Cybercriminals Exploit SVG Files to Evade Detection and Deliver Malware

In recent years, cybercriminals have increasingly exploited Scalable Vector Graphics (SVG) files to bypass traditional security measures and deliver malicious payloads. SVG files, commonly used for web graphics, are XML-based and can embed scripts, hyperlinks, and interactive elements, making them an attractive vector for cyberattacks.

The Evolution of SVG-Based Attacks

The misuse of SVG files in cyberattacks dates back to 2015, when they were first employed to deliver ransomware by embedding malicious content. In 2017, SVG files were used to distribute the Ursnif malware. A significant incident occurred in 2022, where SVG files containing embedded .zip archives delivered QakBot malware via HTML smuggling, a departure from earlier attacks that fetched their content from external servers. More recently, SVG files have been used to exploit Roundcube servers and to deliver malware such as the Agent Tesla keylogger and XWorm RAT. These instances underscore the versatility of SVG files across a range of malicious campaigns.

Mechanisms of SVG-Based Attacks

Cybercriminals employ several techniques to exploit SVG files:

1. HTML Smuggling: This method embeds the malicious payload, usually encoded, inside an HTML or SVG file together with a script that decodes it. When the file is opened, the script runs locally in the browser, reassembles the payload and writes it to disk or executes it on the victim's machine. Because the payload never crosses the network as a recognizable file, this technique can bypass security devices designed to filter malicious content in transit.

2. Embedded Scripts and Hyperlinks: SVG files can contain embedded JavaScript and hyperlinks. When a user opens a malicious SVG file, these scripts can redirect them to phishing sites or download additional malware.

3. Obfuscation Techniques: Attackers often obfuscate malicious code within SVG files using Base64 encoding or other methods to evade detection by security software.
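As an added illustration (not code from the original article), the following Python script checks an SVG for the three indicators above before the file reaches a mailbox or browser: script elements and event-handler attributes, external or javascript: hyperlinks, and long base64-like runs that suggest a smuggled payload. The two SVG samples are constructed for the example and are not taken from any real campaign.

```python
import re
import xml.etree.ElementTree as ET

# Heuristics, one per mechanism above: embedded scripts, hyperlinks, obfuscation.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)                  # onload=, onclick=, ...
DANGEROUS_URI = re.compile(r"^\s*(javascript:|data:|https?:)", re.I)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")         # long encoded runs
RISKY_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}


def _local(name):
    """Strip the XML namespace prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text):
    """Return (indicator, detail) pairs for an SVG; an empty list means nothing flagged."""
    try:
        # For untrusted input in production, parse with defusedxml to avoid entity-expansion attacks.
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if tag in RISKY_TAGS:
            findings.append(("risky-element", tag))
        for name, value in elem.attrib.items():
            attr = _local(name)
            if EVENT_ATTR.match(attr):
                findings.append(("event-handler", f"{tag}@{attr}"))
            elif attr == "href" and DANGEROUS_URI.match(value):
                # Inline raster images (<image href="data:image/...">) are normal; skip them.
                if tag == "image" and value.lower().startswith("data:image/"):
                    continue
                findings.append(("external-or-script-href", value[:60]))
    if BASE64_BLOB.search(svg_text):
        findings.append(("base64-blob", "long base64-like run; possible smuggled payload"))
    return findings


# Constructed samples (not from any real campaign).
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SUSPICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
    'onload="init()"><script>var blob="' + "A" * 240 + '";</script>'
    '<a xlink:href="https://example.invalid/login"><text>Open document</text></a></svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, scan_svg(doc))
```

The base64 check is deliberately coarse: legitimate SVGs that inline raster images will also trigger it, so treat it as a signal to route the file for deeper inspection rather than a verdict on its own.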

Recent Campaigns and Observations

In early 2025, cybersecurity researchers observed a significant increase in SVG-based attacks. These attacks often involve phishing emails with SVG attachments that, when opened, execute embedded scripts to redirect users to credential-harvesting websites or deliver malware. The flexibility of SVG files allows them to evade security filters, as many solutions do not deeply inspect SVG files for embedded scripts.

For instance, a campaign was identified in which SVG files were used to deliver the GuLoader malware. The attack began with a spam email carrying an SVG attachment. When opened, the SVG file executed a script that downloaded a ZIP file containing a Windows Script File (WSF). The WSF in turn executed a PowerShell command that connected to a malicious domain and ran the content hosted there, including shellcode injected into the MSBuild application. This multi-stage chain highlights how SVG files serve as the entry point for more sophisticated malware delivery.

Mitigation Strategies

To protect against SVG-based attacks, consider the following strategies:

1. Configure File Associations: Set SVG files to open in text editors rather than browsers to prevent automatic execution of embedded scripts.

2. Exercise Caution with Attachments: Avoid opening attachments from unknown senders or emails with unusual subject lines.

3. Verify URLs: Always check the browser’s address bar to ensure the URL is legitimate, especially when prompted to enter credentials.

4. Update Security Software: Regularly update antivirus software and operating systems to detect and mitigate emerging threats.

The increasing use of SVG files in cyberattacks underscores the need for heightened vigilance and proactive security measures. By understanding the mechanisms of these attacks and implementing appropriate defenses, individuals and organizations can better protect themselves against this evolving threat.