Weaponizing SVG: How Threat Actors Embed Malicious JavaScript in Vector Files
gbhackers
Cybersecurity researchers have identified an emerging attack campaign where threat actors are weaponizing Scalable Vector Graphics (SVG) files to deliver sophisticated JavaScript-based redirect attacks.
This technique exploits the inherent trust placed in image formats, allowing malicious actors to embed obfuscated JavaScript within seemingly harmless vector graphics files that execute automatically when opened in web browsers.
Cybercriminals Exploit Trusted Image Format
The attack methodology centers on embedding malicious JavaScript code within SVG files using CDATA sections, which are typically used for legitimate purposes in XML-based formats.
The embedded scripts utilize static XOR encryption keys to decrypt secondary payloads at runtime, subsequently reconstructing and executing redirect commands through the Function() constructor.

The final malicious URLs are assembled using the atob() function and include Base64-encoded strings that serve dual purposes as victim tracking tokens and correlation identifiers for the attackers’ infrastructure.
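A static triage check for the traits described above, as an added example that is not from the original article or the researchers' tooling. The indicator names, regular expressions, verdict thresholds and both sample SVGs are assumptions constructed for illustration; the suspect sample is inert and only carries the tokens.

```python
import re

# Script element bodies, with or without a namespace prefix (e.g. <svg:script>).
SCRIPT_RE = re.compile(
    r"<(?:[\w-]+:)?script\b[^>]*>(.*?)</(?:[\w-]+:)?script\s*>",
    re.IGNORECASE | re.DOTALL)

# Traits named in the article; patterns are this example's assumptions.
INDICATORS = {
    "cdata_wrapped_script": re.compile(r"<!\[CDATA\["),
    "function_constructor": re.compile(r"\bFunction\s*\("),
    "atob_decode": re.compile(r"\batob\s*\("),
    "xor_char_decode": re.compile(r"charCodeAt\s*\([^)]*\)\s*\^"),
}

# Constructed samples. SUSPECT_SVG is inert: it carries the tokens only.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SUSPECT_SVG = """<svg xmlns="http://www.w3.org/2000/svg"><script><![CDATA[
var c = "".charCodeAt(0) ^ "K".charCodeAt(0);
var t = atob("");
var f = Function("");
]]></script></svg>"""

def scan_svg(text):
    """Return the sorted indicator names found in the SVG's script elements."""
    hits = set()
    for body in SCRIPT_RE.findall(text):
        hits.add("script_element")
        hits.update(n for n, rx in INDICATORS.items() if rx.search(body))
    return sorted(hits)

def verdict(hits):
    """clean: no script; review: script present; high: decode + dynamic eval."""
    found = set(hits)
    decodes = found & {"atob_decode", "xor_char_decode"}
    if "function_constructor" in found and decodes:
        return "high"
    return "review" if found else "clean"

if __name__ == "__main__":
    for name, svg in (("benign", BENIGN_SVG), ("suspect", SUSPECT_SVG)):
        hits = scan_svg(svg)
        print(name, verdict(hits), hits)
```

Pattern matching of this kind is a first-pass filter for mail or upload gateways: any script element in a file delivered as an image is already worth a review, and heavier obfuscation can hide the specific tokens.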
What makes this campaign particularly insidious is its ...
Copyright of this story solely belongs to gbhackers.