Attackers Weaponizing SVG Files for Phishing and Malware Delivery
Threat actors have shifted toward using SVG files to distribute phishing malware, taking advantage of the format's ability to embed scripts while remaining visually harmless. These XML-based vector image files can contain JavaScript and CSS, which attackers are now using to hide malicious code inside Base64-encoded payloads. Once opened, the script triggers a redirect to external URLs that move the victim further down the phishing chain. These SVG files are disguised using convincing filenames—often mimicking voicemails, receipts, or financial documents—to trick users into opening them. Once the file is opened, it quietly follows a redirect link, eventually landing on a spoofed login or phishing page designed to capture sensitive data such as usernames and passwords. To avoid detection and slow down security research, the attackers use a mix of anti-analysis techniques. The scripts check whether security tools like PhantomJS or web debugging proxies are in use and, if so, serve blank or benign pages to avoid suspicion. Keyboard shortcuts such as F12 (developer tools) and Ctrl+U (view page source), along with right-clicking, are blocked to prevent further inspection. They also measure the script's execution timing to detect whether it is being stepped through in a debugger, switching to a clean page version if anything unusual is detected. Victims are often presented with a fake CAPTCHA screen as a distraction while the malware sends hidden requests or loads a fake Microsoft login page. This method is becoming more common because it bypasses traditional file scanning and email filters, so SVG attachments should not be opened unless fully verified.
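As an added example (not from the report summarized above), a small static triage routine that parses an SVG and reports the indicators described here: script elements, on* event-handler attributes, decodable Base64 strings inside scripts, and redirect-style calls. The embedded SVG is a constructed sample, and the `example.invalid` URL it decodes to is a placeholder.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample: a 1x1 SVG whose script decodes a Base64 string and
# redirects the browser, mirroring the delivery pattern described above.
SAMPLE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1" onload="init()">
  <rect width="1" height="1" fill="white"/>
  <script><![CDATA[
    var u = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbG9naW4=");
    window.location.href = u;
  ]]></script>
</svg>"""

# Runs of 20+ Base64 characters with optional padding; short tokens are ignored.
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# Calls commonly used to decode a payload or move the browser elsewhere.
REDIRECT_RE = re.compile(r"(window\.location|location\.href|location\.replace|atob\()")


def triage_svg(data: bytes) -> dict:
    """Return the static indicators found in an SVG document."""
    root = ET.fromstring(data)
    findings = {"scripts": 0, "event_handlers": [], "decoded_b64": [], "redirect_calls": []}
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip the SVG namespace
        if tag == "script":
            findings["scripts"] += 1
            text = el.text or ""
            findings["redirect_calls"] += REDIRECT_RE.findall(text)
            for blob in B64_RE.findall(text):
                try:  # keep only blobs that decode to readable text
                    decoded = base64.b64decode(blob, validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue
                findings["decoded_b64"].append(decoded)
        for attr in el.attrib:
            if attr.lower().startswith("on"):  # onload, onclick, ...
                findings["event_handlers"].append(f"{tag}@{attr}")
    # An image file has no business carrying scripts or event handlers at all.
    findings["suspicious"] = bool(findings["scripts"] or findings["event_handlers"])
    return findings


if __name__ == "__main__":
    print(triage_svg(SAMPLE_SVG))
```

Decoded strings and redirect calls are returned for an analyst to read; the `suspicious` flag alone is enough for a mail gateway to quarantine the attachment.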
Android Banking Malware Getting Smarter and Harder to Detect
Two new Android malware families—TsarBot and Crocodilus—are raising the bar for mobile threats, targeting banking, cryptocurrency, and financial apps with highly deceptive tactics. TsarBot has already set its sights on over 750 apps globally, using fake login screens that appear on top of legitimate apps to trick users into entering sensitive information. Once installed, often disguised as Google Play Services, it can record screens, take remote control of the device, and even simulate swipes and taps while hiding its actions behind a black screen. The malware communicates with its command server in real-time, allowing it to respond dynamically and steal login credentials, credit card details, and other personal data. It even captures PINs through fake lock screens and can interact directly with popular banking and crypto apps, targeting users across North America, Europe, Asia-Pacific, and the Middle East. Crocodilus, although newer, is equally dangerous and focuses more heavily on stealing cryptocurrency wallet seed phrases. It tricks users through a fake warning that urges them to “back up” their wallet key within 12 hours or risk losing access. By guiding victims to the wallet’s seed phrase and using Accessibility Services to log the text, the malware silently hands the attacker full control of the wallet. Distributed through fake apps or malicious websites, Crocodilus operates under the radar by bypassing Android’s built-in security and avoiding detection from tools like Google Play Protect. It can take over devices remotely, send messages, access two-factor authentication codes, and lock the screen while performing hidden actions. Though it has primarily been seen in Spain and Turkey, its features suggest it can expand quickly. While there's no evidence they are directly related, they share similar goals and techniques. 
Both are Android banking Trojans using overlays and Accessibility Service abuse to steal credentials, gain control of devices, and avoid detection. However, TsarBot has a broader focus, targeting hundreds of financial and e-commerce apps worldwide. At the same time, Crocodilus is more specialized, with a sharp focus on cryptocurrency theft by tricking users into exposing their wallet seed phrases. Both threats underline the importance of avoiding apps from unknown sources and keeping device protections enabled at all times.
Fake Zoom Installer Used to Deploy BlackSuit Ransomware in Multi-Stage Attack
Cybersecurity analysts have uncovered a detailed ransomware campaign where attackers disguised a malicious installer as Zoom software to infect Windows systems. Victims were lured through a fake Zoom website that closely mimicked the official interface, prompting them to download what appeared to be a legitimate installer named “Zoom_v_2.00.4[.]exe.” Once launched, the file silently triggered a chain of malware actions while installing a real Zoom version to avoid raising suspicion. The installer acted as a delivery system for multiple tools, starting with a downloader called “d3f@ckloader,” which ran scripts to disable Windows Defender and quietly fetch more malicious files from online platforms. The attack unfolded in stages over nine days, beginning with the deployment of SectopRAT, a remote access tool that embedded itself into Windows processes and stayed inactive to evade detection. Once activated, it brought in additional tools, including Brute Ratel and Cobalt Strike, allowing attackers to move across the network, steal credentials, and access sensitive systems. They used remote access tools and tunneling to stay connected and eventually compressed stolen files using WinRAR before sending them off-site. In the final phase, BlackSuit ransomware was launched across multiple systems using PsExec, wiping out backups and encrypting all files. The attack ended with ransom notes demanding payment. This campaign highlights how convincing fake installers can be the entry point for highly coordinated attacks. Users should only download software from trusted sources, maintain strong security practices, and ensure systems are regularly backed up to minimize the impact of ransomware threats.
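As an added example (not from the report summarized above), a correlation routine over constructed process-creation events that flags a host showing several stages of this chain rather than alerting on any single one. The stage indicators (a Zoom-named executable launched from a Downloads folder, a PowerShell command turning off Defender real-time monitoring, WinRAR creating an archive, the PsExec service binary `PSEXESVC.exe`) are assumptions about how those steps appear in telemetry, and the hosts, paths and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed sample events (host, timestamp, image path, command line); not real logs.
EVENTS = [
    ("WS01", "2025-03-01T09:02", r"C:\Users\alice\Downloads\Zoom_v_2.00.4.exe", "Zoom_v_2.00.4.exe"),
    ("WS01", "2025-03-01T09:03", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("WS01", "2025-03-07T22:10", r"C:\Program Files\WinRAR\WinRAR.exe", r"WinRAR a -r staged.rar C:\Finance"),
    ("WS01", "2025-03-09T23:40", r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    ("WS02", "2025-03-02T10:00", r"C:\Program Files\Zoom\bin\Zoom.exe", "Zoom.exe"),
    ("WS02", "2025-03-02T10:05", r"C:\Program Files\WinRAR\WinRAR.exe", r"WinRAR x report.rar"),
]

# Each stage is (name, predicate over image path and command line). The strings
# matched here are assumed indicators for the stages described above.
STAGES = [
    ("zoom_named_binary_from_downloads",
     lambda img, cmd: re.search(r"\\Downloads\\[^\\]*zoom[^\\]*\.exe$", img, re.I) is not None),
    ("defender_realtime_disabled",
     lambda img, cmd: "DisableRealtimeMonitoring" in cmd),
    ("archive_staging",  # WinRAR invoked with the 'a' (add to archive) command
     lambda img, cmd: img.lower().endswith("winrar.exe") and re.match(r"\S+\s+a\b", cmd) is not None),
    ("psexec_service_started",
     lambda img, cmd: img.lower().endswith("\\psexesvc.exe")),
]


def correlate(events, min_stages=2):
    """Return hosts exhibiting at least `min_stages` distinct chain stages,
    mapped to the first timestamp each stage was observed, in order."""
    seen = defaultdict(dict)  # host -> {stage_name: first_timestamp}
    for host, ts, image, cmdline in sorted(events, key=lambda e: e[1]):
        for name, pred in STAGES:
            if name not in seen[host] and pred(image, cmdline):
                seen[host][name] = ts
    return {h: stages for h, stages in seen.items() if len(stages) >= min_stages}


if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(host, "->", ", ".join(f"{s}@{t}" for s, t in stages.items()))
```

Because the stages here were spread over nine days, the correlation keys on the host rather than on a short time window; WS02, which only ran the real Zoom client and extracted an archive, is not reported.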