Fake SVG malware spreads in Colombia: impersonates the Attorney General's Office and ends up installing AsyncRAT

Last update: 11/09/2025

  • Emails impersonating the Attorney General's Office in Colombia distribute SVG attachments as decoys.
  • "Custom" files per victim, automation, and evidence of AI use complicate detection.
  • The infection chain ends by deploying AsyncRAT via DLL sideloading.
  • 44 unique SVGs and over 500 artifacts have been seen since August, with low initial detection.


In Latin America there has been a wave of malicious campaigns with Colombia as the epicenter, where emails appearing to come from official organizations distribute unusual files to infect computers.

The hook is the same as always (social engineering built on fake subpoenas or lawsuits), but the delivery method has taken a leap forward: SVG attachments with embedded logic, automated templates, and signals that point to AI-assisted processes.

An operation targeting users in Colombia


Messages impersonate entities such as the Attorney General's Office and include a .svg file whose size, often exceeding 10 MB, should already arouse suspicion. When the file is opened, instead of a legitimate document the victim sees an interface that simulates an official procedure, complete with progress bars and supposed verifications.

After a few seconds, the browser itself saves a password-protected ZIP, with the password displayed in clear within the same file, reinforcing the staging of a "formal" procedure. One of the samples analyzed (SHA-1: 0AA1D24F40EEC02B26A12FBE2250CAB1C9F7B958) is detected by ESET security solutions as JS/TrojanDropper.Agent.PSJ.


The mailing is not a mass send of a single attachment: each recipient receives a different SVG, padded with random data that makes it unique. This "polymorphism" hinders both automated filtering and the work of analysts.

Telemetry shows midweek activity peaks during August, with a higher incidence among users located in Colombia, suggesting a sustained campaign targeting that country.

The role of the SVG file and the smuggling trick


An SVG is an XML-based vector image format. Its flexibility (text, styles, and scripts within the same file) allows attackers to embed hidden code and data without needing visible external resources, a technique known as "SVG smuggling" and documented in MITRE ATT&CK.

In this campaign, the deception is executed within the SVG itself: a fake information page is rendered with controls and messages that, upon completion, cause the browser to save a ZIP package with an executable that initiates the next step of the infection.

Once the victim runs the downloaded content, the chain advances through DLL sideloading: a legitimate binary loads a crafted library placed alongside it, which goes undetected and allows the attacker to continue the intrusion.


The ultimate goal is to install AsyncRAT, a remote access Trojan capable of keylogging, file exfiltration, screen capture, camera and microphone control, and theft of credentials stored in browsers.

Automation and AI footprints in templates

The markup of the analyzed SVGs reveals generic phrases, empty layout fields, and overly descriptive CSS classes, along with striking substitutions, such as official symbols replaced by emojis, that no real portal would use.

There are also passwords in clear text and supposed "verification hashes" that are nothing more than MD5 strings with no practical validity. Everything points to prefabricated kits or automatically generated templates used to produce attachments in series with minimal human effort.

Evasion and campaign numbers

Sample-sharing platforms have counted at least 44 unique SVGs used in the operation and more than 500 related artifacts since mid-August. The first variants were heavy, around 25 MB, and were "tuned" over time.

To avoid controls, the samples use obfuscation, polymorphism, and large amounts of bloat code that confuse static analysis, which resulted in low initial detection by several engines.


The use of Spanish-language markers within the XML and repeated patterns allowed researchers to create hunting rules and signatures that, applied retrospectively, linked hundreds of mailings to the same campaign.
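The following triage script is an added example for this article, not ESET's hunting rules or anything recovered from the samples. It turns the traits the article describes (script and HTML content inside an SVG, oversized files, long opaque blobs, MD5-like "verification hashes", Spanish-language markers) into simple heuristics; the thresholds and the marker list are assumptions, and the two embedded SVGs are constructed, inert test inputs.

```python
import re

# Assumed thresholds and markers for this example; tune them against your own corpus.
SIZE_THRESHOLD = 10 * 1024 * 1024                      # article: lures often exceed 10 MB
SPANISH_MARKERS = ("verificaci", "fiscal", "citaci", "contrase")  # constructed list
B64_RUN = re.compile(rb"[A-Za-z0-9+/=]{2000,}")         # long opaque blobs: bloat or payload
MD5_LIKE = re.compile(rb"\b[0-9a-f]{32}\b")             # decorative "verification hashes"
TAGS = {
    "script": re.compile(rb"<\s*script\b", re.I),        # scripting inside an image file
    "foreignObject": re.compile(rb"<\s*foreignObject\b", re.I),  # host for embedded HTML
    "html_div": re.compile(rb"<\s*div\b", re.I),         # HTML layout rendered in the SVG
}

def triage_svg(data: bytes) -> dict:
    """Score one SVG document (raw bytes) against the lure traits; regex is used
    instead of an XML parser so malformed or bloated files still get triaged."""
    lower = data.lower()                                 # ASCII-only lowercasing is enough
    findings = {
        "oversized": len(data) > SIZE_THRESHOLD,
        "has_script": bool(TAGS["script"].search(data)),
        "has_foreign_object": bool(TAGS["foreignObject"].search(data)),
        "has_html": bool(TAGS["html_div"].search(data)),
        "base64_blobs": len(B64_RUN.findall(data)),
        "md5_like_strings": len(MD5_LIKE.findall(data)),
        "spanish_markers": [m for m in SPANISH_MARKERS if m.encode() in lower],
    }
    score = (2 * findings["has_script"] + 2 * findings["has_foreign_object"]
             + findings["has_html"] + findings["oversized"]
             + min(findings["base64_blobs"], 2)
             + (findings["md5_like_strings"] > 0)
             + (len(findings["spanish_markers"]) > 0))
    findings["score"] = score
    findings["verdict"] = "suspicious" if score >= 3 else "benign-looking"
    return findings

def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage_svg(fh.read())

# Constructed samples: a plain icon and a lure-shaped SVG with an inert script element.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10" fill="red"/></svg>')
LURE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
            b'<foreignObject width="100%" height="100%">'
            b'<div xmlns="http://www.w3.org/1999/xhtml" class="barra-progreso-verificacion">'
            b'Verificaci\xc3\xb3n de documento. Hash: d41d8cd98f00b204e9800998ecf8427e</div>'
            b'</foreignObject><script>/* inert placeholder, no payload */</script></svg>')

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(name, triage_svg(sample))
```

Run it against a quarantined attachment with `triage_file(path)`; a score of 3 or more flags the file for manual review rather than declaring it malicious.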

A second vector: combined SWF files


In parallel, SWF files disguised as 3D minigames were observed, with ActionScript modules and AES routines that mixed functional logic with opaque components; a tactic that raises heuristic thresholds and delays their classification as malicious.

The SWF+SVG pair acted as a bridge between legacy and modern formats: while the SWF confused the engines, the SVG injected an encoded HTML phishing page and dropped an additional ZIP with no user interaction beyond the initial click.

The combination of per-victim samples, bulky files, and smuggling techniques explains why filters based on reputation or simple patterns did not stop the spread in the first waves.

Taken together, these findings describe an operation that takes full advantage of the SVG format to impersonate Colombian organizations, automates the creation of attachments, and culminates in AsyncRAT via DLL sideloading. When faced with any "subpoena" email that includes an .svg file or passwords in clear text, it is wise to be suspicious and validate through official channels before opening anything.