Hackers Weaponizing SVG Files With Malicious Embedded JavaScript to Execute Malware on Windows Systems

Cybercriminals have begun exploiting Scalable Vector Graphics (SVG) files as sophisticated attack vectors, transforming seemingly harmless image files into potent phishing weapons capable of executing malicious JavaScript on Windows systems.

This emerging threat leverages the XML-based structure of SVG files to embed and execute malicious scripts when opened in default web browsers, bypassing traditional security measures that typically focus on conventional executable files.

Unlike standard image formats such as JPEG or PNG that store pixel data, SVG files utilize XML-based code to define vector paths, shapes, and text elements.

This fundamental difference creates an opportunity for attackers to embed JavaScript code within the file structure, which executes automatically when the SVG file is opened in a browser.

The attack primarily targets Windows systems where SVG files launch in default web browsers, enabling immediate script execution without user intervention beyond opening the file.

Seqrite security researchers have identified a sophisticated campaign employing this technique, observing attackers distributing malicious SVG files through spear-phishing emails with deceptive subject lines like “Reminder for your Scheduled Event” and attachments named “Upcoming Meeting.svg” or “Your-to-do-List.svg.”

[Figure] Attack chain of SVG campaign (Source – Seqrite)

The campaign also utilizes cloud storage platforms including Dropbox, Google Drive, and OneDrive to distribute malicious files while evading email security filters.

The attack demonstrates remarkable technical sophistication, with threat actors leveraging multiple evasion techniques to maintain persistence and avoid detection by traditional security solutions.

Technical Infection Mechanism and Code Obfuscation

The malicious SVG files contain embedded <script> tags whose contents sit inside CDATA sections, which hides the malicious logic from basic content scanners that only inspect parsed XML. Security researchers discovered that attackers store the payload as a hex-encoded string variable (Y) paired with a short XOR key (q), so the script body itself contains no readable JavaScript.

When the script runs, it XOR-decodes this hex data back into executable JavaScript and navigates with window.location = 'javascript:' + v; (a javascript: URL assignment), which redirects victims to phishing sites.
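The following triage script is an added example, not Seqrite's tooling or code from the campaign: it pulls <script> bodies out of an SVG, looks for a long hex string variable beside a short string variable (the Y/q pattern described above), XOR-decodes each candidate pair, and flags the result if it contains the window.location / javascript: redirect. The embedded SVG is a constructed fixture whose decoded text is only the redirect line quoted in the article; the variable-matching regexes are heuristics.

```python
import re

# Constructed sample: minimal SVG with a CDATA-wrapped <script> holding a
# hex-encoded string (Y) and a short XOR key (q), mirroring the described
# pattern. Test fixture only; `v` is never defined, so nothing executes.
def _build_sample():
    plain = "window.location = 'javascript:' + v;"
    key = "k3"
    hexed = "".join(
        f"{ord(c) ^ ord(key[i % len(key)]):02x}" for i, c in enumerate(plain)
    )
    return (
        '<svg xmlns="http://www.w3.org/2000/svg"><script><![CDATA[\n'
        f'var Y="{hexed}";var q="{key}";\n'
        "]]></script></svg>"
    )

SAMPLE_SVG = _build_sample()

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)
STR_VAR_RE = re.compile(r"var\s+(\w+)\s*=\s*[\"']([^\"']+)[\"']")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){8,}$")  # at least 8 bytes of hex
REDIRECT_MARKERS = ("javascript:", "window.location")

def xor_decode(hex_blob, key):
    """XOR a hex-encoded blob with a repeating short key, as the loader does."""
    data = bytes.fromhex(hex_blob)
    return bytes(b ^ ord(key[i % len(key)]) for i, b in enumerate(data)).decode("latin-1")

def triage_svg(svg_text):
    """Return findings for scripts whose XOR-decoded hex data looks like a redirect."""
    findings = []
    for script in SCRIPT_RE.findall(svg_text):
        body = "".join(CDATA_RE.findall(script)) or script  # unwrap CDATA if present
        strings = dict(STR_VAR_RE.findall(body))
        hex_vars = {n: v for n, v in strings.items() if HEX_RE.match(v)}
        # Short non-hex string literals are the XOR-key candidates.
        keys = {n: v for n, v in strings.items() if n not in hex_vars and 1 <= len(v) <= 8}
        for hname, blob in hex_vars.items():
            for kname, key in keys.items():
                decoded = xor_decode(blob, key)
                if any(m in decoded for m in REDIRECT_MARKERS):
                    findings.append({"hex_var": hname, "key_var": kname, "decoded": decoded})
    return findings

if __name__ == "__main__":
    for f in triage_svg(SAMPLE_SVG):
        print(f"suspicious: {f['hex_var']} XOR {f['key_var']} -> {f['decoded']}")
```

A clean SVG with no script, or a script whose string literals do not decode to a redirect, produces no findings, so the check can sit in a mail-gateway or sandbox pre-filter before a full browser detonation.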

Upon successful decryption, the payload redirects users to command-and-control infrastructure, specifically hxxps://hju[.]yxfbynit[.]es/koRfAEHVFeQZ!bM9, which employs Cloudflare CAPTCHA gates before presenting convincing Office 365 login forms designed for credential harvesting.
