(*44*)Cybersecurity researchers have flagged a brand new malware marketing campaign that has leveraged Scalable Vector Graphics (SVG) information as a part of phishing assaults impersonating the Colombian judicial system.
(*44*)The SVG information, in accordance to VirusTotal, are distributed by way of electronic mail and designed to execute an embedded JavaScript payload, which then decodes and injects a Base64-encoded HTML phishing web page masquerading as a portal for Fiscalía Normal de la Nación, the Workplace of the Lawyer Normal of Colombia.
(*44*)The web page then simulates an official authorities doc obtain course of with a pretend progress bar, whereas it stealthily triggers the obtain of a ZIP archive within the background. The precise nature of the ZIP file was not disclosed.
(*44*)The Google-owned malware scanning service stated it discovered 44 distinctive SVG information, all of which have remained undetected by antivirus engines, owing to using methods like obfuscation, polymorphism, and enormous quantities of junk code to evade static detection strategies.
(*44*)In all, as many as 523 SVG information have been detected within the wild, with the earliest pattern courting again to August 14, 2025.
(*44*)”Wanting deeper, we noticed that the earliest samples have been bigger, round 25 MB, and the dimensions decreased over time, suggesting the attackers have been evolving their payloads,” VirusTotal stated.
(*44*)The disclosure comes as cracked variations of official software program and ClickFix-style techniques are getting used to lure customers into infecting their Apple macOS techniques with an info stealer known as Atomic macOS Stealer (AMOS), exposing companies to credential stuffing, monetary theft, and different follow-on assaults.
(*44*)”AMOS is designed for broad information theft, able to stealing credentials, browser information, cryptocurrency wallets, Telegram chats, VPN profiles, keychain objects, Apple Notes, and information from frequent folders,” Development Micro said. “AMOS exhibits that macOS is not a peripheral goal. As macOS gadgets acquire floor in enterprise settings, they’ve turn out to be a extra engaging and profitable focus for attackers.”
(*44*)The assault chain primarily includes focusing on customers searching for cracked software program on websites like haxmac[.]cc, redirecting them to bogus obtain hyperlinks that present set up directions designed to trick them into operating malicious instructions on the Terminal app, thus triggering the deployment of AMOS.
(*44*)It is value noting that Apple prevents the set up of .dmg information missing correct notarization due to macOS’s Gatekeeper protections, which require the applying packages to be signed by an recognized developer and notarized by Apple.
(*44*)”With the discharge of macOS Sequoia, makes an attempt to set up malicious or unsigned .dmg information, reminiscent of these utilized in AMOS campaigns, are blocked by default,” the corporate added. “Whereas this does not eradicate the chance completely, particularly for customers who might bypass built-in protections, it raises the barrier for profitable infections and forces attackers to adapt their supply strategies.”
(*44*)This is the reason menace actors are more and more banking on ClickFix, because it permits the stealer to be put in on the machine utilizing Terminal by way of a curl command specified within the software program obtain web page.
(*44*)”Whereas macOS Sequoia’s enhanced Gatekeeper protections efficiently blocked conventional .dmg-based infections, menace actors shortly pivoted to terminal-based set up strategies that proved more practical in bypassing safety controls,” Development Micro stated. “This shift highlights the significance of defense-in-depth methods that do not rely solely on built-in working system protections.”
(*44*)The event additionally follows the invention of a “sprawling cyber marketing campaign” that is focusing on avid gamers looking out for cheats with StealC stealer and crypto theft malware, netting the menace actors greater than $135,000.
(*44*)Per CyberArk, the exercise is notable for leveraging StealC’s loader capabilities to obtain further payloads, on this case, a cryptocurrency stealer that may siphon digital property from customers on contaminated machines.
