Threat Actors Using Weaponized SVG Files to Redirect Users to Malicious Websites

Phishing campaigns have evolved significantly in 2025, with threat actors increasingly leveraging unconventional file formats to bypass security solutions.
A particularly concerning trend involves the weaponization of Scalable Vector Graphics (SVG) files, which are being embedded with malicious JavaScript code designed to redirect unsuspecting users to credential-harvesting websites.
These attacks exploit the inherent flexibility of SVG files while evading traditional detection mechanisms, allowing threat actors to successfully deliver phishing payloads to user inboxes.
SVG files, commonly used for legitimate web graphics purposes, are XML-based formats capable of rendering two-dimensional graphics.
Unlike traditional image formats, SVG files support embedded scripts, hyperlinks, and interactive elements, making them particularly versatile for both legitimate use and malicious exploitation.
Their growing popularity in web design and marketing materials has created an opportunity for attackers to abuse this format in sophisticated phishing campaigns.
Intezer researchers noted a significant increase in SVG-based attacks throughout early 2025, documenting multiple instances where these weaponized files successfully bypassed email protections.
According to their analysis, these malicious SVG files frequently appear as seemingly harmless email attachments that trigger no alerts from traditional security solutions.
“The flexibility of SVG files makes them an ideal candidate for evading security filters, as many security solutions do not deeply inspect SVG files for embedded JavaScript,” the research team reported.
The attack methodology involves embedding Base64-encoded JavaScript inside the SVG file, typically within or
tags.
When a victim opens the SVG file, the encoded script executes, decodes itself, and silently redirects the user to a phishing site designed to harvest credentials.
What makes this technique particularly effective is the multi-layered obfuscation that conceals the malicious payload from static analysis engines.
Most concerning is the detection evasion success rate of these attacks. In multiple documented cases, malicious SVG files received zero detections on VirusTotal, allowing them to reach intended victims without triggering security alerts. This detection gap represents a significant blind spot in current email and endpoint security solutions.
Infection Mechanism and Obfuscation Techniques
The sophistication of SVG-based attacks lies in their encoding and obfuscation techniques.
When analyzing sample file b5a7406d5b4ef47a62b8dd1e4bec7f1812162433955e3a5b750cc471cbfad93e, Intezer researchers discovered an intricate multi-step obfuscation pattern designed to evade detection.
The malicious payload begins as Base64-encoded data within an iframe tag.
The obfuscated JavaScript payload follows a sophisticated evasion pattern:
var x3="w+z-w+z-w+z-aqxm-6zfqx-09z-73xq-7bzqx-31-0qz-dq6-axq-0z3-exqzxq-7ez-3z9-6cx-b8zxq-ac-f3zx";
x3=x3.replace(/[xqz]/g,"");
var y6="";
var xp=x3.split("-");
for(i=0;i
The script employs multiple layers of protection: string reversal, strategic insertion of junk characters that are programmatically removed, hexadecimal-to-ASCII conversion through a mathematical formula, and finally, URL reconstruction that redirects victims to a credential-harvesting page.
This complex approach ensures that traditional static analysis tools cannot easily identify the malicious behavior.
To counter these threats, Intezer has developed specialized analysis tools capable of deconstructing the obfuscation layers.
Their research underscores the need for deeper inspection of unconventional file formats and highlights how SVG files have become an increasingly common attack vector in the cybersecurity landscape of 2025.
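As an added illustration of the deeper SVG inspection called for above (not Intezer's tooling and not code from the original article), the following Python sketch parses an SVG, flags script-capable elements and attributes, and decodes Base64 data URIs so the inner script can be checked for the junk-character stripping, hex decoding and redirect traits described earlier. The function names, marker patterns and the sample are assumptions constructed for this example; the sample points at a reserved .invalid hostname.

```python
import base64
import re
import xml.etree.ElementTree as ET

ACTIVE_TAGS = {"script", "iframe", "foreignobject", "embed", "object"}
B64_URI = re.compile(r"data:[\w/+.;=-]*;base64,([A-Za-z0-9+/=\s]+)", re.I)
# Heuristics for the obfuscation layers described above, not signatures for one sample.
JS_MARKERS = {
    "junk-char stripping": re.compile(r"\.replace\(/\[[^\]]+\]/g,\s*[\"']{2}\)"),
    "hex/char decoding": re.compile(r"parseInt\([^)]*16\)|fromCharCode"),
    "base64 decode": re.compile(r"\batob\("),
    "redirect": re.compile(r"location\s*(\.href\s*)?=|location\.(replace|assign)\("),
}

def scan_text(text, where, findings, depth=0):
    """Record script markers found in text, then recurse into Base64 data URIs."""
    findings += [f"{where}: {name}" for name, rx in JS_MARKERS.items() if rx.search(text)]
    for m in (B64_URI.finditer(text) if depth < 3 else ()):
        try:
            inner = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:  # bad padding: not decodable, skip
            continue
        findings.append(f"{where}: base64 data URI")
        scan_text(inner, where + ">decoded", findings, depth + 1)

def inspect_svg(svg_text):
    """Return a list of findings for one SVG document (empty list = nothing flagged)."""
    if re.search(r"<!(DOCTYPE|ENTITY)", svg_text, re.I):
        return ["DTD present: not parsed (entity-expansion risk)"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["malformed XML"]
    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # drop the XML namespace
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}>: active element")
            scan_text(el.text or "", f"<{tag}>", findings)
        for attr, val in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()
            if name.startswith("on") or val.strip().lower().startswith("javascript:"):
                findings.append(f"<{tag}> @{name}: script-bearing attribute")
            scan_text(val, f"<{tag}> @{name}", findings)
    return findings

# Constructed sample: inert markup whose only URL uses a reserved .invalid name.
_inner = "<script>var u='hxqt';u=u.replace(/[xqz]/g,'');location.href='https://login.example.invalid/'</script>"
SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg"><iframe src="data:text/html;base64,'
          + base64.b64encode(_inner.encode()).decode() + '"/></svg>')
```

Calling `inspect_svg(SAMPLE)` lists the iframe, its Base64 data URI, and the markers found only after decoding, which is the layer a scanner that reads the attachment as an opaque image never reaches.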
The post Threat Actors Using Weaponized SVG Files to Redirect Users to Malicious Websites appeared first on Cyber Security News.