Weaponized SVGs Target Colombia with Phishing

VirusTotal Code Insight added support for SWF and SVG and immediately uncovered an undetected malware campaign using SVG files that impersonated the Colombian justice system by executing embedded JavaScript to deliver a phishing page and a malicious ZIP dropper. A retrohunt using a simple YARA signature based on Spanish comments found 523 related SVG samples dating back to August 14, 2025, all previously undetected by antivirus engines. #SVG #ColombianFiscalia

Keypoints

  • VirusTotal Code Insight expanded file-format analysis to include SWF and SVG, providing richer contextual reports for analysts.
  • One SWF sample appeared suspicious due to obfuscation and cryptographic functions but was identified as a legitimate ActionScript-based game with no malicious behavior observed.
  • An SVG sample evaded all antivirus engines but, per Code Insight, executed embedded JavaScript when rendered: the script decoded and injected a Base64-encoded HTML phishing page impersonating the Colombian judicial portal and forced the download of a malicious ZIP archive. (The script runs when the SVG is opened directly in a browser; browsers do not execute scripts in an SVG loaded through an <img> element, so the lure depends on the victim opening the attachment itself.)
  • A search for Code Insight indicators revealed 44 unique SVG files tied to the same phishing/malware campaign, all undetected by AV but flagged by Code Insight.
  • Attackers used obfuscation, polymorphism, and large amounts of dummy code; however, Spanish-language comments remained constant and served as an effective signature.
  • A simple YARA rule based on those comments yielded 523 matches in a retrohunt, with the earliest match from August 14, 2025, submitted from Colombia with zero detections at the time.
  • Distribution was primarily via email, and campaign artifacts included sender metadata, subjects, and attachment names, enabling further pivoting and investigation.

MITRE Techniques

  • [T1059.007] Command and Scripting Interpreter: JavaScript – Embedded JavaScript in the SVG runs on render, decodes Base64-encoded content and executes the payload: “This SVG file executes an embedded JavaScript payload upon rendering. The script decodes and injects a Base64-encoded HTML phishing page…”
  • [T1204.002] User Execution: Malicious File – The SVG simulates a file download and visually deceives users into interacting with the malicious content: “…it simulates a file download with a progress bar, while in the background, it decodes a second, large Base64 string, which is a malicious ZIP archive, and forces its download.”
  • [T1105] Ingress Tool Transfer – The malicious ZIP archive is carried inside the SVG as a second, large Base64 string; the script decodes it and forces the browser to save it, so the payload reaches disk without any remote fetch: “…decodes a second, large Base64 string, which is a malicious ZIP archive, and forces its download.”
  • [T1027] Obfuscated Files or Information – Use of code obfuscation, polymorphism, and large amounts of dummy code to increase entropy and evade static detection: “Code obfuscation techniques … use of polymorphism … large amounts of dummy (garbage) code to increase entropy and evade static detection.”
  • [T1566.001] Phishing: Spearphishing Attachment – The SVG lure is delivered as an email attachment and impersonates the Colombian Fiscalía General de la Nación to gain the victim's trust and deliver malware: “…a Base64-encoded HTML phishing page impersonating a Colombian government judicial system portal… The phishing site includes case numbers, security tokens, and visual cues to build trust.”

Indicators of Compromise

  • [File Hash] Sample hashes – 350422c3915a8a1a1336147f89061b25c8354af58db0050e2f9ef2b384e59f62, 1527ef7ac7f79bb1a61747652fd6015942a6c5b18b4d7ac0829dd39842ad735d
  • [File Type / Names] Malicious document formats – SVG files impersonating Colombian judicial portal (multiple unique SVG samples), and large malicious ZIP archive embedded as Base64 in SVGs
  • [YARA Rule] Static signature context – Spanish comments like “POLIFORMISMO_MASIVO_SEGURO” and “Funciones dummy MASIVAS” used to detect campaign samples (rule produced 523 matches)
  • [Metadata] Submission and origin context – Earliest identified sample submitted from Colombia on August 14, 2025, and distribution via email with identifiable senders, subjects, and attachment names
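Worked example (added for this summary; it is not code from the VirusTotal post, nor a VirusTotal tool): a Python triage script that implements the checks the keypoints and MITRE entries above describe. It extracts <script> bodies from an SVG, decodes long Base64 runs and classifies each as an HTML page or a ZIP archive by its magic bytes, flags the injection (document.write, atob) and forced-download (Blob, createObjectURL, a.download, click) primitives, and finally looks for the two reused comment strings the page lists as the basis of the YARA rule, so it covers both the Code Insight behaviour description and the retrohunt signature. The sample SVG it analyzes is constructed here with a placeholder ZIP; the 100-character Base64 threshold and the primitive lists are assumptions, not values from the post.

```python
"""Static triage for SVGs carrying embedded script plus Base64 payloads.
Added example modelled on the behaviour the post describes; not VirusTotal code.
Sample input is constructed below; thresholds and primitive lists are assumptions."""
import base64, binascii, io, re, zipfile
import xml.etree.ElementTree as ET

# Comment strings the page quotes as the campaign's constant (kept verbatim).
CAMPAIGN_MARKERS = ("POLIFORMISMO_MASIVO_SEGURO", "Funciones dummy MASIVAS")
# Script primitives that inject decoded HTML into the rendering document.
INJECTION_PRIMITIVES = ("document.write", "innerHTML", "atob(")
# Script primitives that turn in-memory bytes into a forced file download.
DOWNLOAD_PRIMITIVES = ("new Blob", "createObjectURL", ".download", ".click(")
# "Large" Base64 run; 100 chars is an assumed threshold for this example.
B64_RE = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")


def extract_scripts(svg_text: str) -> list:
    """Text of every <script> element, namespace-insensitive. Malformed XML
    (common in mangled lures) falls back to a regex instead of being dropped."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return re.findall(r"<script[^>]*>(.*?)</script>", svg_text, re.S | re.I)
    return [el.text for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "script" and el.text]


def classify_payload(blob: bytes) -> str:
    """Identify a decoded blob by ZIP magic bytes or leading HTML markup."""
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    head = blob[:512].lower()
    return "html" if b"<html" in head or b"<!doctype" in head else "unknown"


def find_base64_payloads(text: str) -> list:
    """Decode and classify every long Base64 run in the script text."""
    found = []
    for m in B64_RE.finditer(text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # Base64-looking but not decodable; ignore
        found.append({"kind": classify_payload(blob), "size": len(blob)})
    return found


def triage(svg_text: str) -> dict:
    """Score one SVG. Verdicts: benign, suspicious, campaign-match."""
    scripts = extract_scripts(svg_text)
    body = "\n".join(scripts)
    payloads = find_base64_payloads(body)
    kinds = {p["kind"] for p in payloads}
    report = {
        "scripts": len(scripts),
        "payloads": payloads,
        "injection": [p for p in INJECTION_PRIMITIVES if p in body],
        "download": [p for p in DOWNLOAD_PRIMITIVES if p in body],
        # XML parsers drop comments, so the markers are searched in the raw file.
        "markers": [m for m in CAMPAIGN_MARKERS if m in svg_text],
    }
    if report["markers"]:
        report["verdict"] = "campaign-match"
    elif scripts and ("zip" in kinds or ("html" in kinds and report["injection"])):
        report["verdict"] = "suspicious"  # generic path, survives comment changes
    else:
        report["verdict"] = "benign"
    return report


def build_sample_svg() -> str:
    """Constructed lure in the shape the post describes; not a real sample."""
    html = ("<!DOCTYPE html><html><head><title>Portal Judicial</title></head><body>"
            "<h1>Notificacion de proceso</h1><p>Numero de caso: 0000-0000</p>"
            "<div id='bar'>Descargando documento...</div></body></html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Documento.txt", "x" * 256)  # placeholder, not malware
    page = base64.b64encode(html.encode()).decode()
    pkg = base64.b64encode(buf.getvalue()).decode()
    return (
        '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">\n'
        "<!-- POLIFORMISMO_MASIVO_SEGURO --><!-- Funciones dummy MASIVAS -->\n"
        "<script><![CDATA[\nfunction dummy1(){return 1;}\n"
        f'var page = "{page}";\nvar pkg = "{pkg}";\n'
        "document.write(atob(page));\n"
        "var bytes = Uint8Array.from(atob(pkg), function(c){return c.charCodeAt(0);});\n"
        'var a = document.createElement("a");\n'
        "a.href = URL.createObjectURL(new Blob([bytes]));\n"
        'a.download = "Notificacion.zip";\na.click();\n]]></script></svg>\n'
    )


BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'

if __name__ == "__main__":
    print(triage(build_sample_svg()))
    print(triage(BENIGN_SVG))
```

Running the file prints a report for the constructed lure and for a benign SVG; in practice call triage() on the text of each attachment. The markers produce the campaign-match verdict only while the attackers keep those comments; the script-plus-payload heuristics are the part that still fires once they are renamed, which is why the generic suspicious verdict is kept separate from the signature hit.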


Read more: https://blog.virustotal.com/2025/09/uncovering-colombian-malware-campaign.html