Cybersecurity researchers have flagged a brand new malware marketing campaign that has leveraged Scalable Vector Graphics (SVG) information as a part of phishing assaults impersonating the Colombian judicial system.
The SVG information, in keeping with VirusTotal, are distributed through e-mail and designed to execute an embedded JavaScript payload, which then decodes and injects a Base64-encoded HTML phishing web page masquerading as a portal for Fiscalía Normal de la Nación, the Workplace of the Lawyer Normal of Colombia.
The web page then simulates an official authorities doc obtain course of with a pretend progress bar, whereas it stealthily triggers the obtain of a ZIP archive within the background. The precise nature of the ZIP file was not disclosed.
The Google-owned malware scanning service mentioned it discovered 44 distinctive SVG information, all of which have remained undetected by antivirus engines, owing to using methods like obfuscation, polymorphism, and enormous quantities of junk code to evade static detection strategies.
In all, as many as 523 SVG information have been detected within the wild, with the earliest pattern courting again to August 14, 2025.
“Wanting deeper, we noticed that the earliest samples have been bigger, round 25 MB, and the dimensions decreased over time, suggesting the attackers have been evolving their payloads,” VirusTotal mentioned.
The disclosure comes as cracked variations of professional software program and ClickFix-style techniques are getting used to lure customers into infecting their Apple macOS programs with an data stealer known as Atomic macOS Stealer (AMOS), exposing companies to credential stuffing, monetary theft, and different follow-on assaults.
“AMOS is designed for broad information theft, able to stealing credentials, browser information, cryptocurrency wallets, Telegram chats, VPN profiles, keychain objects, Apple Notes, and information from widespread folders,” Development Micro mentioned. “AMOS reveals that macOS is not a peripheral goal. As macOS gadgets acquire floor in enterprise settings, they’ve develop into a extra enticing and profitable focus for attackers.”
The assault chain primarily includes focusing on customers on the lookout for cracked software program on websites like haxmac[.]cc, redirecting them to bogus obtain hyperlinks that present set up directions designed to trick them into working malicious instructions on the Terminal app, thus triggering the deployment of AMOS.
It is value noting that Apple prevents the set up of .dmg information missing correct notarization because of macOS’s Gatekeeper protections, which require the applying packages to be signed by an recognized developer and notarized by Apple.
“With the discharge of macOS Sequoia, makes an attempt to put in malicious or unsigned .dmg information, similar to these utilized in AMOS campaigns, are blocked by default,” the corporate added. “Whereas this does not eradicate the danger fully, particularly for customers who could bypass built-in protections, it raises the barrier for profitable infections and forces attackers to adapt their supply strategies.”
That is why menace actors are more and more banking on ClickFix, because it permits the stealer to be put in on the machine utilizing Terminal by way of a curl command specified within the software program obtain web page.
“Whereas macOS Sequoia’s enhanced Gatekeeper protections efficiently blocked conventional .dmg-based infections, menace actors shortly pivoted to terminal-based set up strategies that proved simpler in bypassing safety controls,” Development Micro mentioned. “This shift highlights the significance of defense-in-depth methods that do not rely solely on built-in working system protections.”
The event additionally follows the invention of a “sprawling cyber marketing campaign” that is focusing on avid gamers looking out for cheats with StealC stealer and crypto theft malware, netting the menace actors greater than $135,000.
Per CyberArk, the exercise is notable for leveraging StealC’s loader capabilities to obtain further payloads, on this case, a cryptocurrency stealer that may siphon digital property from customers on contaminated machines.
