL")
## Functionality
### Core Capabilities
- **Deceptive Rendering:** Exploits the capability of SVG files to render HTML content using the `<foreignObject>` element and to execute JavaScript on load. Scripts run only when the SVG is opened as a document in its own right (for example, a downloaded attachment double-clicked and rendered by the browser); an SVG referenced from an HTML `<img>` element is rendered without script execution, which is why the file is delivered as an attachment rather than as an embedded image.
- **Social Engineering:** Creates convincing fake portals impersonating the Colombian judicial system, complete with case numbers and security tokens to build user trust.
- **Payload Delivery:** Triggers the download of a password-protected ZIP archive containing the malware components.
### Advanced Features
- **Evasion:** The initial SVG file was not flagged by traditional signature-based antivirus engines.
- **DLL Sideloading:** The delivered archive contains a legitimate but renamed executable (from the Comodo Dragon web browser) that, when run, loads a malicious DLL placed alongside it; the DLL carries out the rest of the installation.
## Indicators of Compromise
- File Hashes:
- Initial Malicious SVG (Example): `4521d694774940dfc545619fb48012ef46238156113f08314dbe33f81dfdb0ff`
- Malicious DLL (Example): `82b19747645326479e2068fe08d850e1696e021f39fdf1a71874fe91b71fbee5`
- File Names: not given in the summary (the report focuses on the SVG content and the archive contents).
- Registry Keys: Not specified in the context.
- Network Indicators: C2 or specific network activity not detailed in the summary, beyond the delivery method.
- Behavioral Indicators:
- Execution of JavaScript within an SVG context.
- A browser-rendered SVG prompting the user to download an archive (password-protected in this campaign).
- Sideloading of a malicious DLL by a legitimate application binary.
## Associated Threat Actors
- Not explicitly named, but associated with campaigns targeting entities related to the Colombian judicial system.
## Detection Methods
- **Signature-based detection:** The initial SVG was not flagged by traditional antivirus engines.
- **Content and behavioral inspection:** The key signal is active content where none is expected: `<script>` elements, `on*` event-handler attributes, `javascript:` URLs and `<foreignObject>` HTML inside a file that presents itself as an image, followed by a browser-initiated archive download.
- **YARA rules:** Not mentioned in the report, but rules could match the combination of SVG markup with script tags, Blob/`atob` download code, or the strings of the fake portal.
- **AI/ML analysis:** VirusTotal's Code Insight (LLM-based code analysis) identified the malicious JavaScript embedded in the SVG structure.
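As an added example (not VirusTotal's tooling, and not the campaign's actual file), the following Python script shows both what the Functionality section describes and what the detection methods above look for. It embeds a constructed SVG that wraps an HTML "portal" in `<foreignObject>` and uses an `onload` handler plus inline script to force a Blob download, and a static triage function that parses an SVG with the standard library and flags `<script>`, `<foreignObject>`, `on*` attributes, `javascript:` URLs and the download primitives. The sample's base64 payload is a few placeholder bytes rather than an archive; the portal strings, file names and pattern labels are assumptions.

```python
"""Static triage of SVG files for smuggled HTML/JavaScript.

Added example for this summary. It is not VirusTotal's tooling and the SVG
below is constructed, not the campaign's file: it reproduces the shape the
summary describes (an HTML "portal" inside <foreignObject>, inline script,
a forced Blob download) with a few placeholder bytes instead of an archive.
"""
import re
from xml.etree import ElementTree as ET

# Constructed decoy. The base64 string is placeholder bytes, not a real ZIP.
SAMPLE_SVG = """<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="800" height="600" onload="run()">
  <foreignObject width="100%" height="100%">
    <div xmlns="http://www.w3.org/1999/xhtml">
      <h1>Consulta de procesos</h1>
      <p>Radicado: 00000-0000 / Token de seguridad: XXXX-XXXX</p>
      <div id="bar">Descargando expediente...</div>
    </div>
  </foreignObject>
  <script><![CDATA[
    function run() {
      var b64 = "UEsDBBQAAAAIAA==";
      var bytes = Uint8Array.from(atob(b64), function (c) { return c.charCodeAt(0); });
      var blob = new Blob([bytes], { type: "application/zip" });
      var a = document.createElement("a");
      a.href = URL.createObjectURL(blob);
      a.download = "expediente.zip";
      document.documentElement.appendChild(a);
      a.click();
    }
  ]]></script>
</svg>
"""

# A plain image for comparison: no script, no HTML.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="#0a0"/>
</svg>
"""

# Labels are our own; they name the JavaScript primitives a smuggling
# script needs, not vendor signatures.
SCRIPT_PATTERNS = {
    "blob_download": re.compile(r"new\s+Blob\s*\(|URL\.createObjectURL"),
    "base64_decode": re.compile(r"\batob\s*\("),
    "forced_click": re.compile(r"\.download\s*=|\.click\s*\("),
    "redirect": re.compile(r"\blocation(?:\.href)?\s*=|window\.open\s*\("),
}


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attribute names."""
    return name.rsplit("}", 1)[-1]


def analyze_svg(data: bytes) -> dict:
    """Count active-content features in an SVG and attach a verdict."""
    root = ET.fromstring(data)
    f = {"script": 0, "foreignObject": 0, "event_handlers": 0,
         "javascript_urls": 0, "patterns": set()}
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            f["script"] += 1
            for label, pat in SCRIPT_PATTERNS.items():
                if pat.search(el.text or ""):
                    f["patterns"].add(label)
        elif tag == "foreignObject":
            f["foreignObject"] += 1
        for attr, value in el.attrib.items():
            if _local(attr).lower().startswith("on"):      # onload, onclick, ...
                f["event_handlers"] += 1
            if value.strip().lower().startswith("javascript:"):
                f["javascript_urls"] += 1
    f["patterns"] = sorted(f["patterns"])
    # HTML inside the image plus a script that builds and clicks a download
    # link is the smuggling shape; any script at all in an "image" is worth a look.
    if (f["script"] and f["foreignObject"]
            and {"blob_download", "forced_click"} <= set(f["patterns"])):
        f["verdict"] = "likely-smuggling"
    elif f["script"] or f["event_handlers"] or f["javascript_urls"]:
        f["verdict"] = "active-content"
    else:
        f["verdict"] = "static-image"
    return f


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_SVG), ("benign", BENIGN_SVG)):
        print(name, analyze_svg(doc.encode("utf-8")))
```

The parser is deliberately namespace-agnostic (it strips the `{uri}` prefix) because attackers can declare the SVG and XHTML namespaces under arbitrary prefixes; matching on the local name keeps the check stable. A real gateway rule would also run the same checks on the decompressed content of SVGZ files.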
## Mitigation Strategies
- **User Training:** Warn users that image files, SVG in particular, can carry scripts and push downloads; a "document" that opens in the browser and immediately offers an archive is a red flag.
- **File Filtering:** Block or quarantine SVG attachments at the mail gateway where the business does not need them, and sandbox or hold password-protected archives from untrusted sources, since their contents cannot be scanned in transit.
- **Application Control:** Prevent side-loading by restricting where unsigned DLLs may load from (for example, WDAC or AppLocker DLL rules) and by blocking execution of unsigned or renamed binaries from user-writable directories.
- **Endpoint Detection and Response (EDR):** Alert on a signed executable running from Downloads, Temp or AppData that loads an unsigned DLL from its own directory, and on a browser writing an archive immediately after rendering a local SVG.
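As an added example (not from the report), the following Python heuristic runs over image-load telemetry in the shape of Sysmon Event ID 7 fields (`Image`, `ImageLoaded`, `Signed`, `SignatureStatus`, `OriginalFileName`) and flags the side-loading pattern the EDR bullet describes: an unsigned DLL loaded from the directory of a process that itself runs from a user-writable path, with a note when the host binary appears to have been renamed. The event records, paths and names are constructed.

```python
"""Heuristic DLL side-loading detection over image-load events.

Added example, not from the report. Events are constructed in the shape of
Sysmon Event ID 7 (ImageLoaded) records; the paths and names are invented.
"""
import ntpath

# Directories an unprivileged user can write to; a side-loaded DLL has to
# sit beside the executable, so both will usually be under one of these.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed telemetry: one renamed signed browser binary loading an unsigned
# DLL from its own folder in Downloads, plus three benign-looking loads.
EVENTS = [
    {"Image": r"C:\Users\ana\Downloads\Radicado\Consulta.exe",
     "OriginalFileName": "LegitBrowser.exe",
     "ImageLoaded": r"C:\Users\ana\Downloads\Radicado\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\ana\Downloads\Radicado\Consulta.exe",
     "OriginalFileName": "LegitBrowser.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "OriginalFileName": "app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\ana\AppData\Local\Tool\tool.exe",
     "OriginalFileName": "tool.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Tool\vendor.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def _under_user_writable(path: str) -> bool:
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)


def sideload_candidates(events):
    """Return one finding per event that matches the side-loading shape."""
    hits = []
    for e in events:
        proc_dir = ntpath.dirname(e["Image"]).lower()
        dll_dir = ntpath.dirname(e["ImageLoaded"]).lower()
        # Side-loading needs the DLL next to the binary (ahead of System32 in
        # the search order); loads from system directories are not interesting here.
        if proc_dir != dll_dir:
            continue
        dll_signed = (e.get("Signed", "").lower() == "true"
                      and e.get("SignatureStatus") == "Valid")
        if dll_signed:
            continue
        if not _under_user_writable(proc_dir):
            continue
        reasons = ["unsigned DLL loaded from the process's own directory",
                   "process runs from a user-writable path"]
        # Sysmon records the PE's original name; a mismatch means the binary
        # was renamed, which is what a decoy-named side-load host looks like.
        orig = e.get("OriginalFileName", "")
        if orig and orig.lower() != ntpath.basename(e["Image"]).lower():
            reasons.append(f"binary renamed (OriginalFileName={orig})")
        hits.append({"process": e["Image"], "dll": e["ImageLoaded"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in sideload_candidates(EVENTS):
        print(h["process"], "->", h["dll"])
        for r in h["reasons"]:
            print("   ", r)
```

The same three conditions map directly onto a SIEM rule; the renamed-binary check is the one most worth keeping strict, since a signed third-party executable running under a decoy name from Downloads has almost no legitimate explanation.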
## Related Tools/Techniques
- Use of a legitimate, signed third-party executable (the Comodo browser binary) as a host for malicious code. This is abuse of a signed binary plus masquerading (T1036 Masquerading) rather than LOLBAS in the strict sense, which covers binaries and scripts that ship with the operating system.
- HTML smuggling (T1027.006), of which an SVG carrying `<foreignObject>` HTML and script is a variant: the active content and the download trigger travel inside a file type that gateways treat as an inert image, so the browser on the endpoint produces the archive. Whether the ZIP is assembled client-side or fetched from a remote host is not stated in the summary.