A previously unseen malware campaign began circulating in early August 2025, through email attachments and web downloads, targeting users in Colombia and beyond.<\/p>\n
By leveraging two distinct vector-based file formats\u2014Adobe Flash SWF and Scalable Vector Graphics (SVG)\u2014the attackers crafted a multiphase operation that evaded traditional antivirus detection.<\/p>\n
Initial reports surfaced when a benign-looking SWF file named Within days, a companion SVG file emerged, embedding sophisticated JavaScript payloads designed to impersonate the Colombian Fiscal\u00eda General de la Naci\u00f3n portal.<\/p>\n The seamless pivot between legacy and modern formats caught many security teams off guard.<\/p>\n The SWF component masqueraded as a legitimate 3D puzzle game, complete with ActionScript modules for rendering, pathfinding, and cryptographic routines.<\/p>\n While antivirus engines<\/a> flagged obfuscated classes and AES routines, they failed to recognize that this code served legitimate game mechanics rather than malicious behavior.<\/p>\n Meanwhile, the SVG variant contained inline JavaScript that decoded a Base64 phishing page and silently dropped a ZIP archive containing additional payloads.<\/p>\n The combination of these two vectors created a multiheaded threat that slipped past detection barriers with alarming ease.<\/p>\n VirusTotal analysts noted<\/a> that upon expanding support for SWF and SVG analysis in Code Insight, they were able to uncover dozens of related samples within hours of the initial submissions. <\/p>\n By searching for Spanish-language comments left by the attackers\u2014strings such as The early presence of these markers allowed rapid signature creation and retrohunt jobs, yielding over 500 matches when applied to submissions from the previous year.<\/p>\n The heart of the operation lay in its evasion tactics. By distributing large, obfuscated<\/a> SWF files that blended game code with encryption routines, the attackers exploited heuristic thresholds.<\/p>\n At the same time, the SVG files embedded encrypted JavaScript<\/a> in CDATA sections, evading simple pattern matching.<\/p>\n When rendered in a browser, the script would decode and inject an HTML phishing interface, complete with progress bars and authentic-looking forms that mimicked official government communications .<\/p>\n Central to this campaign\u2019s success was the layering of obfuscation and polymorphism. Each SWF sample employed variable renaming, garbage code insertion, and custom packing routines to defeat static analysis.<\/p>\n The following excerpt illustrates how the SVG payload concealed its primary logic within nested Base64 strings:-<\/p>\n Meanwhile, the YARA rule crafted by VirusTotal researchers targeted the consistent Spanish comments:-<\/p>\n This rule achieved over 523 detections when retrohunted against a year\u2019s worth of submissions.<\/p>\n By combining heuristic bypasses, encrypted payloads, and intentional misdirection, the attackers demonstrated a refined understanding of both legacy and modern file formats\u2014underscoring the urgent need for context-aware analysis in contemporary threat defense<\/a>.<\/p>\n The post Colombian Malware Weaponizing SWF and SVG to Bypass Detection<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nSequester.swf<\/code> triggered alerts in only a handful of antivirus engines, prompting deeper investigation.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEin57WWY1itC7YjMGFZ3CVIN_JBVXMRCti9n9K_Jx38Oy-4gTDi6_eoGCOzc6rDmj5oyM8JLOw1OLskzb7tkZJpxX0187NgoexizlVUY-RxsuIunjj4IPNtRA3X5dm-IRSl8FuxINCuW2_OqkqzRgWaEuPkbut6MQNXO10ooAi8l0ZXMQ1w-JSQvr3Wwxg\/s16000\/Malicious%2520file%2520%28Source%2520-%2520VirusTotal%29.webp?ssl=1\")
\"POLIFORMISMO_MASIVO_SEGURO\"<\/code> and \"Funciones dummy MASIVAS\"<\/code>\u2014researchers identified a cohesive campaign spanning more than 40 unique SVG files, none of which had raised flags in standard antivirus scans.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi20os_qFAMp2ZOKWRWH3kdVAic6iE9PUTTXBJ1GsFBuW4Wmv5YxC8yd86YUzzY5Qo-cKAsjTKqm6EVLfj3LF_PS26s5Pr7BsI-LSN3d48N3mYuwfoxs6F-7esBE5wxT0mxoQb9suOW37pCQsesYURUpSYMWsgpA-yPSMngVkmpMMqm7oih26SoJFrUgHc\/s16000\/This%2520SVG%2520file%2520executes%2520an%2520embedded%2520JavaScript%2520payload%2520upon%2520rendering%2520%28Source%2520-%2520VirusTotal%29.webp?ssl=1\")
Detection Evasion Techniques<\/strong><\/h2>\n
\/\/ POLIFORMISMO_MASIVO_SEGURO: 2025-09-01T16:39:16.808557\nvar payload = atob(\"UE...VUM+Cg==\");\ndocument. Write(payload);<\/code><\/pre>\nrule svg_colombian_campaign {\n strings:\n $c1 = \"Funciones dummy MASIVAS\"\n $c2 = \"POLIFORMISMO_MASIVO_SEGURO\"\n condition:\n uint16(0) == 0x3C3F and any of ($c*)\n}<\/code><\/pre>\nBoost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n