TRENDING TOPICS JULY 16, 2025

SVG Smuggling Emerges as a Stealthy Tactic in Phishing Campaigns 

A newly observed phishing campaign is abusing SVG (Scalable Vector Graphics) files to execute browser-native redirects, allowing attackers to bypass traditional email security and malware detection systems. While SVGs are widely used and typically considered safe, they support embedded JavaScript, which is being exploited to hide obfuscated code within CDATA sections. Once the victim previews the image in a browser, often encouraged by minimalistic phishing emails, the script uses a static XOR key to decrypt itself, reconstructs a redirect command, and sends the user to a malicious URL. These redirection URLs often include tracking components and lead to credential phishing pages or further malware delivery infrastructure. The use of JavaScript inside the image file eliminates the need for dropped files or user-initiated actions, allowing the attack to execute entirely within the browser. These messages are sent from spoofed or misconfigured domains lacking strong DKIM, SPF, or DMARC protections, which helps them evade spam filters and appear trustworthy to recipients. The SVG files are either attached directly or linked via external sources, and the domains used to host them are often randomized, low-reputation, or subdomain-based to avoid detection by static filters. Attackers are targeting B2B service providers, including financial platforms, utility companies, and SaaS vendors, where stolen data or access can be monetized or leveraged for further attacks. Security experts warn that the attack’s sophistication lies in its ability to blend into standard workflows and evade behavioral monitoring tools. To counter these threats, defenders are urged to treat all SVGs as potentially executable content. 
Recommended controls include stripping script content from SVGs, enforcing strict email authentication policies, monitoring for suspicious browser behaviors such as window location changes triggered by image previews, and deploying layered protections, including safe link rewriting and content disarmament. This campaign represents a significant step forward in phishing tradecraft, utilizing trusted file types and browser-native execution to remain undetected.
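As an added illustration of the "strip script content from SVGs" control (this code is not part of the bulletin and is not tied to any real sample), the following Python inspects an SVG the way a mail gateway or preview proxy would: it reports the carriers the campaign relies on (a script block, which expat unwraps from its CDATA section; on* event handlers; javascript: URLs) and returns a copy with those carriers removed while the drawing itself is kept. The sample SVG, the list of suspect JavaScript substrings and the element list are constructed heuristics for this example.

```python
"""Gateway-side triage for SVG attachments: report active-content carriers and
produce a stripped copy that keeps only the drawing.
Standard library only; the sample SVG below is constructed, not a real lure."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # serialize without ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Elements that can carry or load executable content inside an SVG (assumed list).
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# Substrings an inline decode-then-redirect body tends to contain (heuristic, assumed).
SUSPECT_JS = ("location", "fromcharcode", "charcodeat", "atob(", "eval(", "unescape(")


def local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def is_script_url(value):
    # Browsers ignore embedded whitespace and control characters in the scheme.
    flat = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return flat.startswith(("javascript:", "vbscript:", "data:text/html"))


def scan_svg(data):
    """Return a list of findings for an SVG given as bytes; [] means nothing active."""
    findings = []
    for elem in ET.fromstring(data).iter():
        tag = local(elem.tag).lower()
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        if tag == "script":
            # expat already unwrapped any CDATA section, so .text is the script body.
            body = (elem.text or "").lower()
            hits = [s for s in SUSPECT_JS if s in body]
            if hits:
                findings.append("script body contains " + ", ".join(hits))
        for attr, value in elem.attrib.items():
            name = local(attr).lower()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and is_script_url(value):
                findings.append(f"script URL in {name} on <{tag}>")
    return findings


def _strip(elem):
    """Remove active children and attributes in place; return how many were removed."""
    removed = 0
    for attr in list(elem.attrib):
        name = local(attr).lower()
        if name.startswith("on") or (name == "href" and is_script_url(elem.attrib[attr])):
            del elem.attrib[attr]
            removed += 1
    for child in list(elem):
        if local(child.tag).lower() in ACTIVE_TAGS:
            elem.remove(child)
            removed += 1
        else:
            removed += _strip(child)
    return removed


def sanitize_svg(data):
    """Return (cleaned_svg_bytes, number_of_items_removed)."""
    root = ET.fromstring(data)
    removed = _strip(root)
    return ET.tostring(root, encoding="utf-8"), removed


# Constructed stand-in for a lure: a static drawing plus the three active-content carriers.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="100">
  <rect width="200" height="100" fill="#ddd" onclick="void(0)"/>
  <a xlink:href="javascript:void(0)"><text x="20" y="55">Open document</text></a>
  <script><![CDATA[
    var d = [], s = "";            /* constructed: empty payload, decodes to "" */
    for (var i = 0; i < d.length; i++) s += String.fromCharCode(d[i] ^ 7);
    window.location = s;
  ]]></script>
</svg>"""

if __name__ == "__main__":
    for f in scan_svg(SAMPLE_SVG):
        print("finding:", f)
    clean, n = sanitize_svg(SAMPLE_SVG)
    print(f"removed {n} item(s); residual findings: {scan_svg(clean)}")
    print(clean.decode())
```

In production the parse should go through defusedxml (or an equivalent hardened parser) rather than ElementTree directly, since entity-expansion tricks are a separate attachment risk; the stripping logic stays the same. Treating SVG as a document to be rewritten, not merely scanned, is what makes the "potentially executable" stance enforceable at the gateway.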

Polyglot Files and PhantomRemote Backdoor Drive Phishing Campaigns 

Recent phishing campaigns reveal an evolution in attacker tactics, with threat actors increasingly using polyglot files—files that can be interpreted as more than one format at once—to bypass email security filters. In one example, adversaries sent phishing emails from compromised corporate accounts with subject lines crafted to mimic legitimate business documents. Attached were [.]zip polyglot files containing both a decoy document and a DLL payload. These files also included a hidden ZIP archive that stored a Windows shortcut (LNK) file. When executed, the LNK file searched for the polyglot across specific directories and invoked it using rundll32[.]exe, targeting a malicious EntryPoint. A PowerShell command handled extraction and execution while ensuring minimal visibility through the use of hidden window parameters. A fake PDF was then created to maintain the appearance of a legitimate document, all while the malware executed silently in the background. The core of the attack is the PhantomRemote backdoor, which embeds its malicious logic within the DllMain function. It begins by collecting host information, generating a unique identifier, retrieving the computer and domain names, and creating a working directory in %PROGRAMDATA% named either “YandexCloud” or “MicrosoftAppStore.” The backdoor communicates with its command-and-control server over HTTP using custom User-Agent strings, transmitting system data and receiving commands, including shell execution or file downloads. Commands are processed using formats that include 'cmd:' or 'download:' followed by arguments and command IDs, with all results sent back via HTTP POST requests. The malware's sleep intervals and loop structures are designed to reduce detection while maintaining persistence. Its modularity allows attackers to expand its capabilities, including lateral movement and data theft. 
This campaign emphasizes the importance of strengthening defenses against disguised files, monitoring DLL execution through rundll32[.]exe, and inspecting outbound traffic for suspicious HTTP headers tied to unauthorized toolsets. 

North Korean-Linked NimDoor Malware Targets macOS Users in Crypto Industry 

Researchers have uncovered a new macOS malware campaign, known as NimDoor, linked to North Korea’s Stardust Chollima group. This campaign has been actively targeting Web3 and cryptocurrency organizations since at least April 2025. The campaign uses social engineering tactics, impersonating Zoom SDK updates to trick victims into executing malicious AppleScripts. Delivered through phishing emails, the payload installs two binaries: one C++-based module for decrypting and executing data theft components, and a Nim-compiled binary used to establish persistence. The malware is disguised using misleading process names, including “Google LLC,” and is configured to launch on startup via LaunchAgent plist entries. This marks a notable evolution in the group's tradecraft, with a rare use of Nim to bypass static analysis and integrate developer and runtime code, making detection more difficult. NimDoor surpasses traditional Mac threats by employing process injection for stealth, encrypted WebSocket (wss) communications for command-and-control, and a custom AppleScript beacon that checks in every 30 seconds. It can execute remote commands, exfiltrate process data, and includes a signal handler that reinstalls the malware if the process is terminated—an unprecedented persistence technique on macOS. Embedded Bash scripts collect sensitive data, including Keychain credentials, browser data from applications such as Chrome, Firefox, Arc, and Brave, as well as Telegram session information. Attackers often use distractions, including real Zoom meetings, to reduce suspicion during compromise. This campaign reflects the broader pattern of North Korean threat actors blending social engineering with technically advanced tooling to pursue financial objectives. 
The emergence of NimDoor highlights an expanding threat to macOS environments, particularly within the crypto sector, emphasizing the need for strong endpoint monitoring, source verification, and awareness of deceptive tactics across platforms, including Telegram. 
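As an added illustration of the "strong endpoint monitoring" point (not part of the bulletin, and not derived from any real NimDoor sample), the following Python audits launchd property lists for the persistence pattern the item describes: a LaunchAgent whose label or program name borrows a vendor name such as "Google LLC" while the program it starts lives in a user-writable location and is run through a script interpreter. The trusted-path prefixes, interpreter list, vendor keywords and both sample plists are constructed assumptions for this example.

```python
"""Audit launchd plists for vendor-name impersonation, interpreter-launched
programs in user-writable paths, and restart-on-exit persistence.
Standard library only; heuristics and sample plists are constructed."""
import os
import plistlib

LAUNCH_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
               os.path.expanduser("~/Library/LaunchAgents")]
# Assumed: locations that ordinary users cannot write to without elevation.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
INTERPRETERS = {"osascript", "bash", "sh", "zsh", "python", "python3", "perl", "curl"}
VENDOR_WORDS = ("google", "apple", "zoom", "microsoft", "adobe")


def audit_plist(raw):
    """Return a list of findings for one launchd plist given as bytes (XML or binary)."""
    try:
        plist = plistlib.loads(raw)
    except Exception as exc:            # InvalidFileException, ExpatError, ...
        return [f"unparseable plist: {exc}"]
    findings = []
    label = str(plist.get("Label", ""))
    args = [str(a) for a in (plist.get("ProgramArguments") or [])]
    program = str(plist.get("Program") or (args[0] if args else ""))
    # Legitimate labels are reverse-DNS (com.vendor.product); display-style names stand out.
    if label and ("." not in label or " " in label):
        findings.append(f"label {label!r} is not reverse-DNS style")
    if os.path.basename(program) in INTERPRETERS:
        findings.append(f"launches a script interpreter: {program}")
    # Check every argument that looks like a path, so "/bin/bash -c /Users/x/.hidden/run"
    # is caught on the script it runs, not just on the interpreter.
    for token in [program] + args[1:]:
        if token.startswith("/") and not token.startswith(TRUSTED_PREFIXES):
            findings.append(f"runs from user-writable location: {token}")
    blob = " ".join([label, program] + args).lower()
    if any(w in blob for w in VENDOR_WORDS) and any("user-writable" in f for f in findings):
        findings.append("vendor-like name used for a program outside trusted paths")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: relaunched whenever it exits")
    return findings


def audit_directory(dirs=LAUNCH_DIRS):
    """Audit every .plist in the standard launchd directories; returns {path: findings}."""
    results = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for entry in os.scandir(d):
            if entry.is_file() and entry.name.endswith(".plist"):
                with open(entry.path, "rb") as fh:
                    findings = audit_plist(fh.read())
                if findings:
                    results[entry.path] = findings
    return results


# Constructed samples: one ordinary helper agent and one that shows the pattern above.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/helper</string><string>--agent</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>Google LLC</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string><string>-c</string>
    <string>/Users/alice/Library/.google_llc/agent --beacon</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PLIST), ("suspicious", SUSPICIOUS_PLIST)):
        print(name, "->", audit_plist(sample) or "no findings")
    for path, findings in audit_directory().items():
        print(path, "->", findings)
```

Legitimate updaters that live under ~/Library will trip the user-writable check, so a deployment needs an allowlist keyed on code signature or path; the value of the check is in surfacing the combination (display-style label, interpreter, user-writable path, KeepAlive) rather than any single signal. Because the bulletin notes that NimDoor reinstalls itself when its process is killed, the audit is more useful as a recurring collection than a one-off scan.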

Konfety Android Malware Evolves with ZIP Tampering and Runtime Obfuscation 

Security researchers have uncovered a more sophisticated version of the Konfety Android malware, which now employs advanced ZIP structure manipulation to evade detection and mimic legitimate applications. Distributed via third-party sources, Konfety employs an "evil-twin" tactic—reusing package names of real apps from the Google Play Store to hide in plain sight. Key elements of the APK, including AndroidManifest[.]xml, are manipulated by enabling false encryption flags and declaring unsupported compression types. These modifications break tools, including JADX and APKTool, making reverse engineering difficult while still allowing the app to be installed normally on Android. The malware further evades detection by loading encrypted payloads at runtime, where a hidden DEX file defines undeclared components, including services and activities that are not visible in the main codebase. This stealth payload executes only after installation, bypassing static analysis. Konfety also integrates with the CaramelAds SDK to support ad fraud and covert operations, using the SDK to retrieve ads, download additional payloads, and establish communication with attacker-controlled servers. Although the SDK itself is not malicious, it serves as a conduit for deceptive behavior. Once active, the malware opens browser windows that redirect users to fraudulent websites, often pushing unauthorized app downloads or triggering persistent push notifications. These interactions degrade user experience and compromise device integrity. Telltale signs—like a distinctive user agreement popup and a unique @injseq regex—link Konfety to earlier campaigns. Attackers routinely rotate ad networks and obfuscation techniques to stay ahead of detection. With a mix of low-level ZIP tampering, delayed code execution, and deceptive app behaviors, Konfety reflects the increasing complexity of Android-based threats. 
Security teams are advised to adopt more advanced forensic tools, and users should avoid third-party APKs, monitor network traffic, and utilize Play Protect to defend against similar malware. 
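As an added illustration of the "more advanced forensic tools" point, and of the polyglot archives described in the PhantomRemote item above (this code is not part of the bulletin and the sample archives are built in the script, not taken from real malware), the following Python walks a ZIP container's central directory by hand instead of trusting a library. It reports two things the two campaigns rely on: data prepended to the archive, which a reader that locates the archive from its end silently skips, and central-directory metadata that is wrong on purpose (an encryption flag on an entry that is not encrypted, a compression method no normal tool implements). The risky-extension list and the prefix magic table are assumptions for this example.

```python
"""Static triage of a ZIP-based container (archive or APK): leading non-ZIP data,
tampered entry metadata, local/central header disagreement, risky member types.
Standard library only; both sample archives are constructed here."""
import io
import struct
import zipfile

EOCD_SIG, CDH_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
KNOWN_METHODS = {0, 8}                                   # stored and deflate
RISKY_EXT = (".lnk", ".dll", ".exe", ".scr", ".hta", ".js", ".vbs")   # assumed list
PREFIX_MAGIC = {b"%PDF": "pdf", b"MZ": "pe", b"\x89PNG": "png", b"GIF8": "gif", b"\xff\xd8\xff": "jpeg"}


def find_eocd(data):
    """Offset of the End Of Central Directory record, or -1 if there is none."""
    tail = data[-(22 + 65535):]               # 22-byte record plus optional comment
    pos = tail.rfind(EOCD_SIG)
    return -1 if pos < 0 else len(data) - len(tail) + pos


def triage_zip(data):
    """Return {'is_zip', 'prefix_len', 'prefix_type', 'entries', 'findings'}."""
    report = {"is_zip": False, "prefix_len": 0, "prefix_type": None, "entries": [], "findings": []}
    eocd = find_eocd(data)
    if eocd < 0:
        report["findings"].append("no EOCD record: not a ZIP container")
        return report
    report["is_zip"] = True
    _, _, _, _, total, cd_size, cd_offset, _ = struct.unpack("<IHHHHIIH", data[eocd:eocd + 22])
    # Readers locate the archive from its end, so bytes before the first local header
    # are skipped: that slack is where a polyglot keeps its other face.
    prefix_len = eocd - cd_size - cd_offset
    if prefix_len < 0:
        report["findings"].append("EOCD offsets are inconsistent with file size")
        return report
    report["prefix_len"] = prefix_len
    if prefix_len > 0:
        kind = next((k for m, k in PREFIX_MAGIC.items() if data.startswith(m)), "unknown")
        report["prefix_type"] = kind
        report["findings"].append(f"polyglot: {prefix_len} bytes of {kind} data precede the archive")
    pos = prefix_len + cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            report["findings"].append(f"central directory header missing at {pos}")
            break
        (_, _, _, flags, method, _, _, _, _, usize, nlen, elen, clen,
         _, _, _, lho) = struct.unpack("<IHHHHHHIIIHHHHHII", data[pos:pos + 46])
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + elen + clen
        report["entries"].append({"name": name, "flags": flags, "method": method, "size": usize})
        if flags & 0x1:
            report["findings"].append(f"{name}: encryption flag set")
        if method not in KNOWN_METHODS:
            report["findings"].append(f"{name}: unsupported compression method {method}")
        if name.lower().endswith(RISKY_EXT):
            report["findings"].append(f"{name}: executable-type member")
        # Extractors trust the local header; disagreement with the central directory
        # means one of the two was edited after the archive was written.
        lfh = prefix_len + lho
        if data[lfh:lfh + 4] != LFH_SIG:
            report["findings"].append(f"{name}: local header missing at {lfh}")
        else:
            lflags, lmethod = struct.unpack_from("<HH", data, lfh + 6)
            if (lflags & 0x1) != (flags & 0x1) or lmethod != method:
                report["findings"].append(f"{name}: local and central headers disagree")
    return report


def build_polyglot_sample():
    """Constructed: PDF-looking bytes, then an archive with a decoy, a DLL and an LNK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("payload.dll", b"MZ constructed stub, not a real PE")
        zf.writestr("open.lnk", b"L\x00\x00\x00 constructed stub, not a real LNK")
    return b"%PDF-1.4\n% constructed decoy prefix\n" + buf.getvalue()


def build_tampered_apk_sample():
    """Constructed: an APK-like archive whose AndroidManifest.xml entry carries the
    encryption bit and method 99 in both its local and central headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00 constructed stub")
    data = bytearray(buf.getvalue())
    for sig, flag_off, method_off in ((LFH_SIG, 6, 8), (CDH_SIG, 8, 10)):
        at = data.find(sig)                        # first entry is the manifest
        data[at + flag_off] |= 0x01                # bogus "encrypted" bit
        struct.pack_into("<H", data, at + method_off, 99)
    return bytes(data)


if __name__ == "__main__":
    for label, sample in (("polyglot", build_polyglot_sample()), ("tampered apk", build_tampered_apk_sample())):
        r = triage_zip(sample)
        print(f"[{label}] entries={[e['name'] for e in r['entries']]}")
        for f in r["findings"]:
            print("   ", f)
```

The manual walk matters for the Konfety case: a library such as Python's zipfile reads the directory but refuses to open an entry whose encryption bit is set, and the bulletin notes that JADX and APKTool break on these files, so the metadata has to be read without attempting extraction. For the polyglot case the same prefix computation is what an extractor performs silently, which is why a gateway should inspect the prefix type rather than rely on the file's declared extension.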

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.