Tag: SVG

  • Tykit Phishing: SVG Malware Used to Steal Microsoft 365 Credentials

    A multi-stage phishing campaign known as Tykit is actively being used to steal the login credentials of corporate Microsoft 365 users. Researchers at ANY.RUN have observed a surge in its activity since May 2025, peaking in the autumn months. In several instances, the campaign led to hundreds of compromised accounts, predominantly within the financial sector.

    The defining feature of the attack lies in the use of SVG files containing JavaScript code, which employs XOR obfuscation to conceal the malicious payload and redirect victims to fraudulent Microsoft login pages. These elements were consistently identified across all analyzed samples, with the associated servers sharing similar domain patterns and uniform client-side logic structures.

    The counterfeit login pages perfectly mimic the Microsoft 365 interface and are hosted on auto-generated domains; the page URL carries a parameter such as “/?s=”, whose value is the victim’s email address encoded in Base64. Communication with the attackers’ command-and-control servers occurs in several stages: the system first verifies the entered email address, then displays a password prompt, and finally exfiltrates the stolen credentials. The malicious scripts include anti-debugging mechanisms, such as disabling DevTools and context menus, as well as a Cloudflare Turnstile CAPTCHA to deter automated analysis.

    Data capture is executed through JSON requests sent to endpoints such as “/api/validate” and “/api/login.” The first validates the entered email address, while the second transmits the captured username and password. The server then controls page behavior—displaying an error message, simulating a second login attempt, or redirecting the user to the legitimate Microsoft site to conceal traces of the intrusion. Additional logic enables debug data transmission via “/x.php” under certain conditions.

    The campaign’s primary targets include organizations across the United States, Canada, Europe, Latin America, Southeast Asia, and the Middle East, spanning industries such as construction, consulting, IT, telecommunications, education, public administration, and retail. The employed attack chain can bypass multi-factor authentication by intercepting tokens, allowing adversaries to maintain persistence and move laterally within compromised networks.

    Infrastructure components linked to Tykit strongly suggest a Phishing-as-a-Service (PhaaS) model—featuring segregated delivery and data collection servers, as well as license-like authentication keys used by affiliated operators.

    ANY.RUN’s analysis identified several indicators of compromise, including distinct SVG signatures, JavaScript functions such as eval() and parseInt(), and repeated variable and logic patterns. The team developed detection rules capable of identifying Tykit activity both in file artifacts and network traffic, with special attention to domains beginning with “segy,” following patterns like “loginmicr(o|0)s…cc,” and requests containing the “/?s=” parameter.

    To mitigate such threats, experts recommend inspecting the contents of SVG files, sandboxing suspicious attachments, adopting phishing-resistant authentication methods, and monitoring anomalous network requests. Raising employee awareness and deploying automated analysis tools are also crucial for reducing incident response time and minimizing the window of exposure.
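A defender-side check for the network indicators listed above (the “segy” host prefix, the Base64-encoded e-mail in the “/?s=” parameter, and the “/api/validate”, “/api/login” and “/x.php” endpoints), added here as an illustration rather than ANY.RUN’s published rules; the log lines and the .test hostnames are constructed, and the log format is an assumption.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log (not real traffic): "<timestamp> <method> <url>" per line.
# Hosts use the reserved .test TLD; only the "segy" prefix comes from the write-up.
SAMPLE_LOG = """\
2025-10-02T09:14:07Z GET https://segy-example.test/?s=dXNlckBleGFtcGxlLmNvbQ==
2025-10-02T09:14:09Z POST https://segy-example.test/api/validate
2025-10-02T09:15:30Z GET https://docs.example.org/?s=search+terms
2025-10-02T09:16:01Z GET https://cdn.example.net/assets/logo.svg
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Endpoints the write-up associates with the kit's credential flow.
TYKIT_PATHS = {"/api/validate", "/api/login", "/x.php"}


def decode_b64_email(value: str):
    """Return the decoded address if `value` is Base64 of an e-mail, else None."""
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped '=' padding
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None
    return text if EMAIL_RE.match(text) else None


def score_url(url: str):
    """Return the list of indicator names the URL matches (empty = nothing)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = []
    if host.startswith("segy"):
        hits.append("domain-prefix-segy")
    if any(decode_b64_email(v) for v in parse_qs(parts.query).get("s", [])):
        hits.append("s-param-base64-email")
    if parts.path in TYKIT_PATHS:
        hits.append("tykit-endpoint:" + parts.path)
    return hits


def scan_log(text: str):
    """Return (url, hits) for every logged URL that matches at least one indicator."""
    flagged = []
    for url in re.findall(r"https?://\S+", text):
        hits = score_url(url)
        if hits:
            flagged.append((url, hits))
    return flagged
```

A single hit such as a Base64 e-mail in “s” is only a lead; the host prefix and kit endpoints together are what make a line worth escalating.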

  • Microsoft Discontinues Embedded SVG Support in Outlook for Enhanced Security

    In September 2025, Microsoft began gradually discontinuing support for embedded SVG images in Outlook for the web and the new Outlook client for Windows. The company explained this decision as part of its enhanced security measures and an effort to align Outlook’s functionality with other email services that have long restricted the direct rendering of such files within email bodies.

    Henceforth, SVG images embedded in email bodies will appear as blank spaces. According to Microsoft, SVGs account for less than 0.1% of all images in Outlook, meaning the change will have a negligible impact on most users. Attached SVG files, however, will remain available for download and viewing as standard attachments.

    The global rollout began in early September and concluded by mid-month. For government cloud environments — GCC, GCC-High, DoD, and Gallatin — the timeline was slightly adjusted: deployment began in late September and is scheduled to finish by mid-October. Initially, Microsoft intended to complete the process by the end of September but later revised its schedule.

    The company emphasized that neither users nor administrators need to take any action — the transition is entirely automated and requires no manual configuration. Organizations are merely advised to update internal documentation and inform employees who might rely on embedded SVG files in their communications.

    This restriction stems from potential security risks associated with processing SVG graphics, which can, in some cases, contain scriptable elements and be exploited for attacks such as cross-site scripting (XSS). By implementing this change, Microsoft aims to minimize vulnerabilities and strengthen the protection of corporate email systems without disrupting conventional file-sharing workflows.

    While no additional compliance requirements or regulatory obligations have been identified, Microsoft recommends that organizations review their internal processes to ensure that the update does not inadvertently affect their operations.

  • New Phishing Campaign Impersonates Ukrainian Police to Deliver Amatera Stealer and PureMiner

    Researchers at Fortinet FortiGuard Labs have uncovered a new cyber-attack campaign masquerading as communications from the National Police of Ukraine and employing an unusual malware delivery chain. The attackers dispatch emails with SVG attachments that trigger a multi-stage download sequence: first CountLoader, then the Amatera stealer, and finally a stealthy cryptocurrency miner named PureMiner.

    The intrusion sequence is layered and deliberate. Recipients receive a message ostensibly from Ukrainian law enforcement; the attachment is an SVG file embedding HTML that redirects the victim to a password-protected ZIP archive. Inside that archive sits a Windows CHM help file which, once opened, activates CountLoader. Previously observed by Silent Push, CountLoader has been used to deploy Cobalt Strike, AdaptixC2 and PureHVNC RATs; in this campaign it serves to deliver Amatera Stealer and PureMiner.

    Amatera Stealer is a derivative of ACRStealer: it harvests system fingerprints, exfiltrates files with targeted extensions, extracts credentials and data from Chromium- and Gecko-based browsers, and steals account information from Steam, Telegram, FileZilla and various cryptocurrency wallets.

    PureMiner, implemented in .NET, operates as a fileless process to mine cryptocurrency covertly. The malware employs obfuscation techniques such as ahead-of-time compilation with process-name spoofing or in-memory loading using PythonMemoryModule to evade detection.

    Of particular note is the provenance of the tooling: PureMiner and PureHVNC belong to a family attributed to an actor using the handle “PureCoder.” That suite also includes PureCrypter (which conceals .NET and native binaries), PureRAT (aka ResolverRAT, a successor to PureHVNC), PureLogs for data theft and logging, BlueLoader for converting infected hosts into a botnet, and PureClipper, which substitutes clipboard cryptocurrency addresses to hijack transfers.

    Fortinet stresses that abusing SVG files as a façade for HTML makes these campaigns especially insidious: recipients are unlikely to suspect a graphic file and so open the attachment without caution. In this instance, that very technique permitted the silent deployment of CountLoader and the subsequent installation of PureCoder’s stealth toolset.

  • AI-Powered Phishing: Microsoft Uncovers First-of-its-Kind Attack Using Generative Code Obfuscation

    Experts at Microsoft Threat Intelligence have documented an attack in which adversaries, for the first time, employed artificial intelligence to disguise phishing code, with the aim of stealing corporate credentials from U.S.-based companies.

    The malicious file, delivered in SVG format, concealed its true functionality beneath a veneer of pseudo-business terminology and the imitation of an analytics dashboard—an approach designed to bypass basic security checks. Analysis revealed that the code’s structure was atypical of manual programming and was most likely generated by a large language model.

    The phishing emails were distributed from a compromised corporate account, with the recipient field matching the sender, while the real addresses were hidden in BCC. The attachment mimicked a PDF but was, in reality, an SVG file containing embedded JavaScript. Once opened, it redirected victims to a CAPTCHA page, which, according to Microsoft, was intended to lead to a fraudulent login form designed to harvest passwords.

    The defining feature of the attack lay in its unusual obfuscation techniques. Within the SVG code were hidden elements labeled with names such as “Business Performance Dashboard”, rendered invisible through zero opacity. Furthermore, the malicious logic was disguised using a lexicon of business terms—“revenue,” “operations,” “dashboard,” “kpi,” and others—transformed into symbols and commands through a multi-layered algorithm. The script redirected browsers to a malicious resource, captured environmental fingerprints, and tracked sessions.

    Microsoft’s analysis concluded with high confidence that the code had been generated by AI. Indicators included excessively descriptive function names with hexadecimal suffixes, redundant modularity, repetitive logic blocks, bloated comments styled after business documentation, and the formalized use of XML constructs—all hallmarks of generative models.

    Despite the sophistication of the camouflage, the campaign was thwarted by Microsoft Defender’s cloud-based protections. Detection heuristics were triggered by multiple factors: suspicious use of BCC, self-addressed distribution, SVG attachments masquerading as PDFs, redirection to a known phishing domain (kmnl[.]cpfcenters[.]de), the presence of concealed logic, and evidence of session tracking.

    Microsoft emphasized that the adoption of AI does not negate the possibility of detection. On the contrary, synthetic code often leaves behind distinctive artifacts that defenders can exploit. The company recommends administrators enable Safe Links for URL scanning, activate Zero-hour Auto Purge to isolate already delivered emails, deploy browsers with SmartScreen protection, and enforce phishing-resistant multi-factor authentication via Microsoft Entra.

    This incident underscores that threat actors are already experimenting with neural networks to enhance stealth, yet it also demonstrates that AI-driven defense systems are equally capable of countering such campaigns effectively.

  • Anatomy of a Phishing Attack: How Hackers Are Weaponizing SVG Files

    Cybercriminals have launched a new wave of attacks that employ SVG files as carriers for phishing pages. According to researchers at VirusTotal, the attackers disguise themselves as representatives of the Colombian Prosecutor’s Office, distributing email attachments containing hidden JavaScript. Automated analysis revealed behaviors that antivirus engines failed to detect.

    Meanwhile, SWF files—a format considered obsolete since the deprecation of Flash in 2020—continue to surface in traffic. Over the course of 30 days, VirusTotal received 47,812 previously unseen unique SWF samples, 466 of which triggered detections by at least one antivirus engine. In one case, only 3 out of 63 scanners flagged suspicious traits and an old vulnerability, yet deeper inspection revealed a complex structure involving 3D rendering, audio, and an embedded level editor. Obfuscated classes, use of RC4/AES encryption, and system data collection appeared suspicious but ultimately aligned with anti-cheat and anti-modification logic. No malicious behavior was confirmed.

    SVG, however, represents the opposite end of the spectrum: an open standard for the web and design, and precisely for that reason, a prime choice for attackers. In the past 30 days alone, VirusTotal processed 140,803 unique SVG files, of which 1,442 raised at least one detection. One notable sample slipped past every engine undetected but, upon rendering, executed an embedded script that decoded and injected a phishing HTML page mimicking the Colombian judicial portal. To appear legitimate, the page simulated document loading with a progress bar while, in the background, a ZIP archive was fetched and forcefully offered for download. Sandbox analysis confirmed the deception: visual elements, case numbers, and “security tokens” were all present—yet it was nothing more than an SVG image.

    VirusTotal data indicates this is far from an isolated case. A query for type:svg mentioning Colombia uncovered 44 unique SVG files, none flagged by antivirus products, yet all employing the same tactics: obfuscation, polymorphism, and voluminous “junk” code to increase entropy. Embedded in the scripts were Spanish-language comments such as “POLIFORMISMO_MASIVO_SEGURO” and “Funciones dummy MASIVAS”—a clear weakness that could be leveraged for straightforward YARA signatures.
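A static SVG inspection routine in the spirit of the “inspect the contents of SVG files” advice in the Tykit entry, the hidden zero-opacity labels described in the Microsoft entry, and the marker-string observation above; it is added here as an illustration and is not VirusTotal’s or any vendor’s detection code. The two SVG documents are constructed samples, with the script body replaced by a comment.

```python
import re
import xml.etree.ElementTree as ET

# Marker strings the VirusTotal write-up quotes from the Colombian samples.
KNOWN_MARKERS = ("POLIFORMISMO_MASIVO_SEGURO", "Funciones dummy MASIVAS")
# Inline-style values that make an element invisible while keeping it in the DOM.
HIDDEN_RE = re.compile(r"opacity\s*:\s*0(?:\.0+)?(?![\d.])|display\s*:\s*none|visibility\s*:\s*hidden")


def _local(name: str) -> str:
    """Drop the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def inspect_svg(data: str):
    """Return sorted findings for one SVG document (empty list = nothing flagged)."""
    findings = {"known-marker:" + m for m in KNOWN_MARKERS if m in data}
    for el in ET.fromstring(data).iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.add("script-element")
        elif tag == "foreignObject":  # lets an SVG carry arbitrary HTML
            findings.add("foreignObject-html")
        attrs = {_local(k).lower(): v for k, v in el.attrib.items()}
        for key, value in attrs.items():
            if key.startswith("on"):  # onload, onclick, onbegin, ...
                findings.add("event-handler:" + key)
            if key == "href" and value.strip().lower().startswith("javascript:"):
                findings.add("javascript-href")
        hidden = attrs.get("opacity", "").strip() == "0" or HIDDEN_RE.search(attrs.get("style", ""))
        if hidden and (el.text or "").strip():  # invisible text such as decoy labels
            findings.add("hidden-text:" + tag)
    return sorted(findings)


BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<circle cx="5" cy="5" r="4" fill="blue"/></svg>"""

# Constructed sample with the traits the write-ups describe (hidden decoy label,
# javascript: link, script element, marker comment); the script body is only a comment.
SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
<text opacity="0">Business Performance Dashboard</text>
<a xlink:href="javascript:void(0)"><rect width="1" height="1"/></a>
<script><![CDATA[ /* POLIFORMISMO_MASIVO_SEGURO: body omitted */ ]]></script>
</svg>"""
```

On untrusted attachments, parse with defusedxml instead of xml.etree, since the stdlib parser does not guard against entity-expansion tricks.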

    A year-long search revealed 523 matches. The earliest, dated August 14, 2025, also originated from Colombia and initially evaded detection. Follow-up analysis confirmed the same phishing and hidden download scheme. Early samples were bulkier, around 25 MB, but later shrank in size, suggesting refinements to the payload. The delivery channel remained email, with metadata on senders, subject lines, and attachment names linking the campaign into a consistent chain of activity.