The campaigns, which use social engineering lures like ‘ToDoList’, ‘Missed Call’, and ‘Payment Reminder’, require no additional downloads or clicks as the script automatically decrypts within the victim’s browser.
Clever use of SVG for delivery
According to Ontinue researchers, initial access is gained through spoofed or impersonated email senders that deliver the malicious SVG either as a direct file attachment or via a link to an externally hosted image that appears harmless.
“Defenders must collapse the old distinction between code and content,” said Jason Soroko, senior fellow at Sectigo. “Treat every inbound SVG as a potential executable. Strip or block script tags.”
The SVG uses XOR-encrypted JavaScript; once viewed in a browser, it decodes itself and runs a redirect to an actor-controlled final URL that carries Base64-encoded data for victim tracking. Unlike typical malware, no files are dropped and no macros are triggered, just pure browser-native execution. The stealthy delivery is possible because of security misconfigurations such as missing DomainKeys Identified Mail (DKIM) or relaxed Domain-based Message Authentication, Reporting and Conformance (DMARC) policies, the email authentication protocols that protect against email spoofing and phishing.
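Soroko's advice to treat every inbound SVG as a potential executable can be turned into a simple mail-gateway or triage check. The script below is an added example written for this article, not code from Ontinue, Sectigo or the campaign itself; it parses an SVG as XML and flags the structural indicators that make script execution possible at all (a `<script>` element, `on*` event-handler attributes, `javascript:` targets in `href`/`xlink:href`, and `<foreignObject>`, which can embed HTML). It does not attempt to decode any payload, so it catches the XOR-encrypted variant and the plain variant alike, since both need one of these hooks to run. The sample SVG strings are constructed for the test and contain no functional payload.

```python
"""Flag inbound SVG files that carry script or script-triggering markup.

Added example (not from the Ontinue report or any vendor product): a
triage check that implements "treat every inbound SVG as a potential
executable". It walks the XML tree and reports the hooks a browser
would need to execute code. Sample inputs at the bottom are constructed.
"""
import sys
import xml.etree.ElementTree as ET
from typing import List

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Both the SVG 2 plain 'href' and the legacy namespaced 'xlink:href'.
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}


def _local(name: str) -> str:
    """Strip an XML namespace prefix like '{http://...}' from a tag/attr name."""
    return name.rsplit("}", 1)[-1]


def find_svg_indicators(svg_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged.

    A parse failure is itself a finding: a file that is not well-formed XML
    must not be waved through as 'clean' just because we could not inspect it.
    """
    findings: List[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); treat as suspicious"]

    for elem in root.iter():
        name = _local(elem.tag).lower()
        if name == "script":
            findings.append("<script> element present")
        if name == "foreignobject":
            findings.append("<foreignObject> present (can embed HTML)")
        for attr, value in elem.attrib.items():
            aname = _local(attr).lower()
            # onload, onclick, onbegin, onend, ... are all event handlers.
            if aname.startswith("on"):
                findings.append(f"event handler attribute '{aname}' on <{name}>")
            if attr in HREF_ATTRS and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URI in {aname} on <{name}>")
    return findings


def should_block(svg_text: str) -> bool:
    """Policy hook: block (or quarantine) when any indicator is present."""
    return bool(find_svg_indicators(svg_text))


# Constructed samples: a benign icon, and two files with the hooks flagged above.
CLEAN_SVG = (
    f'<svg xmlns="{SVG_NS}" width="10" height="10">'
    '<rect width="10" height="10"/></svg>'
)
SCRIPTED_SVG = (
    f'<svg xmlns="{SVG_NS}" onload="init()">'
    '<script>/* constructed placeholder, no payload */</script></svg>'
)
HREF_SVG = (
    f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}">'
    '<a xlink:href="javascript:void(0)"><text>click</text></a></svg>'
)

if __name__ == "__main__":
    # Usage: python svg_check.py file1.svg file2.svg ...
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = find_svg_indicators(fh.read())
        verdict = "BLOCK" if hits else "allow"
        print(f"{verdict}\t{path}")
        for hit in hits:
            print(f"\t- {hit}")
```

Run it over an attachment directory and feed the `BLOCK` verdicts into quarantine. Pairing this with a strict DMARC policy (`p=reject`) and DKIM signing on your own domains addresses the other half of the delivery chain the researchers describe, since the spoofed senders only work where those checks are missing or relaxed.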