“password-protected zip archive (figure 2). the password to open the zip archive is conveniently displayed right below the “download completed” message (figure 3), perhaps to reinforce the illusion of authenticity. it contains an executable that, once run, moves the attac…”
T1027.017 SVG Smuggling
89%
“, one thing that sets this campaign apart from most similar campaigns is the use of oversized svg (scalable vector graphics) files that contain “the full package”. this obviates the need for external connections to a remote c&c server as a way of sending commands to comprom…”
T1566.001 Spearphishing Attachment
83%
“watch out for svg files booby-trapped with malware a recent malware campaign making the rounds in latin america offers a stark example of how cybercriminals are evolving and finetuning their playbooks. but first, here’s what’s not so new: the attacks rely on social enginee…”
T1027.017 SVG Smuggling
83%
“, hence their use in web and graphic design. the ability of svg lures to carry scripts, embedded links and interactive elements makes them ripe for abuse, all while increasing the odds of evading detection by some traditional security tools. this particular campaign, which primar…”
T1027.017 SVG Smuggling
80%
“kit that generates the files on demand, is also designed to complicate things for security products and defenders. as mentioned, the payload isn’t fetched from outside – instead, it’s embedded inside the xml itself and assembled “on the fly”. a look at the xml also reveals…”
T1566.001 Spearphishing Attachment
36%
“, hence their use in web and graphic design. the ability of svg lures to carry scripts, embedded links and interactive elements makes them ripe for abuse, all while increasing the odds of evading detection by some traditional security tools. this particular campaign, which primar…”
T1566.001 Spearphishing Attachment
35%
“kit that generates the files on demand, is also designed to complicate things for security products and defenders. as mentioned, the payload isn’t fetched from outside – instead, it’s embedded inside the xml itself and assembled “on the fly”. a look at the xml also reveals…”
T1574.001 DLL
34%
“password-protected zip archive (figure 2). the password to open the zip archive is conveniently displayed right below the “download completed” message (figure 3), perhaps to reinforce the illusion of authenticity. it contains an executable that, once run, moves the attac…”
T1566.001 Spearphishing Attachment
32%
“, one thing that sets this campaign apart from most similar campaigns is the use of oversized svg (scalable vector graphics) files that contain “the full package”. this obviates the need for external connections to a remote c&c server as a way of sending commands to comprom…”
Summary
What you see is not always what you get as cybercriminals increasingly weaponize SVG files as delivery vectors for stealthy malware