Colombian Cyberattackers Exploit SWF and SVG Files to Evade Detection

In early August 2025, a malware campaign emerged that targeted users in Colombia and may have reached further afield. It is notable for pairing two vector-based file formats, Adobe Flash SWF and Scalable Vector Graphics (SVG), in a multi-phase attack that slipped past traditional antivirus defenses.

Initial Discovery and Investigation

The campaign came to light when an SWF file named `Sequester.swf` triggered alerts in only a handful of antivirus engines, which prompted researchers to look more closely at its contents. Shortly afterwards a related SVG file surfaced, carrying inline JavaScript that impersonated the portal of Colombia's Fiscalía General de la Nación. Few detection pipelines are tuned for a legacy format and a modern one at the same time, and the attackers' movement between the two left many security teams without warning.

Anatomy of the SWF Component

The SWF file presented itself as a legitimate 3D puzzle game, complete with ActionScript modules for rendering, pathfinding, and cryptographic routines. The few antivirus engines that flagged it did so on the obfuscated classes and AES routines, but nothing in the file distinguished that code from the game's own logic, so the game wrapper gave the whole file a plausibly benign explanation. This disguise let the file pass most scanners and gave the campaign its initial foothold on the victim's system. One caveat for triage: Adobe ended Flash Player support in January 2021 and current browsers refuse to run SWF content, so executing such a file requires a standalone Flash projector or an outdated player.

The SVG Variant’s Role

The SVG component did the real work of the attack chain. When a victim opened it in a browser, its inline JavaScript decoded a Base64-encoded phishing page, injected that HTML into the document, complete with progress bars and forms styled to look like official government correspondence, and silently dropped a ZIP archive containing further payloads. Two points matter for anyone tuning detection. First, Base64 is encoding, not encryption: the phishing page is fully recoverable from the file without any key. Second, scripts inside an SVG run only when the file is loaded as a document, for example by opening the attachment directly or embedding it with <object>, <embed> or <iframe>; an SVG referenced from an <img> tag or from CSS is rendered with scripting disabled, so the lure depends on the victim opening the file itself.

Detection and Analysis

VirusTotal analysts expanded Code Insight's support for SWF and SVG analysis and uncovered dozens of related samples within hours of the initial submissions. By searching for Spanish-language comments left by the attackers, strings such as `POLIFORMISMO_MASIVO_SEGURO` and `Funciones dummy MASIVAS`, researchers tied together a campaign spanning more than 40 unique SVG files, none of which had been flagged by standard antivirus scans. Because those markers were consistent across samples, they supported rapid signature creation and retrohunt jobs, which returned over 500 matches against the previous year's submissions.

Evasion Techniques Employed

Central to this campaign's success was the layering of obfuscation and polymorphism. Each SWF sample used variable renaming, garbage code insertion, and custom packing routines to defeat static analysis. The attackers shipped large, obfuscated SWF files in which game code and encryption routines were mixed together, so the suspicious portions were diluted enough to stay below heuristic scoring thresholds. The SVG files, in turn, embedded Base64-encoded JavaScript inside CDATA sections, which defeats naive pattern matching on the plaintext script.

Technical Details of the SVG Payload

The SVG payload concealed its primary logic within nested Base64 strings. For example:

```javascript
// POLIFORMISMO_MASIVO_SEGURO: 2025-09-01T16:39:16.808557
// Outer layer: decode the embedded Base64 blob (truncated here as on the original page)
// and write the resulting HTML straight into the document.
var payload = atob("UE…VUM+Cg==");
document.write(payload);
```

Because the phishing HTML exists in the file only as a Base64 string, plaintext signatures for the page do not fire; the content appears only once the script runs in the browser, which complicated detection efforts.
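As an added example (not code from the original page or from VirusTotal), the following Python script shows how an analyst can unwrap the nested Base64 layers described above without executing anything: it parses an SVG, pulls the text of every <script> element including CDATA, follows each atob("...") argument down through successive Base64 layers, and reports the campaign marker comments and script sinks such as document.write that appear along the way. The SVG is a constructed sample; the marker strings are the ones quoted on this page, and the sink list and the 40-character Base64 run heuristic are my assumptions.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Matches atob("...") / atob('...') with a Base64 literal argument.
ATOB_RE = re.compile(r'atob\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
# A long bare Base64 run, for layers that embed the next blob without atob().
B64_RUN_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')
# Campaign marker comments quoted on the page, plus generic sinks worth flagging (assumed list).
MARKERS = ("POLIFORMISMO_MASIVO_SEGURO", "Funciones dummy MASIVAS")
SINKS = ("document.write", "eval(", "innerHTML", "location.href", ".zip", "new Blob(")


def extract_scripts(svg_text: str) -> list:
    """Return the text of every <script> element (CDATA included) in the SVG."""
    root = ET.fromstring(svg_text)
    return [el.text or "" for el in root.iter()
            if isinstance(el.tag, str) and el.tag.rsplit("}", 1)[-1] == "script"]


def unwrap_base64(blob: str, max_depth: int = 8) -> list:
    """Decode a Base64 blob and keep decoding while each layer yields another blob.
    Returns the decoded layers, outermost first; stops on non-Base64 or non-UTF-8 data."""
    layers = []
    current = blob
    for _ in range(max_depth):
        try:
            decoded = base64.b64decode(current, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break
        layers.append(decoded)
        nested = ATOB_RE.search(decoded)
        if nested:
            current = nested.group(1)
            continue
        run = B64_RUN_RE.search(decoded)
        if not run:
            break
        current = run.group(0)
    return layers


def analyze_svg(svg_text: str) -> dict:
    """Triage an SVG: count scripts, find campaign markers, unwrap payload layers, list sinks."""
    scripts = extract_scripts(svg_text)
    layers = []
    for script in scripts:
        for blob in ATOB_RE.findall(script):
            layers.extend(unwrap_base64(blob))
    texts = scripts + layers
    return {
        "scripts": len(scripts),
        "markers": sorted({m for m in MARKERS for t in texts if m in t}),
        "layers": layers,
        "sinks": sorted({s for s in SINKS for t in texts if s in t}),
    }


# Constructed sample (not a real campaign file): phishing HTML wrapped in two Base64 layers.
PHISH_HTML = '<html><body><form action="https://login.example/verify">Verify</form></body></html>'
_inner = base64.b64encode(PHISH_HTML.encode()).decode()
_outer = base64.b64encode(f'var page = atob("{_inner}"); document.write(page);'.encode()).decode()
SAMPLE_SVG = f"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect width="100" height="100" fill="#fff"/>
  <script><![CDATA[
    // POLIFORMISMO_MASIVO_SEGURO: 2025-01-01T00:00:00
    // Funciones dummy MASIVAS
    function relleno1() {{ return 1; }}
    var payload = atob("{_outer}");
    eval(payload);
  ]]></script>
</svg>"""

if __name__ == "__main__":
    report = analyze_svg(SAMPLE_SVG)
    print(report["markers"], report["sinks"])
    print(report["layers"][-1])
```

The decoder never evaluates the JavaScript; it only follows string literals, so it is safe to run on untrusted samples. Real samples may split the blob across concatenated strings or pass it through a custom decoder first, in which case the atob() regex will not find it and a proper JavaScript parser or a sandboxed run is the next step.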

YARA Rule Development

To combat this threat, VirusTotal researchers crafted a YARA rule targeting the consistent Spanish comments found in the malicious SVG files:

```yara
rule svg_colombian_campaign {
    strings:
        $c1 = "Funciones dummy MASIVAS"
        $c2 = "POLIFORMISMO_MASIVO_SEGURO"
    condition:
        // YARA's uint16() reads little-endian, so the leading "<?" (bytes 3C 3F)
        // evaluates to 0x3F3C; uint16be() compares in natural byte order.
        uint16be(0) == 0x3C3F and any of ($c*)
}
```

This rule returned 523 matches when retrohunted against a year's worth of submissions, demonstrating its effectiveness in identifying related samples. Two caveats apply to the header check: YARA's uint16() reads little-endian, so testing for a leading "<?" needs uint16be(0) == 0x3C3F (equivalently uint16(0) == 0x3F3C), and SVG files that begin with <svg rather than an XML declaration, or that carry a UTF-8 byte-order mark, will not satisfy it even when they contain the marker strings.
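To make the byte-order point concrete and to show how the rule behaves on the edge cases just mentioned, here is an added Python example (not VirusTotal's code) that mirrors YARA's uint16() and uint16be() reads with struct, applies the rule's logic to a small constructed corpus as a stand-in for a retrohunt, and adds a relaxed variant that tolerates a BOM and a bare <svg> start. The relaxed variant and the sample file names are my own assumptions, not something the page describes.

```python
import struct

# Marker strings from the page's YARA rule (Spanish comments left in the SVG scripts).
MARKERS = (b"Funciones dummy MASIVAS", b"POLIFORMISMO_MASIVO_SEGURO")
UTF8_BOM = b"\xef\xbb\xbf"


def yara_uint16(data: bytes, offset: int = 0) -> int:
    """Mirror YARA's uint16(offset): an unsigned 16-bit little-endian read."""
    return struct.unpack_from("<H", data, offset)[0]


def yara_uint16be(data: bytes, offset: int = 0) -> int:
    """Mirror YARA's uint16be(offset): the same read in big-endian byte order."""
    return struct.unpack_from(">H", data, offset)[0]


def matches_strict(data: bytes) -> bool:
    """The rule as written: file starts with "<?" and carries at least one marker."""
    if len(data) < 2:
        return False
    return yara_uint16be(data, 0) == 0x3C3F and any(m in data for m in MARKERS)


def matches_relaxed(data: bytes) -> bool:
    """Assumed extension (not on the original page): also accept a UTF-8 BOM,
    leading whitespace, and SVGs that begin with <svg instead of an XML declaration."""
    head = data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data
    head = head.lstrip(b" \t\r\n")
    return head.startswith((b"<?", b"<svg")) and any(m in data for m in MARKERS)


def retrohunt(samples: dict, rule) -> list:
    """Apply a rule function to a corpus and return the names that match, sorted."""
    return sorted(name for name, blob in samples.items() if rule(blob))


# Constructed corpus (not real campaign files) covering the cases the header check cares about.
SAMPLES = {
    "decl_marked.svg": b'<?xml version="1.0"?><svg><script>// POLIFORMISMO_MASIVO_SEGURO\n</script></svg>',
    "nodecl_marked.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>// Funciones dummy MASIVAS\n</script></svg>',
    "bom_marked.svg": UTF8_BOM + b'<?xml version="1.0"?><svg><script>// Funciones dummy MASIVAS\n</script></svg>',
    "benign.svg": b'<?xml version="1.0"?><svg><circle r="1"/></svg>',
    "marker_but_not_svg.txt": b"notes: POLIFORMISMO_MASIVO_SEGURO seen in sample",
}

if __name__ == "__main__":
    print("<?xml as uint16 (LE):", hex(yara_uint16(b"<?xml")))    # 0x3f3c, not 0x3c3f
    print("<?xml as uint16be  :", hex(yara_uint16be(b"<?xml")))  # 0x3c3f
    print("strict :", retrohunt(SAMPLES, matches_strict))          # ['decl_marked.svg']
    print("relaxed:", retrohunt(SAMPLES, matches_relaxed))
```

The strict variant misses two of the three marked samples purely on the header check, which is the kind of gap a retrohunt over real submissions will surface as unexpectedly low hit counts. Once the rule is confirmed, the same logic ports back to YARA by replacing the magic check with a looser condition or by dropping it and relying on the marker strings plus a file-type filter.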

Implications and Recommendations

This campaign underscores the evolving tactics of cybercriminals who exploit both legacy and modern file formats to bypass detection mechanisms. The use of SWF and SVG files, formats often considered benign, highlights the need for context-aware analysis in contemporary threat defense. Organizations are advised to:

– Enhance Detection Capabilities: Implement advanced threat detection systems capable of analyzing complex file formats and identifying obfuscated code.

– Educate Users: Conduct regular training sessions to raise awareness about the risks associated with opening unsolicited email attachments, even those appearing to be harmless image or game files.

– Update Security Protocols: Regularly update antivirus signatures and employ heuristic analysis to detect polymorphic malware.

– Monitor Network Traffic: Keep an eye on network traffic for unusual patterns that may indicate the presence of malware communicating with command-and-control servers.

By adopting these measures, organizations can better defend against sophisticated malware campaigns that exploit unconventional file formats to evade detection.