Hackers Exploit SVG Files with Embedded JavaScript to Deploy Malware on Windows Systems


In the rapidly evolving field of cybersecurity, threat actors are increasingly using Scalable Vector Graphics (SVG) files to bypass traditional defenses.

Unlike raster formats such as JPEG or PNG, which store pixel-based data, SVGs are XML-structured documents that define vector shapes, paths, and text, enabling seamless scalability.

This inherent flexibility, however, permits the embedding of executable JavaScript code, which can activate when the file is rendered in a web browser, a default behavior on many Windows systems.

According to a Seqrite report, attackers exploit this by distributing malicious SVGs through spear-phishing emails or cloud storage platforms like Dropbox, Google Drive, or OneDrive, often evading email security gateways due to their innocuous appearance.
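Because an SVG is XML, a mail or upload filter can parse it and look for the script-capable constructs described above instead of trusting the image extension. The following Python check is an added example, not code from the Seqrite report or the original article; the tag and scheme lists and both sample files are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed policy lists for this example; tune them for your own gateway.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

def local(name: str) -> str:
    """Strip an XML namespace prefix: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(data: bytes) -> list[str]:
    """Return findings describing active content in an SVG document."""
    # Entity declarations can hide or inflate content; flag for review, do not parse.
    if re.search(rb"<!ENTITY", data, re.I):
        return ["entity-declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["malformed-xml"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"element:{tag}")
        for attr, value in el.attrib.items():
            name = local(attr)
            # Browsers ignore whitespace inside a URL scheme, so compare without it.
            compact = re.sub(r"\s+", "", value).lower()
            if name.startswith("on"):  # onload, onclick, ...
                findings.append(f"handler:{tag}@{name}")
            elif name in URL_ATTRS and compact.startswith(BAD_SCHEMES):
                findings.append(f"url:{tag}@{name}")
    return findings

# Constructed samples: one inert file with active constructs, one plain image.
SAMPLE_ACTIVE = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="void(0)">
  <script type="text/javascript"><![CDATA[ /* placeholder */ ]]></script>
  <a xlink:href="javascript:void(0)"><rect width="10" height="10"/></a>
</svg>"""
SAMPLE_CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

if __name__ == "__main__":
    for label, blob in (("active", SAMPLE_ACTIVE), ("clean", SAMPLE_CLEAN)):
        print(label, scan_svg(blob))
```

Any non-empty result is a reason to quarantine or strip the attachment; an empty result only means none of the listed constructs were found.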

Figure: Malicious SVG code.

SVG as a Vector for Phishing

The attack chain typically initiates with a deceptive email attachment, such as one disguised as “Upcoming Meeting.svg” or “Your-to-do-List.svg,” accompanied by compelling subject lines like “Reminder for your Scheduled Event ...


Copyright of this story solely belongs to gbhackers.