An Old Vector for New Attacks: How Obfuscated SVG Files Redirect Victims

    Date: 04/07/2025

    Severity: High

    Summary

    The blog explores the growing use of Scalable Vector Graphics (SVG) files in phishing and malware campaigns. Because SVG is an XML format, a file can carry embedded JavaScript, which makes it a usable attack vector. The blog focuses on one technique, standalone SVG attachments: when the victim opens the file, its script triggers an automatic browser redirect, and because the redirect happens inside the opened file rather than through a link in the message, URL-scanning protections are bypassed. Recent campaigns have used themes such as voice notes and bank transfer details, and they obfuscate the script to evade detection and trick victims into visiting phishing sites.

    Indicators of Compromise (IOC) List

    URL/Domain

    https://abe87c29.46b20494-8a43-4c49-8a51-bc2a41cc9c27-e624a29b-c629-4f2f-99.pages.dev/voiceseses

    https://jutebagbd.com/js/bWFnYXppbmVAcG93ZXJhbmRtb3RvcnlhY2h0LmNvbQ==

    vacilandos.com

    zfilesharouts.one

    thajy.cotrustsystem.com

    test.landgerichtberlin.com

    Hash

    69c9937ae2ddb81a55385aadb3751e572026fa5d

    443e4d40c3b80741991a24527f50361d7d871932

    0360f680476d8ef97c2a7a3f69f86f5fb39e6bd1

    06b446f3ffd972de9d30103ea3f824648a81ce63

    Sender

    TOBi@tobincenter.org

    info@cazareinfelix.ro

    steve@stackgrouprealty.com

    @bgfbv.onmicrosoft.com

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    domainname like "zfilesharouts.one" or siteurl like "zfilesharouts.one" or url like "zfilesharouts.one" or domainname like "thajy.cotrustsystem.com" or siteurl like "thajy.cotrustsystem.com" or url like "thajy.cotrustsystem.com" or domainname like "https://abe87c29.46b20494-8a43-4c49-8a51-bc2a41cc9c27-e624a29b-c629-4f2f-99.pages.dev/voiceseses" or siteurl like "https://abe87c29.46b20494-8a43-4c49-8a51-bc2a41cc9c27-e624a29b-c629-4f2f-99.pages.dev/voiceseses" or url like "https://abe87c29.46b20494-8a43-4c49-8a51-bc2a41cc9c27-e624a29b-c629-4f2f-99.pages.dev/voiceseses" or domainname like "https://jutebagbd.com/js/bWFnYXppbmVAcG93ZXJhbmRtb3RvcnlhY2h0LmNvbQ==" or siteurl like "https://jutebagbd.com/js/bWFnYXppbmVAcG93ZXJhbmRtb3RvcnlhY2h0LmNvbQ==" or url like "https://jutebagbd.com/js/bWFnYXppbmVAcG93ZXJhbmRtb3RvcnlhY2h0LmNvbQ==" or domainname like "vacilandos.com" or siteurl like "vacilandos.com" or url like "vacilandos.com" or domainname like "test.landgerichtberlin.com" or siteurl like "test.landgerichtberlin.com" or url like "test.landgerichtberlin.com"

    Detection Query 2

    hash in ("69c9937ae2ddb81a55385aadb3751e572026fa5d","443e4d40c3b80741991a24527f50361d7d871932","0360f680476d8ef97c2a7a3f69f86f5fb39e6bd1","06b446f3ffd972de9d30103ea3f824648a81ce63")

    Detection Query 3

    sender like "TOBi@tobincenter.org"  OR senderdomain like "TOBi@tobincenter.org" OR sender like "info@cazareinfelix.ro"  OR senderdomain like "info@cazareinfelix.ro" OR sender like "steve@stackgrouprealty.com"  OR senderdomain like "steve@stackgrouprealty.com" OR sender like "@bgfbv.onmicrosoft.com"  OR senderdomain like "@bgfbv.onmicrosoft.com"
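    The summary above describes the mechanism (an XML-based SVG carrying JavaScript that redirects the browser, with the script obfuscated) and the IOC list gives the hashes and domains to match on. The following Python triage script is an added example, not code from the Forcepoint write-up or from Gurucul; it assumes the attachment has already been extracted to bytes, embeds a constructed sample SVG whose target is a placeholder (example.invalid), and uses the hashes and domains copied from the IOC list above as its blocklist. It flags script and foreignObject elements, event-handler attributes, javascript: links, common decoding helpers and location writes, and decodes base64 literals passed to atob() so the redirect target becomes visible to the analyst.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# SHA-1 file hashes and domains copied from the advisory's IOC list.
IOC_SHA1 = {
    "69c9937ae2ddb81a55385aadb3751e572026fa5d",
    "443e4d40c3b80741991a24527f50361d7d871932",
    "0360f680476d8ef97c2a7a3f69f86f5fb39e6bd1",
    "06b446f3ffd972de9d30103ea3f824648a81ce63",
}
IOC_DOMAINS = (
    "vacilandos.com",
    "zfilesharouts.one",
    "thajy.cotrustsystem.com",
    "test.landgerichtberlin.com",
    "jutebagbd.com",
    "pages.dev/voiceseses",
)

# Script constructs typical of an obfuscated, redirecting SVG: decoding
# helpers plus a write to the browser location.
SCRIPT_PATTERNS = {
    "atob": re.compile(r"\batob\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "unescape": re.compile(r"\bunescape\s*\("),
    "location": re.compile(r"\b(window|document)\.location\b|\blocation\.(href|replace|assign)\b"),
}
ATOB_LITERAL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

# Constructed sample (not a real campaign file): an SVG that decodes a base64
# string and redirects on load. The target is a placeholder.
SAMPLE_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" onload="go()">
  <script><![CDATA[
    function go() {
      var target = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbG9naW4=");
      window.location = target;
    }
  ]]></script>
</svg>"""

# Constructed benign control: a plain vector drawing with no script.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>"""


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def decode_atob_literals(text: str) -> list[str]:
    """Decode base64 strings passed directly to atob() so the plaintext is visible."""
    out = []
    for m in ATOB_LITERAL.finditer(text):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return out


def inspect_svg(data: bytes) -> dict:
    """Return a triage verdict for one SVG attachment given as raw bytes."""
    findings = []
    sha1 = hashlib.sha1(data).hexdigest()
    if sha1 in IOC_SHA1:
        findings.append("sha1 matches advisory IOC")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML from an attachment is itself worth a closer look.
        findings.append(f"unparseable XML: {exc}")
        return {"sha1": sha1, "findings": findings, "decoded": [], "suspicious": True}
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ("script", "foreignObject"):
            findings.append(f"{tag} element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler attribute {name}")
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: href")
    text = data.decode("utf-8", "replace")
    for label, pat in SCRIPT_PATTERNS.items():
        if pat.search(text):
            findings.append(f"script pattern {label}")
    decoded = decode_atob_literals(text)
    for blob in [text] + decoded:
        for dom in IOC_DOMAINS:
            if dom in blob and f"advisory IOC domain {dom}" not in findings:
                findings.append(f"advisory IOC domain {dom}")
    return {"sha1": sha1, "findings": findings, "decoded": decoded, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_SVG), ("benign", BENIGN_SVG)):
        r = inspect_svg(blob)
        print(label, "SUSPICIOUS" if r["suspicious"] else "clean", r["findings"], r["decoded"])
```

    The hash check only covers the four files listed above; the structural checks (script element, event handler, location write, atob decoding) are what catch re-obfuscated variants of the same lure. SVGs produced by design tools rarely contain a script element at all, so its presence in an email attachment is a reasonable quarantine trigger on its own.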

    Reference:

    https://www.forcepoint.com/blog/x-labs/obfuscated-svg-files-redirect-victims

    Tags

    Malware, Phishing, SVG, Obfuscation