
A newly discovered phishing campaign uses malicious SVG files to impersonate Colombia's judicial system and deliver malware; every sample evaded detection by traditional antivirus engines at the time of discovery. The campaign, uncovered by VirusTotal's AI-powered Code Insight feature, shows how a trusted file format (SVG is XML, and an SVG document can carry executable JavaScript) can be used to slip past security controls [1].
The attack begins with an email carrying an SVG attachment. When the recipient opens the file in a browser (script inside an SVG runs when the file is opened as a document, not when it is rendered as an embedded image), the embedded JavaScript decodes a Base64-encoded HTML phishing page that mimics the portal of Colombia's Fiscalía General de la Nación. The fake portal shows a progress bar to simulate a file download, building the user's trust, before decoding a second Base64 string into a malicious ZIP archive and triggering its download [1].
Technical Analysis of the SVG Attack Vector
The SVG files used layered obfuscation to evade detection. The attackers varied the code slightly from file to file (polymorphism) and padded each file with large amounts of garbage "dummy" code to raise its entropy and complicate static analysis. Despite these variations, Spanish-language comments such as "POLIFORMISMO_MASIVO_SEGURO" (massive safe polymorphism) and "Funciones dummy MASIVAS" (MASSIVE dummy functions) stayed the same across samples, and so provided a reliable detection signature [1].
Analysis by BleepingComputer added details about the final payload. The downloaded ZIP file was password-protected, with the password shown on the fake portal, so a scanner that does not know the password cannot inspect the archive's contents. The ZIP contained a legitimate but renamed Comodo Dragon executable abused for DLL sideloading (a trusted binary that loads a DLL by name from its own directory, so a malicious DLL planted there runs under the trusted process), the malicious DLL itself, and encrypted files. The malicious DLL had zero detections on VirusTotal at the time of analysis [1].
Campaign Scale and Evolution
VirusTotal's investigation uncovered 44 unique SVG files linked to the campaign, all with zero antivirus detections when discovered. A retrohunt with a YARA rule built on the Spanish comments matched 523 samples, the earliest dated August 14, 2025 and also submitted from Colombia. The campaign's tactics evolved over time: early samples were excessively large (approximately 25 MB), and file sizes fell as the attackers refined their techniques for efficiency and stealth [1].
The campaign had in fact been documented weeks earlier by researcher Yealvare, who analyzed an SVG file of approximately 11 MB that used an onclick="abrirPortal()" handler to trigger decoding of the Base64 payload. That payload was a password-protected ZIP containing a malicious DLL which also had zero detections on VirusTotal and Hybrid Analysis [2].
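To make the staged decoding described above concrete (SVG script, Base64 HTML portal, Base64 ZIP inside it), here is an added Python triage script. It is written for this article and is not code from VirusTotal, BleepingComputer or the researcher cited; the sample SVG it analyzes is a constructed lookalike with the same structure, not a campaign artifact, and all function names are this example's own. The script pulls every `<script>` body out of the SVG, finds long Base64 runs, decodes them, classifies each decoded stage (HTML or ZIP by magic bytes), recurses into decoded HTML, lists the ZIP's entries and reports whether they are encrypted, and records which event handlers (such as `onload` or `onclick`) trigger the chain.

```python
import base64
import binascii
import io
import re
import zipfile

# Long Base64 runs; 40 chars is an assumed minimum to skip identifiers.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
HANDLER_RE = re.compile(r'\bon\w+\s*=\s*"([^"]*)"', re.I)


def build_sample_svg() -> str:
    """Constructed lookalike (not a campaign sample): SVG -> Base64 HTML -> Base64 ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.txt", "placeholder text, not malware")
    zip_b64 = base64.b64encode(buf.getvalue()).decode()
    portal_html = (
        '<html><body><h1>Portal (lookalike)</h1><div id="progress"></div>'
        '<script>var z="' + zip_b64 + '";'
        "var a=document.createElement('a');"
        "a.href='data:application/zip;base64,'+z;"
        "a.download='expediente.zip';a.click();</script></body></html>"
    )
    html_b64 = base64.b64encode(portal_html.encode()).decode()
    return (
        '<svg xmlns="http://www.w3.org/2000/svg" onload="abrirPortal()">\n'
        "<script><![CDATA[\n"
        "// POLIFORMISMO_MASIVO_SEGURO\n"
        "function dummy_0001(){ return 1; }\n"
        'function abrirPortal(){ var p="' + html_b64 + '"; document.write(atob(p)); }\n'
        "]]></script>\n</svg>\n"
    )


def classify(data: bytes) -> str:
    """Identify a decoded stage by its leading bytes."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    head = data[:4096].lstrip().lower()
    if head.startswith(b"<!doctype") or b"<html" in head:
        return "html"
    return "unknown"


def zip_summary(data: bytes) -> dict:
    """List entries and flag encryption (bit 0 of the general-purpose flags)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return {"entries": [], "encrypted": None}
    return {"entries": [i.filename for i in infos],
            "encrypted": any(i.flag_bits & 0x1 for i in infos)}


def decode_stages(text: str, depth: int = 0, max_depth: int = 4) -> list:
    """Decode every Base64 run in text; recurse into decoded HTML to find the next stage."""
    stages = []
    for blob in B64_RE.findall(text):
        try:
            data = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # a long identifier, not Base64
        kind = classify(data)
        stage = {"depth": depth, "kind": kind, "size": len(data)}
        if kind == "zip":
            stage.update(zip_summary(data))
        stages.append(stage)
        if kind == "html" and depth < max_depth:
            stages.extend(decode_stages(data.decode("utf-8", "replace"), depth + 1, max_depth))
    return stages


def triage_svg(svg_text: str) -> dict:
    """Return the script trigger handlers and the decoded payload chain of an SVG."""
    scripts = SCRIPT_RE.findall(svg_text)
    stages = []
    for body in scripts:
        stages.extend(decode_stages(body))
    return {"has_script": bool(scripts),
            "handlers": HANDLER_RE.findall(svg_text),
            "stages": stages}


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage_svg(build_sample_svg()))
```

On the constructed sample the report lists an `onload` handler calling `abrirPortal()`, an HTML stage at depth 0 and a ZIP stage at depth 1 with its entry names. A real sample from this campaign would report the ZIP as encrypted, which is the cue to go back to the decoded portal HTML for the password the lure displays.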
Broader Context of Evasive Phishing Techniques
The SVG-based attack is part of a larger trend in which threat actors abuse trusted file formats and platforms to bypass security controls. Research from Intezer documented four evasive phishing techniques that emerged in 2025: SVG files combining Base64 encoding with JavaScript, malicious URLs hidden in PDF annotations, OneDrive-hosted phishing pages with dynamic JavaScript, and MHT files embedded in OpenXML documents for QR-code phishing ("quishing") [3].
These techniques move the obfuscation from the payload into the file's structure and delivery context, so detecting them requires format-aware parsing combined with dynamic analysis. The PDF annotation technique, for example, went undetected on VirusTotal for 15 days: the malicious link sat in an annotation array that is invisible to the user and missed by most static link-extraction tools, which do not parse annotation objects [3].
Defensive Recommendations and Mitigation Strategies
The consistent recommendation across multiple security advisories is to block SVG attachments at the enterprise email gateway, which stops the initial vector before the content ever reaches a user. The New Jersey Cybersecurity & Communications Integration Cell noted that "in multiple cases, these SVG files are not flagged as malicious," confirming how widespread the evasion problem is [4].
Effective defense requires moving beyond conventional tools toward layered strategies that incorporate AI-assisted detection and continuous monitoring. Semantic and thematic analysis that correlates email subject lines (such as "voicemail" notifications) with suspicious SVG features may work better than payload-dependent detection against these evasive threats [5].
Security teams should deploy YARA rules keyed on the consistent Spanish-language comments found in these samples; that simple signature identified hundreds of previously undetected samples through retrohunting. In addition, flagging unusually large SVG attachments (particularly those over 1 MB) in email traffic can surface suspects, since legitimate SVG files used for web graphics are typically far smaller. Note that a comment-based signature is tied to this campaign's tooling and stops matching as soon as the authors change or strip the comments, so it complements rather than replaces structural checks such as the presence of script elements, atob() calls and abnormal file size.
The campaign underlines the role of AI-assisted analysis and threat intelligence in countering threats that systematically bypass traditional security solutions. As attackers keep refining their techniques, security teams must adopt analysis methods that detect threats by behavior and context rather than relying solely on signature-based detection.
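As an added example of the detection logic recommended in this section (not code from any of the cited advisories or vendors), the following Python scorer combines the campaign-specific indicators with the generic structural checks: the two comment strings are the ones quoted earlier in this article, the 1 MB size threshold is the one given above, and the lure-subject pattern, the dummy-function threshold and the allow/review/block rules are this example's own assumptions. The lookalike sample it scores is constructed here to have the described shape (marker comments, tens of thousands of dummy functions, an atob() stage) and is not a real sample.

```python
import math
import re
from collections import Counter

# Campaign comment markers quoted in the write-up (used as a YARA rule there).
INDICATOR_STRINGS = (b"POLIFORMISMO_MASIVO_SEGURO", b"Funciones dummy MASIVAS")
# Size threshold from the text: legitimate web SVGs are usually far below 1 MB.
SIZE_THRESHOLD = 1_000_000
# Lure themes named in the text (voicemail, judicial notices); pattern is an assumption.
LURE_SUBJECT_RE = re.compile(r"voicemail|fiscal[ií]a|notificaci[oó]n", re.I)
SCRIPT_RE = re.compile(rb"<script\b", re.I)
ATOB_RE = re.compile(rb"\batob\s*\(")
DUMMY_FN_RE = re.compile(rb"\bfunction\s+dummy\w*\s*\(", re.I)
DUMMY_FN_MIN = 100  # assumed: this many padding functions is not a design asset


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; reported as a feature, not used in the verdict."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def score_svg(data: bytes, subject: str = "", size_threshold: int = SIZE_THRESHOLD) -> dict:
    """Score one SVG attachment together with the subject of the carrying email."""
    reasons = []
    markers = [m.decode() for m in INDICATOR_STRINGS if m in data]
    has_script = SCRIPT_RE.search(data) is not None
    has_atob = ATOB_RE.search(data) is not None
    dummy_count = len(DUMMY_FN_RE.findall(data))
    oversized = len(data) > size_threshold
    lure_subject = LURE_SUBJECT_RE.search(subject) is not None
    if markers:
        reasons.append("campaign comment marker")
    if has_script:
        reasons.append("embedded script")
    if has_atob:
        reasons.append("base64 decode call")
    if dummy_count >= DUMMY_FN_MIN:
        reasons.append("dummy function padding")
    if oversized:
        reasons.append("oversized svg")
    if lure_subject:
        reasons.append("lure-themed subject")
    # Markers alone are decisive; otherwise script plus any structural or contextual
    # signal is blocked, bare script goes to review, and everything else passes.
    if markers or (has_script and (has_atob or oversized or dummy_count >= DUMMY_FN_MIN or lure_subject)):
        verdict = "block"
    elif has_script:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons, "markers": markers,
            "size": len(data), "dummy_functions": dummy_count,
            "entropy": round(shannon_entropy(data), 3)}


def build_lookalike(n_dummy: int = 40_000) -> bytes:
    """Constructed lookalike of the campaign's file shape (not a real sample)."""
    dummies = "".join(f"function dummy_{i}(){{ return {i}; }}\n" for i in range(n_dummy))
    return (
        '<svg xmlns="http://www.w3.org/2000/svg" onload="abrirPortal()">\n<script><![CDATA[\n'
        "// POLIFORMISMO_MASIVO_SEGURO\n// Funciones dummy MASIVAS\n" + dummies +
        'function abrirPortal(){ document.write(atob("PGh0bWw+")); }\n]]></script>\n</svg>\n'
    ).encode()


# Constructed benign control: a plain icon with no script.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><circle cx="8" cy="8" r="6"/></svg>'


if __name__ == "__main__":
    print(score_svg(build_lookalike(), subject="Notificación Fiscalía"))
    print(score_svg(BENIGN_SVG, subject="Logo for the newsletter"))
```

The lookalike is blocked on the marker alone, but it would still be blocked with the markers removed because it carries a script, an atob() call, tens of thousands of dummy functions and a size above the threshold; the benign icon passes with an empty reason list. An SVG with a script but none of the other signals lands in review rather than block, which is where a gateway that cannot block SVG outright should route it for sandbox detonation.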