VirusTotal’s latest Code Insight update has uncovered a sophisticated Colombian malware campaign that exploited both legacy SWF and modern SVG file formats to bypass traditional antivirus detection systems.
The discovery highlights how attackers continue to leverage diverse file formats to distribute malware while evading security measures.
The campaign, discovered immediately after VirusTotal deployed Code Insight support for SWF and SVG formats, centers on SVG files that impersonate Colombia’s justice system.
Despite going completely undetected by all 63 antivirus engines, Code Insight’s analysis revealed the malicious nature of these files.
The attack begins with an SVG file containing embedded JavaScript that executes upon rendering. The script decodes and injects a Base64-encoded HTML phishing page designed to mimic official Colombian government judicial portals.
To enhance credibility, the fake portal simulates document downloads complete with progress bars, case numbers, and security tokens.
While users believe they’re accessing legitimate government documents, the malicious code simultaneously decodes a second Base64 string containing a ZIP archive and forces its download. This dual-layer approach combines convincing phishing tactics with malware distribution.
VirusTotal Intelligence searches using the query “type:svg AND codeinsight:’Colombian’” revealed 44 unique SVG files, all undetected by antivirus engines but flagged by Code Insight as part of the same campaign.
Analysis of the source code exposed sophisticated evasion techniques, including code obfuscation, polymorphism with slight variations per file, and large amounts of dummy code to increase entropy and avoid static detection.
Interestingly, attackers left Spanish-language comments in their scripts, including phrases like “POLIFORMISMO_MASIVO_SEGURO” and “Funciones dummy MASIVAS.”
While most code changed between samples, these comments remained consistent across files, providing a clear signature for detection rules.
A basic YARA rule targeting these consistent comments identified 523 additional samples over the past year through retrohunting. The earliest sample traced back to August 14, 2025, also submitted from Colombia with zero antivirus detections at the time.
The campaign also utilized SWF files, despite Adobe ending Flash support in 2020. VirusTotal received 47,812 unique SWF files in the last 30 days, with 466 flagged as malicious. Similarly, 140,803 unique SVG files were submitted, with 1,442 showing malicious detections—approximately 1% for both formats.
Code Insight’s ability to analyze both binary SWF files through decompilation and text-based SVG files through JavaScript extraction demonstrates the continued importance of supporting diverse file formats in security analysis, as attackers exploit both legacy and contemporary technologies to distribute malware effectively.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
