A sophisticated malware campaign is targeting Colombian institutions through an unexpected vector: weaponized SWF and SVG files that evade traditional antivirus detection.
The discovery emerged through VirusTotal's newly enhanced Code Insight platform, which added support for analyzing these two vector-graphics formats just as attackers began using them to impersonate the Colombian justice system.
Adobe officially discontinued Flash at the end of 2020 and browsers dropped support shortly afterwards, yet SWF files continue to surface in malware campaigns.
VirusTotal processed 47,812 unique SWF files in the past month alone, 466 of them (roughly 1%) flagged as malicious by at least one antivirus engine.
This persistence shows how attackers exploit forgotten technologies, counting on deprecated formats receiving less scrutiny from defenders.
Analyzing SWF files is technically demanding for security researchers. They are binary, compiled containers, so a security platform must first decompress the container (zlib for CWS files, LZMA for ZWS files), parse the internal tag structure, and extract the embedded ActionScript bytecode before any meaningful analysis can begin.
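To make those unpacking steps concrete, here is an added example in Python (not VirusTotal's code, and not code from the report): a minimal SWF container parser that recognizes the three signatures (FWS uncompressed, CWS zlib, ZWS LZMA), decompresses with a size cap, walks the tag records and pulls out the tags that carry ActionScript. The tag codes and header layout come from the public SWF specification; build_sample and its "frame1" DoABC tag are constructed test input, not a real sample, and the 64 MiB cap is an assumed limit.

```python
import lzma
import struct
import zlib

# Tag codes from the SWF file format spec that carry executable ActionScript.
CODE_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}
# Bound decompression so a SWF whose header lies about its size cannot bomb the analyzer (assumed cap).
MAX_BODY = 64 * 1024 * 1024


def unpack_swf(data: bytes) -> bytes:
    """Return the uncompressed SWF body (everything after the 8-byte header)."""
    sig = data[:3]
    body = data[8:]                              # skip signature, version byte, uint32 file length
    if sig == b"FWS":
        return body                              # uncompressed
    if sig == b"CWS":
        return zlib.decompressobj().decompress(body, MAX_BODY)
    if sig == b"ZWS":
        # ZWS layout after the common header: uint32 compressed length, 5-byte LZMA
        # properties, then the raw LZMA stream. The standard library wants the .lzma
        # "alone" layout, which is the same thing with an 8-byte "unknown size" field
        # (all 0xFF) between the properties and the stream, so rebuild that.
        props, stream = body[4:9], body[9:]
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
        return dec.decompress(props + b"\xff" * 8 + stream, MAX_BODY)
    raise ValueError(f"not a SWF: signature {sig!r}")


def first_tag_offset(body: bytes) -> int:
    """Skip the bit-packed RECT (stage size), the uint16 frame rate and uint16 frame count."""
    nbits = body[0] >> 3                         # first 5 bits: width of each of the 4 RECT fields
    rect_len = (5 + 4 * nbits + 7) // 8          # RECT is padded up to a byte boundary
    return rect_len + 2 + 2


def iter_tags(body: bytes):
    """Yield (tag_code, payload) for each tag record until the End tag (code 0)."""
    pos = first_tag_offset(body)
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                       # long form: real length follows as uint32
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:
            break


def extract_actionscript(swf: bytes) -> list:
    """Return one record per ActionScript-bearing tag found in the SWF."""
    found = []
    for code, payload in iter_tags(unpack_swf(swf)):
        if code not in CODE_TAGS:
            continue
        entry = {"tag": CODE_TAGS[code], "size": len(payload)}
        if code == 82:                           # DoABC: uint32 flags, NUL-terminated name, ABC bytecode
            name_end = payload.index(b"\x00", 4)
            entry["name"] = payload[4:name_end].decode("utf-8", "replace")
            entry["abc"] = payload[name_end + 1:]
        found.append(entry)
    return found


def build_sample(kind: str) -> bytes:
    """Constructed minimal SWF with a single DoABC tag (test input, not a real sample)."""
    abc = b"\x10\x00\x2e\x00" + b"\x00" * 12    # ABC version header (16/46) plus placeholder bytes
    doabc = struct.pack("<I", 1) + b"frame1\x00" + abc
    tags = struct.pack("<H", (82 << 6) | len(doabc)) + doabc + struct.pack("<H", 0)
    body = b"\x00" + struct.pack("<HH", 0x1800, 1) + tags   # RECT with nbits=0, 24.0 fps, 1 frame
    file_len = struct.pack("<I", 8 + len(body))
    if kind == "FWS":
        return b"FWS\x0a" + file_len + body
    if kind == "CWS":
        return b"CWS\x0a" + file_len + zlib.compress(body)
    if kind == "ZWS":
        alone = lzma.compress(body, format=lzma.FORMAT_ALONE)
        props, stream = alone[:5], alone[13:]    # drop the 8-byte size field the .lzma layout adds
        return b"ZWS\x0d" + file_len + struct.pack("<I", len(stream)) + props + stream
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("FWS", "CWS", "ZWS"):
        print(kind, extract_actionscript(build_sample(kind)))
```

This only gets an analyst to the ActionScript bytecode; disassembling the ABC block is a separate step that needs a dedicated decompiler. Two details matter in practice: the uint32 file length in the header is attacker-controlled, so decompression has to be capped rather than trusted, and the ZWS branch relies on the header rebuild shown in the comments because the standard library has no native reader for the SWF flavour of LZMA.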
SVG: The Modern Attack Vector
While the SWF attacks rely on obsolete technology, SVG files present a more contemporary threat.
As an active web standard, SVG files look legitimate and rarely raise suspicion. VirusTotal received 140,803 unique SVG files last month, with 1,442 flagged as malicious, roughly the same 1% rate as for SWF files.
The XML-based nature of SVG makes it particularly attractive to attackers. Malicious code can be embedded as JavaScript in script elements or event-handler attributes, or hidden inside CDATA sections and base64-encoded payloads.
Because SVG content is plain text, distinguishing malicious logic from legitimate scripted graphics requires analysis that goes beyond byte signatures.
The most alarming discovery is a coordinated phishing campaign aimed at Colombian citizens through fake government portals.
The malicious SVG executes a multi-stage attack as soon as it is rendered. First, it decodes a base64-encoded HTML phishing page that convincingly replicates the government portal and injects it into the document.
While the victim interacts with the fake interface, believing they are downloading legitimate legal documents, the script decodes a second base64 payload, a malicious ZIP archive, and triggers its download in the background.
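As an added example of what such analysis has to look at (this is not code from VirusTotal or from the report), the following Python triage script parses an SVG, counts script elements and on* event handlers, flags hrefs that use the javascript: scheme or a non-raster data: URI, decodes every long base64 run in the raw text and identifies each decoded blob by its magic bytes. build_sample_svg constructs a stand-in for the two-stage pattern described above (a base64 HTML page swapped into the document, then a base64 ZIP pushed through a Blob download); the payload contents, the 64-character base64 threshold and the list of staging idioms are assumptions made for the example.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input (entity-expansion attacks)

# A base64 run this long is payload-sized rather than a short token; 64 is an assumed threshold.
B64_RUN = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{64,}={0,2}")
# Magic bytes that reveal what a decoded blob really is.
MAGIC = [(b"PK\x03\x04", "zip"), (b"<!DOCTYPE", "html"), (b"<html", "html"), (b"MZ", "pe")]
# hrefs that execute code or smuggle a non-image document; raster data: URIs are normal in SVG.
BAD_HREF = re.compile(r"^\s*(javascript:|vbscript:|data:(?!image/(png|jpe?g|gif|webp)[;,]))", re.I)
# JavaScript idioms used to decode a payload and push it into the page or to disk (assumed list).
STAGING = {
    "atob": re.compile(r"\batob\s*\("),
    "document.write": re.compile(r"document\.write\s*\("),
    "innerHTML": re.compile(r"\.innerHTML\s*="),
    "blob": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}


def local(qname: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1].lower()


def identify(blob: bytes) -> str:
    head = blob.lstrip()
    return next((kind for magic, kind in MAGIC if head.startswith(magic)), "unknown")


def scan_svg(data: bytes) -> dict:
    """Static triage of one SVG: scripts, event handlers, scheme abuse, embedded payloads."""
    found = {"scripts": 0, "event_handlers": [], "suspicious_hrefs": [], "staging": set(), "payloads": []}
    for elem in ET.fromstring(data).iter():
        tag = local(elem.tag)
        if tag == "script":
            found["scripts"] += 1
            found["staging"].update(n for n, rx in STAGING.items() if rx.search(elem.text or ""))
        for attr, value in elem.attrib.items():
            name = local(attr)
            if name.startswith("on"):            # onload=, onclick=, ... are JavaScript
                found["event_handlers"].append(f"{tag}@{name}")
                found["staging"].update(n for n, rx in STAGING.items() if rx.search(value))
            elif name == "href" and BAD_HREF.match(value):
                found["suspicious_hrefs"].append(f"{tag}@{name}")
    # Decode long base64 runs in the raw bytes, so CDATA, comments and attributes all count.
    for m in B64_RUN.finditer(data):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        found["payloads"].append({"kind": identify(blob), "size": len(blob)})
    found["staging"] = sorted(found["staging"])
    has_code = found["scripts"] or found["event_handlers"] or found["suspicious_hrefs"]
    found["verdict"] = "suspicious" if has_code and found["payloads"] else "clean"
    return found


def build_sample_svg() -> bytes:
    """Constructed SVG mimicking the two-stage pattern (test input, not a real sample)."""
    fake_page = b"<!DOCTYPE html><html><body><h1>Portal</h1><p>Descargue su documento legal.</p></body></html>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("documento.js", "/* placeholder content, not malware */")
    page_b64 = base64.b64encode(fake_page).decode()
    zip_b64 = base64.b64encode(buf.getvalue()).decode()
    script = f"""
      var page = atob("{page_b64}");
      document.documentElement.innerHTML = page;          // stage 1: swap in the phishing page
      var bytes = Uint8Array.from(atob("{zip_b64}"), function (c) {{ return c.charCodeAt(0); }});
      var a = document.createElement("a");
      a.href = URL.createObjectURL(new Blob([bytes], {{type: "application/zip"}}));
      a.download = "documento.zip";
      a.click();                                          // stage 2: silent download
    """
    return f"""<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <rect width="10" height="10"/>
  <script><![CDATA[{script}]]></script>
</svg>""".encode()


if __name__ == "__main__":
    print(scan_svg(build_sample_svg()))
```

Decoding base64 runs from the raw bytes rather than from parsed nodes is deliberate: a payload in a comment or an attribute is found just as readily as one in a CDATA block, and identifying the decoded blob by magic bytes is what turns "there is a long string here" into "this file carries an HTML document and a ZIP archive". The verdict line is intentionally conservative (code plus a decoded payload), because a script element alone is common in legitimate interactive SVG.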
With VirusTotal Intelligence, analysts can search the platform's sample collection using hundreds of parameters, including queries that look inside Code Insight reports.

Investigation revealed this was not an isolated incident. Using those search capabilities, researchers found 44 additional unique SVG files, all undetected by traditional antivirus engines but identified through Code Insight's analysis of their code.
The campaign showed clear signs of sophistication: code obfuscation, polymorphic variation between samples, and large amounts of dummy code intended to inflate the files and frustrate static detection.
Technical Evasion Tactics
The attackers demonstrated a solid understanding of detection mechanisms. Each malicious file had a slightly different code structure while keeping the same core functionality, a technique known as polymorphism that defeats signature-based detection.
Sorting the results by submission time, the earliest sample dates to August 14, 2025; it too was submitted from Colombia, and it too had zero antivirus detections at the time.

Security researchers identified an undetected SVG file that perfectly mimicked the Colombian Fiscalía General de la Nación (Attorney General’s Office), complete with authentic-looking case numbers, security tokens, and official branding.
Spanish-language comments discovered in the source code, including phrases like “POLIFORMISMO_MASIVO_SEGURO” (massive secure polymorphism), provided insights into the attackers’ methodology and eventually became detection signatures.
Despite these sophisticated evasion techniques, the malware authors made critical operational security mistakes.
Consistent comment patterns across all samples enabled researchers to develop detection rules that identified 523 related files spanning nearly a year of activity.
The earliest samples, dating to August 2025, were significantly larger at approximately 25MB, suggesting ongoing payload refinement and optimization.
Analysis of delivery mechanisms revealed email as the primary distribution vector for the malicious SVG files.
This approach allows attackers to leverage social engineering alongside technical exploitation, increasing success rates by targeting recipients with official-looking government correspondence.
The combination of email delivery and government impersonation creates a highly effective attack vector, particularly in regions where digital literacy may be limited.
The campaign’s focus on Colombian institutions suggests either targeted intelligence gathering or financial fraud operations.
Government impersonation attacks often aim to harvest sensitive personal information, banking credentials, or identity documents that can be monetized through various criminal enterprises.
Mitigations
Traditional antivirus solutions struggle with these attacks because they rely heavily on byte signatures and on behavioral analysis of executables.
SVG files, being text-based graphics, often receive minimal scrutiny from security tools, and because JavaScript has legitimate uses inside SVG, telling malicious behavior from ordinary scripted graphics is hard without deeper code analysis.
The success of this campaign highlights gaps in current defenses. Organizations must extend their security posture beyond traditional executable malware to document formats, graphics files and other seemingly benign content that can carry a payload. For SVG specifically, that means treating .svg attachments in mail gateways the way HTML attachments are treated (block, sandbox or sanitize them), since a browser executes the scripts of an SVG file that is opened directly or loaded through an object or iframe element, whereas an SVG referenced from an img element or from CSS is rendered without script execution.
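One control that closes this gap for SVG files an organization has to accept anyway (user uploads, attachments it chooses to deliver) is sanitization before the file ever reaches a browser. The sketch below is an added example, not code from the page's source or from any sanitizer library: it drops script and foreign-content elements, strips event-handler attributes and hrefs that point at javascript: or non-raster data: URIs, and re-serializes the document. The element list and the allowed data: types are assumptions chosen for the example.

```python
import re
import xml.etree.ElementTree as ET  # parse with defusedxml.ElementTree when the input is untrusted

ET.register_namespace("", "http://www.w3.org/2000/svg")
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")

# Elements that execute script or embed a foreign document inside an SVG (assumed list).
DROP_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# href values that run code or smuggle a non-image document; raster data: URIs stay.
BAD_HREF = re.compile(r"^\s*(javascript:|vbscript:|data:(?!image/(png|jpe?g|gif|webp)[;,]))", re.I)


def local(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1].lower()


def sanitize_svg(data: bytes):
    """Return (sanitized SVG bytes, list describing what was removed)."""
    root = ET.fromstring(data)
    removed = []
    # Elements first; iterate a snapshot so removals do not disturb the walk.
    for parent in list(root.iter()):
        for child in list(parent):
            if local(child.tag) in DROP_ELEMENTS:
                parent.remove(child)
                removed.append(f"element:{local(child.tag)}")
    # Then attributes on everything that survived, the root element included.
    for elem in root.iter():
        for attr in list(elem.attrib):
            name = local(attr)
            if name.startswith("on") or (name == "href" and BAD_HREF.match(elem.attrib[attr])):
                del elem.attrib[attr]
                removed.append(f"attr:{local(elem.tag)}@{name}")
    return ET.tostring(root, encoding="utf-8"), removed


if __name__ == "__main__":
    # Constructed input for the demonstration, not a real sample.
    sample = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
              b'<script>alert(1)</script>'
              b'<a href="javascript:alert(1)"><rect width="1" height="1"/></a>'
              b'<image href="data:image/png;base64,iVBOR"/></svg>')
    out, removed = sanitize_svg(sample)
    print(removed)
    print(out.decode())
```

Re-serializing through a real XML parser is part of the defence: comments, CDATA wrappers and encoding tricks that a regex-based filter might miss do not survive the round trip. A production sanitizer also has to handle SMIL animation elements (set, animate) that can rewrite attributes such as href at runtime, and CSS with url() references; use a maintained library such as DOMPurify rather than extending this sketch.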
This discovery represents a broader trend toward format diversification in malware distribution.
As security tools become more effective against traditional attack vectors, cybercriminals continuously adapt by exploiting less-monitored file types and leveraging social engineering to bypass technical controls.
The Colombian campaign demonstrates how attackers can achieve remarkable success with relatively simple techniques when they identify underprotected attack surfaces.
The zero detection rates across multiple antivirus engines for weeks or months indicate that current security infrastructures require substantial improvements in analyzing non-executable file formats.
Security professionals must recognize that effective cybersecurity requires comprehensive coverage across all file types and formats that can execute code or manipulate user systems.
The combination of technical sophistication with social engineering tactics creates particularly dangerous threats that demand both technological solutions and user education initiatives.