Listen to this Post

Cybersecurity researchers at VirusTotal have uncovered a sophisticated phishing campaign exploiting SVG files with hidden JavaScript, targeting users in Colombia. These files impersonate the Fiscalía General de la Nación login pages, tricking victims while simultaneously delivering malware. This campaign underscores a growing trend: outdated file formats like SWF and deceptively simple formats like SVG are still highly effective tools for cybercriminals. Traditional antivirus solutions often fail to detect these threats, highlighting the need for deeper, behavior-based analysis tools like Code Insight.
the Report
VirusTotal’s latest research shows that even legacy formats, such as SWF (Shockwave Flash), continue to be abused in cyberattacks. In a 30-day window, VirusTotal observed 47,812 unique SWF files, of which 466 were flagged as malicious. These files require unpacking, parsing, and script extraction for proper analysis. Similarly, SVG (Scalable Vector Graphics) files remain a favorite among attackers due to their XML-based structure, which allows for embedded scripts and obfuscation. VirusTotal detected 140,803 unique SVGs in the same period, 1,442 (\~1%) of which were flagged as malicious by at least one antivirus engine.
A recent example highlights the dangers of relying solely on traditional antivirus engines. One SVG file appeared completely clean on VirusTotal, registering zero detections. However, a deeper inspection using Code Insight revealed hidden JavaScript designed to create a fake Colombian judicial portal. While presenting a seemingly innocuous “file download” progress bar, the script secretly decoded and delivered a malicious ZIP file, effectively combining phishing and malware deployment in a single file.
Following the addition of SVG support in Code Insight, VirusTotal quickly identified a broader campaign: 44 malicious SVG files went completely undetected by antivirus software but were flagged by Code Insight. The attackers employed obfuscation, polymorphism, and dummy code, leaving behind Spanish comments like “POLIFORMISMO_MASIVO_SEGURO.” By using a YARA rule, researchers traced over 523 similar malicious files dating back to August 2025. While initial payloads were large and cumbersome, newer iterations have become lighter and are primarily distributed via email.
The report concludes that while SWF and SVG files originate from different technological eras, both remain capable of evading detection and challenging cybersecurity analysts. Code Insight proved essential for uncovering hidden behavior, highlighting the limitations of conventional antivirus tools.
What Undercode Say:
The use of SVG files in phishing and malware campaigns reflects a broader trend in cybersecurity: attackers are increasingly leveraging file formats that are assumed to be “safe” or outdated. Unlike executable files, SVGs are often overlooked by security teams because they are perceived as simple graphics. Yet, as VirusTotal’s research demonstrates, SVGs can carry hidden scripts, enabling attackers to perform complex actions like phishing, malware delivery, and credential theft simultaneously.
This campaign also highlights the shortcomings of traditional antivirus solutions. Signature-based detection is effective against known threats, but sophisticated obfuscation, polymorphism, and dummy code allow malicious files to bypass these defenses. The inclusion of Spanish-language comments in code shows that attackers sometimes leave subtle human-readable clues for future campaign refinement, perhaps as internal documentation or a marker for automated scripts.
From an operational perspective, the evolution from bulky, email-delivered SWF payloads to lightweight, easily distributed SVG malware demonstrates the efficiency of modern attack vectors. Analysts must therefore combine static and dynamic analysis tools to identify threats that evade standard defenses. The rapid identification of over 500 files with a simple YARA rule reinforces the importance of proactive threat hunting and heuristic-based detection strategies.
The implications for organizations and users are significant. Even files that appear benign, like SVGs, can serve dual roles as both phishing lures and malware carriers. Cybersecurity teams must adopt layered defense strategies, including real-time behavioral analysis, code-inspection tools, and user awareness training. Without such measures, attackers exploiting seemingly innocuous file formats can compromise networks, steal credentials, and deploy malware undetected.
Ultimately, this research should serve as a wake-up call. Threat actors are continuously adapting, using creativity and overlooked file formats to bypass protections. Reliance on legacy antivirus alone is insufficient; the future of cybersecurity depends on combining advanced tools, human analysis, and predictive detection strategies.
🔍 Fact Checker Results:
✅ VirusTotal confirmed SVG and SWF files are still widely abused in attacks.
✅ Code Insight successfully detected malicious SVGs undetectable by standard antivirus engines.
❌ Traditional antivirus alone is insufficient to detect all obfuscated SVG threats.
📊 Prediction
Malware campaigns leveraging SVG files will likely increase, particularly in regions where phishing is prevalent, such as Latin America. As attackers continue to refine obfuscation techniques and embed dual-purpose scripts, traditional signature-based antivirus solutions will lag further behind. Organizations that invest in behavior-based detection, dynamic file analysis, and threat intelligence platforms will be better positioned to intercept such threats. Over the next 12–18 months, we can expect more dual-purpose files combining phishing and malware functions, with attackers exploiting increasingly overlooked file formats beyond SVG and SWF.
If you want, I can also make a more engaging, clickbait-style version of this article optimized for social media sharing while keeping it factual and analytical. Do you want me to do that?
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: securityaffairs.com
Extra Source Hub:
https://www.discord.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




