A sophisticated malware campaign is targeting Colombian institutions through an unexpected vector: weaponized SWF and SVG files that successfully evade traditional antivirus detection.
The discovery emerged through VirusTotal's newly enhanced Code Insight platform, which added support for analyzing these vector-based file formats just as attackers began exploiting them to impersonate the Colombian justice system.
Despite Adobe officially discontinuing Flash in 2020 and browsers ending support shortly after, SWF files continue to surface in malware campaigns.
VirusTotal processed 47,812 unique SWF files in the past month alone, with 466 flagged as malicious by at least one antivirus engine.
This persistence demonstrates how cybercriminals leverage forgotten technologies to their advantage, banking on reduced security focus for deprecated formats.
The technical complexity of analyzing SWF files presents significant challenges for security researchers. These binary, compiled files require sophisticated unpacking processes to extract meaningful intelligence.
Security platforms must decompress containers using zlib or LZMA compression, parse internal tag structures, and extract embedded ActionScript code before analysis can begin.
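As an added example (not VirusTotal's code), a small Python parser for the SWF container just described: it recognises the FWS/CWS/ZWS signatures, decompresses a zlib or LZMA body, walks the tag records and reports the tags that embed ActionScript. The SWF used here is constructed by `build_sample_swf`; its DoABC payload is placeholder bytes, not real bytecode.

```python
import struct
import zlib
import lzma

# SWF tag codes that carry ActionScript (from the SWF file format specification).
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}

def unpack_swf(data: bytes) -> bytes:
    """Strip the 8-byte header and return the uncompressed SWF body."""
    sig, total_len = data[:3], struct.unpack("<I", data[4:8])[0]
    body = data[8:]
    if sig == b"FWS":                     # uncompressed
        return body
    if sig == b"CWS":                     # zlib-compressed body
        return zlib.decompress(body)
    if sig == b"ZWS":                     # LZMA: 4-byte compressed size, 5-byte props, raw stream
        alone = body[4:9] + struct.pack("<Q", total_len - 8) + body[9:]
        return lzma.decompress(alone, format=lzma.FORMAT_ALONE)
    raise ValueError("not an SWF container")

def iter_tags(body: bytes):
    """Yield (tag_code, tag_bytes) after the frame-size RECT, frame rate and frame count."""
    nbits = body[0] >> 3                  # RECT stores its field width in the top 5 bits
    pos = (5 + 4 * nbits + 7) // 8 + 4    # RECT bytes, then 2-byte rate and 2-byte count
    while pos + 2 <= len(body):
        header = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = header >> 6, header & 0x3F
        if length == 0x3F:                # long form: 32-bit length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                     # End tag
            break

def find_actionscript(data: bytes) -> list:
    """Return [(tag_name, payload_size)] for every tag that embeds ActionScript."""
    return [(SCRIPT_TAGS[code], len(tag))
            for code, tag in iter_tags(unpack_swf(data)) if code in SCRIPT_TAGS]

def build_sample_swf(compress: bool = True) -> bytes:
    """Constructed minimal SWF: empty RECT, one DoABC tag with placeholder bytes, End tag."""
    abc = b"\x00\x00\x00\x00placeholder-abc"   # not real ABC bytecode, just a payload to find
    tags = struct.pack("<H", (82 << 6) | 0x3F) + struct.pack("<I", len(abc)) + abc
    tags += struct.pack("<H", 0)                # End tag
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + tags
    sig = b"CWS" if compress else b"FWS"
    return sig + bytes([10]) + struct.pack("<I", 8 + len(body)) + (zlib.compress(body) if compress else body)
```

Running `find_actionscript(build_sample_swf())` reports the DoABC tag and its 19-byte payload, whether the container is zlib-compressed or not.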
SVG: The Modern Attack Vector
While SWF represents attacks using obsolete technology, SVG files present a more contemporary threat.
As an active web standard, SVG files appear legitimate and rarely trigger security suspicions. VirusTotal received 140,803 unique SVG files last month, with 1,442 exhibiting malicious behavior, maintaining the same approximate 1% detection rate as SWF files.
The XML-based nature of SVG files makes them particularly attractive to attackers. Malicious code can be embedded through JavaScript in script tags, event handlers, or obfuscated within CDATA sections and base64 payloads.
Because SVG content appears as plain text, distinguishing malicious logic from legitimate graphics code requires sophisticated analysis capabilities.
The most alarming discovery involves a coordinated phishing campaign specifically targeting Colombian citizens through fake government portals.
The malicious SVG executes a multi-stage attack upon rendering. First, it decodes and injects a base64-encoded HTML phishing page that convincingly replicates the government portal.
While victims interact with the fake interface, believing they are downloading legitimate legal documents, the malware simultaneously decodes a second payload, a malicious ZIP archive that downloads automatically in the background.
With VirusTotal Intelligence, we can search through our massive sample collection using hundreds of parameters, including queries that look inside Code Insight reports.

Investigation revealed this wasn't an isolated incident. Using advanced search capabilities, researchers discovered 44 additional unique SVG files, all undetected by traditional antivirus solutions but identified through behavioral analysis.
The campaign showed clear signs of sophistication, including code obfuscation, polymorphic variations, and substantial amounts of dummy code designed to increase file entropy and evade static detection methods.
Technical Evasion Tactics
The attackers demonstrated an advanced understanding of security detection mechanisms. Each malicious file contained slightly different code structures while maintaining core functionality, a technique known as polymorphism that defeats signature-based detection.
Sorting by submission time, the first sample dates back to August 14, 2025, also submitted from Colombia, and also with 0 antivirus detections at the time.

Security researchers identified an undetected SVG file that perfectly mimicked the Colombian Fiscalía General de la Nación (Attorney General's Office), complete with authentic-looking case numbers, security tokens, and official branding.
Spanish-language comments found in the source code, including phrases like "POLIFORMISMO_MASIVO_SEGURO" (massive secure polymorphism), provided insights into the attackers' methodology and ultimately became detection signatures.
Despite these sophisticated evasion techniques, the malware authors made critical operational security mistakes.
Consistent comment patterns across all samples enabled researchers to develop detection rules that identified 523 related files spanning nearly a year of activity.
The earliest samples, dating to August 2025, were significantly larger at roughly 25MB, suggesting ongoing payload refinement and optimization.
Analysis of delivery mechanisms revealed email as the primary distribution vector for the malicious SVG files.
This approach allows attackers to leverage social engineering alongside technical exploitation, increasing success rates by targeting recipients with official-looking government correspondence.
The combination of email delivery and government impersonation creates a highly effective attack vector, particularly in regions where digital literacy may be limited.
The campaign's focus on Colombian institutions suggests either targeted intelligence gathering or financial fraud operations.
Government impersonation attacks typically aim to harvest sensitive personal information, banking credentials, or identity documents that can be monetized through various criminal enterprises.
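An added triage script (not from the write-up or from VirusTotal) that turns the SVG indicators above into a static check: it counts script elements and event-handler attributes, counts CDATA sections, decodes long base64 runs to see whether they hide an HTML page or a ZIP archive (the two stages described), and looks for the reported comment marker. The SVG returned by `build_sample_svg` is constructed for the demonstration and mimics that structure.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Comment marker reported in the campaign's samples; consistent comments became signatures.
KNOWN_MARKERS = (b"POLIFORMISMO_MASIVO_SEGURO",)
# Long base64 runs: legitimate SVGs rarely carry them outside embedded raster images.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")

def classify_blob(blob: bytes):
    """Decode one base64 run and label the payload it hides, or None if it is not base64."""
    try:
        decoded = base64.b64decode(blob, validate=True)
    except (ValueError, TypeError):
        return None
    if decoded.startswith(b"PK\x03\x04"):
        return "zip"                       # second-stage archive
    head = decoded[:512].lower()
    if b"<html" in head or b"<!doctype" in head or b"<form" in head:
        return "html"                      # injected phishing page
    return "unknown"

def triage_svg(data: bytes) -> dict:
    """Static triage of an SVG: script tags, event handlers, CDATA, decoded payloads, markers."""
    root = ET.fromstring(data)
    findings = {"script_tags": 0, "event_handlers": [], "payloads": [], "markers": []}
    for el in root.iter():
        if el.tag.split("}")[-1] == "script":     # strip the XML namespace prefix
            findings["script_tags"] += 1
        for name in el.attrib:
            if name.split("}")[-1].lower().startswith("on"):   # onload, onclick, ...
                findings["event_handlers"].append(name)
    findings["cdata_sections"] = data.count(b"<![CDATA[")
    findings["payloads"] = [k for k in map(classify_blob, (m.group(0) for m in B64_RUN.finditer(data))) if k]
    findings["markers"] = [m.decode() for m in KNOWN_MARKERS if m in data]
    findings["suspicious"] = bool(findings["script_tags"] or findings["event_handlers"]
                                  or findings["payloads"] or findings["markers"])
    return findings

def build_sample_svg() -> bytes:
    """Constructed sample shaped like the described two-stage SVG: decoy HTML plus a ZIP, both base64."""
    page = base64.b64encode(b"<html><body><form>decoy portal</form></body></html>" + b" " * 200).decode()
    archive = base64.b64encode(b"PK\x03\x04" + b"\x00" * 200).decode()
    return (b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
            b"<!-- POLIFORMISMO_MASIVO_SEGURO -->"
            b"<script><![CDATA[var page=" + page.encode() + b";var zip=" + archive.encode()
            + b";]]></script></svg>")
```

For the constructed sample, `triage_svg` reports one script tag, an `onload` handler, one CDATA section, payloads `["html", "zip"]` and the known marker; a plain shape-only SVG yields no findings.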
Mitigations
Traditional antivirus solutions struggle with these attacks because they rely heavily on signature-based detection and behavioral analysis of executable files.
SVG files, being text-based graphics formats, often receive minimal scrutiny from security tools. Even when suspicious, the legitimate uses of JavaScript within SVG files make distinguishing malicious behavior extremely difficult without sophisticated analysis capabilities.
The success of this campaign highlights critical gaps in current cybersecurity defenses. Organizations must expand their security postures beyond traditional executable malware to include document formats, graphics files, and other seemingly benign content types that can carry malicious payloads.
This discovery represents a broader trend toward format diversification in malware distribution.
As security tools become more effective against traditional attack vectors, cybercriminals continuously adapt by exploiting less-monitored file types and leveraging social engineering to bypass technical controls.
The Colombian campaign demonstrates how attackers can achieve remarkable success with relatively simple techniques when they identify underprotected attack surfaces.
The zero detection rates across multiple antivirus engines for weeks or months indicate that current security infrastructures require substantial improvements in analyzing non-executable file formats.
Security professionals must recognize that effective cybersecurity requires comprehensive coverage across all file types and formats that can execute code or manipulate user systems.
The combination of technical sophistication with social engineering tactics creates particularly dangerous threats that demand both technological solutions and user education initiatives.