{"id":6186,"date":"2025-08-16T05:03:43","date_gmt":"2025-08-16T05:03:43","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/08\/16\/trojans-embedded-in-svg-files-html\/"},"modified":"2025-08-16T05:03:43","modified_gmt":"2025-08-16T05:03:43","slug":"trojans-embedded-in-svg-files-html","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/08\/16\/trojans-embedded-in-svg-files-html\/","title":{"rendered":"Trojans Embedded in .svg Files"},"content":{"rendered":"\n<div>Trojans Embedded in .svg Files<\/div>\n<p> \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>Porn sites are <a href=\"https:\/\/arstechnica.com\/security\/2025\/08\/adult-sites-use-malicious-svg-files-to-rack-up-likes-on-facebook\/\">hiding code<\/a> in .svg files:<\/p>\n<blockquote>\n<p>Unpacking the attack took work because much of the JavaScript in the .svg images was heavily obscured using a custom version of \u201cJSFuck,\u201d a technique that uses only a handful of character types to encode JavaScript into a camouflaged wall of text.<\/p>\n<p>Once decoded, the script causes the browser to download a chain of additional obfuscated JavaScript. The final payload, a known malicious script called Trojan.JS.Likejack, induces the browser to like a specified Facebook post as long as a user has their account open.<\/p>\n<p>\u201cThis Trojan, also written in Javascript, silently clicks a \u2018Like\u2019 button for a Facebook page without the user\u2019s knowledge or consent, in this case the adult posts we found above,\u201d Malwarebytes researcher Pieter Arntz wrote. \u201cThe user will have to be logged in on Facebook for this to work, but we know many people keep Facebook open for easy access.\u201d<\/p>\n<\/blockquote>\n<p>This isn\u2019t a new trick. We\u2019ve seen Trojaned .svg files before.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Bruce Schneier<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/www.schneier.com\/blog\/archives\/2025\/08\/trojans-embedded-in-svg-files.html\">Go to bruce schneier<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trojans Embedded in .svg Files Porn sites are hiding code in .svg files: Unpacking the attack took work because much of the JavaScript in the .svg images was heavily obscured using a custom version of \u201cJSFuck,\u201d a technique that uses only a handful of character types to encode JavaScript into a camouflaged wall of text. [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57,258,1716,1],"tags":[87],"class_list":["post-6186","post","type-post","status-publish","format-standard","hentry","category-bruce-schneier","category-malware","category-pornography","category-uncategorized","tag-bruce-schneier"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6186"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=6186"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6186\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=6186"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=6186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=6186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}