SVG files used for phishing attacks

05.09.2025 2 minutes Author: Newsman

VirusTotal researchers have discovered a new campaign in which attackers use SVG files to spread malicious pages that mimic the portal of the Colombian Attorney General’s Office. The attack is unique in that the files remain undetected by antivirus software thanks to obfuscation and polymorphism.

The attackers sent emails with embedded SVG files that contained JavaScript code. When a file was opened, the script decoded a Base64-encoded HTML payload, which loaded a fake “official document” page with a fake progress bar. At the same time, a ZIP archive with unknown content was downloaded in the background. VirusTotal found at least 44 unique SVG files, and a total of more than 523 samples in the wild since August 2025.

The campaign coincided with other attacks in which cybercriminals promoted infostealers for macOS, in particular Atomic macOS Stealer (AMOS). The malware was disguised as hacked software and relied on the ClickFix technique, which tricks users into running malicious commands via Terminal. Such tools steal crypto wallets, passwords, browser data, VPN profiles, and even notes from Apple Notes.

The incident with SVG files demonstrates that even seemingly safe formats can become weapons in the hands of cybercriminals. The combination of new techniques with classic malware schemes shows how phishing is evolving to bypass antivirus software and exploit human trust. This is a signal for companies to strengthen multi-layered protection, and for users not to open suspicious attachments, even in “harmless” formats.
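
A mail-gateway check for the SVG technique described above, as an added example that is not from VirusTotal or the original article: it flags attachments that carry script, event handlers or embedded HTML, which a static image does not need. The pattern set, the finding labels and both sample files are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Script-text indicators for the behaviour described above (assumed pattern set).
SCRIPT_PATTERNS = {
    "base64-decode": re.compile(r"\batob\s*\("),
    "document-rewrite": re.compile(r"document\.(write|open)\s*\(|\.innerHTML\s*="),
    "long-base64-blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}
# Constructed samples, not campaign files: a static logo and a file with active content.
BENIGN = '<svg xmlns="http://www.w3.org/2000/svg"><title>Logo</title><circle r="4"/></svg>'
ACTIVE = ('<svg xmlns="http://www.w3.org/2000/svg" onload="init()"><script><![CDATA['
          'document.write(atob("Q09OU1RSVUNURUQ="));]]></script></svg>')

class SvgScanner(HTMLParser):
    """Tolerant tag-level scan, so malformed or obfuscated markup is still read."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = set()
        self.in_script = False

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag == "script":
            self.findings.add("script-element")
            self.in_script = True
        elif tag in ("foreignobject", "iframe", "embed", "object"):
            self.findings.add("embedded-html:" + tag)
        for name, value in attrs:
            if name.startswith("on"):  # onload, onclick, ...
                self.findings.add("event-handler:" + name)
                self.scan_script(value or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scan_script(data)

    def scan_script(self, text):
        self.findings.update(k for k, p in SCRIPT_PATTERNS.items() if p.search(text))

def scan_svg(text):
    scanner = SvgScanner()
    scanner.feed(text)
    scanner.close()
    return sorted(scanner.findings)  # empty list: no active content found
```

Because the samples in the campaign are polymorphic, the check keys on structure (any script or handler at all) rather than on file hashes or exact strings; any non-empty result is a reason to quarantine or rasterize the attachment.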
