Threat actors are quietly turning Scalable Vector Graphics (SVG) files into precision-guided malware. In a surge of phishing campaigns, seemingly innocuous Once the recipient merely previews the file, hidden JavaScript executes inside the browser, triggering an invisible redirect chain that funnels victims to attacker infrastructure.<\/p>\n The lure emails are minimalist\u2014often a single icon or \u201cMissed Call\u201d<\/strong> teaser\u2014and exploit organisations that have weak SPF, DKIM or DMARC enforcement.<\/p>\n As the attachments bypass signature checks, the first line of defence fails; Ontinue analysts identified<\/a> the wave after correlating near-identical SVGs sent to B2B service providers and SaaS vendors, all containing distinct Base64 tracking strings that map each click to a workstation.<\/p>\n Since no executable is dropped, endpoint agents see only normal browser activity while credentials are siphoned off on well-crafted Microsoft 365 look-alike portals.<\/p>\n Beyond credential theft<\/a>, the technique exemplifies a broader strategic pivot: adversaries increasingly weaponise file formats that browsers render natively, removing the social-engineering friction of persuading users to run macros or installers.<\/p>\n Security controls that focus on executables, archives or scripts alone find themselves blind to these pixel-perfect stings.<\/p>\n Each malicious SVG embeds an obfuscated<\/a> payload between \u201c tags. A ten-byte XOR key masks the script, frustrating static scanners, while a two-stage routine reconstructs the redirect at runtime.<\/p>\n First, a short function iterates through the encrypted blob, returning plaintext; then it leverages the The revived script concatenates an As nothing is written to disk, persistence is irrelevant, and geofencing logic ensures sandboxes outside the target region receive benign pages.<\/p>\n Detecting the threat therefore hinges on deep content inspection that flags script tags inside image files or on correlating unusual Until such controls mature, organisations should quarantine unsolicited SVGs, enable content disarm and reconstruction, and move DMARC policies from monitoring<\/a> to reject.<\/p>\n Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams ->\u00a0Try ANY.RUN Now<\/a><\/strong><\/p>\n The post Threat Actors Weaponizing SVG Files to Embed Malicious JavaScript<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n.svg<\/code> attachments slip past secure email gateways because mail filters regard them as static images.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj06cpR-9t09vh8vEQ_R1v0y0OyWP0Iivz5H9ZrRM1xa05tWeiW4kxaWxSIwwdIrL7hwiv0bXMgeZBVP_3SkDdyv0ORFX_ZVgCio_XvtXG3Bx0wqxBlpwEDwX0CwN4uyavaEeVV23fRy0v7nPZIkch_HqQWXqaUJwFButSjBEH9BuLSKHInU4lxSFp2RPg\/s16000\/The%2520Recipient%25E2%2580%2599s%2520perspective%2520%28Source%2520-%2520Ontinue%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiYAmPFhKAY1SIwaMxvaZpCpwkjM7Lex_XV_94ZuaNQ9lLBbTTAC8s8dlZOE95nNxrfqEyc5NoK96wf76HpCM3R-jpfAgUe6UZk2zapyM4j-dk4ng3X38CJr8PYGq5uFnHFOw9II8wV_meqILe4gB-6NH7eUeFOGJmIK3FGvdtxR5Amz0rxtEs4ckuQw-8\/s16000\/Typical%2520M365%2520Credential%2520Phishing%2520%28Source%2520-%2520Ontinue%29.webp?ssl=1\")
Infection Mechanism: Self-Decoding JavaScript Smuggling<\/strong><\/h2>\n
Function<\/code> constructor to execute that code entirely in memory.<\/p>\natob()<\/code>-decoded domain with a victim-specific token before forcing navigation:-<\/p>\nwindow.location.href = atob(\n 'aHR0cHM6Ly93dnJ6LmxmdGt2b2cubmV0L...' \/\/ domain rotates daily\n) + token;<\/code><\/pre>\n.svg<\/code> command-line invocations with email telemetry.<\/p>\n