VirusTotal Unmasks SVG-Based Phishing Campaign Targeting Colombia’s Judiciary

VirusTotal has uncovered a sophisticated phishing campaign that uses SVG (Scalable Vector Graphics) files to impersonate Colombia’s judicial system, tricking victims into downloading malware. 

The discovery was made possible after the platform’s AI-powered Code Insight feature added support for analyzing SVGs, enabling it to detect malicious behavior that traditional antivirus engines missed. 

SVG files are typically used to create images from lines, shapes, and text, but cybercriminals have increasingly exploited their ability to embed HTML using the <foreignObject> element and execute JavaScript.
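A minimal static check for the active content described above, as an added example (not VirusTotal's code and not part of Code Insight). The function names, finding labels and both sample SVGs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

def local_name(name):
    """Drop the '{namespace}' prefix ElementTree adds to tag/attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(text):
    """Return a sorted list of findings for active content in SVG markup."""
    # Do not expand entities from untrusted input; report them instead.
    if "<!ENTITY" in text.upper():
        return ["entity-declaration"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return ["unparseable-xml"]
    findings = set()
    for el in root.iter():
        tag = local_name(el.tag)
        if tag == "script":
            findings.add("script-element")
        elif tag == "foreignobject":
            # foreignObject lets an SVG carry arbitrary (X)HTML, e.g. a fake portal.
            findings.add("foreignObject-embedded-html")
        for attr, value in el.attrib.items():
            name = local_name(attr)
            if name.startswith("on"):  # onload, onclick, ...
                findings.add("event-handler-attribute")
            # Covers both href and xlink:href after namespace stripping.
            if name == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.add("javascript-url")
    return sorted(findings)

# Constructed sample: a plain image with no active content.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<rect width="10" height="10" fill="blue"/></svg>')

# Constructed sample: embedded HTML plus script, the pattern the article describes.
SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <foreignObject width="100%" height="100%">
    <div xmlns="http://www.w3.org/1999/xhtml">Constructed sample portal</div>
  </foreignObject>
  <script>function init() { document.title = "sample"; }</script>
</svg>"""

if __name__ == "__main__":
    for label, svg in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, scan_svg(svg))
```

These findings are triage signals rather than verdicts, since legitimate SVGs can also contain scripts and foreignObject elements.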

In this case, the attackers crafted SVGs that rendered convincing portals mimicking Colombia’s judiciary, complete with case numbers, security tokens, and official-looking design elements to inspire trust. When opened, the fake portal displayed a simulated download progress bar and instructed users to retrieve a password-protected ZIP archive. 

The password itself was provided directly on the spoofed page, reinforcing the illusion of legitimacy. Once extracted, the archive contained four files, including a legitimate executable from the Comodo Dragon web browser that had been renamed to appear as an official judicial document. 

Alongside it was a malicious DLL designed for sideloading, as well as two encrypted files. If the victim ran the executable, the DLL would be silently loaded to install further malware on the system, expanding the attack’s reach.

The initial detection of one malicious SVG led to a broader investigation, with VirusTotal identifying 523 additional SVG files that had been previously uploaded to its platform but evaded detection by conventional security software.

This scale highlights both the effectiveness of the attackers’ strategy and the potential blind spots in existing defences. VirusTotal emphasized that its Code Insight AI played a critical role in exposing the campaign. 

Unlike signature-based antivirus tools, the AI system generates contextual summaries of suspicious code, flagging behaviors such as JavaScript execution within SVGs. 

“This is where Code Insight helps most: giving context, saving time, and helping focus on what really matters. It’s not magic, and it won’t replace expert analysis, but it’s one more tool to cut through the noise and get to the point faster,” the company noted. 

The case underscores the growing trend of cybercriminals exploiting unconventional file formats like SVGs to bypass security checks. 

As attackers innovate, experts warn that organizations must evolve their defences with AI-driven detection to close gaps left by traditional tools.