VirusTotal has uncovered a sophisticated phishing campaign that leverages SVG (Scalable Vector Graphics) files to bypass traditional antivirus detection while impersonating Colombia's judicial system. The campaign was discovered after VirusTotal added SVG support to its AI Code Insight platform, which uses machine learning to analyze suspicious behavior in uploaded files.
Campaign discovery and scale
The malicious SVG files initially showed zero detections by conventional antivirus scans but were flagged by VirusTotal's AI-powered Code Insight feature for suspicious JavaScript execution and HTML rendering capabilities. Following the initial discovery, VirusTotal identified 523 previously uploaded SVG files that were part of the same campaign, all of which had evaded detection by traditional security software.
Modus operandi
The SVG files exploit the element to display HTML content and execute JavaScript when loaded. These files create convincing fake portals impersonating Colombia's Fiscalía General de la Nación (Office of the Attorney General), complete with case numbers, security tokens, and official government branding to build victim trust.
When users interact with these fake portals, they see a phony download progress bar that simulates an official government document download process. While victims believe they are downloading legitimate legal documents, the malware simultaneously triggers the download of a password-protected ZIP archive in the background .
Malware payload
Analysis of the extracted ZIP files reveals a multi-component attack containing four files: a legitimate Comodo Dragon web browser executable renamed to appear as an official judicial document, a malicious DLL, and two encrypted files. When the user opens the executable, the malicious DLL is sideloaded to install additional malware on the system.
Evasion techniques
The campaign demonstrates sophisticated evasion tactics including obfuscation, polymorphism, and substantial amounts of dummy code designed to increase file entropy and avoid static detection methods. The attackers evolved their payloads over time, with earlier samples being larger (around 25 MB) and later versions becoming more streamlined.
Detection challenges
SVG files present unique security challenges because they can contain executable JavaScript while appearing as harmless image files to users and many security tools. Traditional antivirus solutions struggle to analyze the XML-based SVG format effectively, making AI-powered behavioral analysis crucial for detection.
The campaign highlights the growing trend of threat actors exploiting SVG files for phishing attacks, as these files can embed malicious scripts that execute automatically while maintaining the appearance of legitimate graphics. VirusTotal's AI Code Insight platform proved essential in exposing this campaign, demonstrating how machine learning can identify threats that traditional signature-based detection methods miss .
