South Korean security firm AhnLab has announced the discovery of a sophisticated new phishing malware that utilizes the SVG file format. This emerging threat incorporates multiple techniques specifically designed to circumvent security measures and resist analysis by researchers.

Advanced SVG Malware Evades Detection

On March 28, 2025, AhnLab revealed details about a newly discovered phishing malware that leverages Scalable Vector Graphics (SVG) format. What makes this malware particularly concerning is its arsenal of anti-analysis features that allow it to evade traditional security protections.

SVG is an XML-based vector image format used across the web for icons, logos, and graphics. Unlike raster formats such as PNG or JPEG, an SVG document can carry CSS and JavaScript, and a browser executes that script when the file is opened directly (for example by double-clicking an attachment or loading it in a tab), though not when the SVG is merely referenced from an <img> element. Threat actors are increasingly exploiting this to hide malicious scripts inside what looks like an innocent image file.

Evolution of the Threat

AhnLab’s Security Intelligence Center (ASEC) had previously reported on SVG-format malware in November 2024, but this latest discovery demonstrates a significant evolution in sophistication and evasion techniques.

Deceptive Appearance

The malicious SVG files are disguised with business-related filenames to appear legitimate. Researchers have identified several examples of filenames used in active attacks:

  • Play Voicemail Transcription.(387.KB).svg
  • MT103_0296626389_.svg
  • DOC217_3052.svg
  • ATT78683.svg
  • Access Document Remittance_RECEIPT6534114638.svg

Technical Mechanics

The latest SVG malware places its payload in the src attribute of a script element as a Base64-encoded data: URI. Inline data: URIs of this kind are normally used to embed images directly in web pages, so an opaque Base64 blob in an attribute draws less attention than a readable script body and slips past controls that look for obvious JavaScript. When decoded, the embedded code contains redirect URLs that send the victim to fraudulent authentication pages.

Advanced Anti-Analysis Mechanisms

What makes this malware particularly sophisticated is its comprehensive set of anti-analysis features:

1. Automated Analysis Tool Detection

The script inspects the visiting browser's User-Agent string and redirects to a blank page if it finds indications of:

  • Web drivers
  • Automation tools (like PhantomJS)
  • Proxy tools (like Burp Suite)

2. Keypress Blocking

To keep analysts out of the code, the script intercepts keyboard events and suppresses the shortcuts that open the browser's developer tools, such as F12 and Ctrl+Shift+I.

3. Right-Click Prevention

The script also cancels the browser's context menu, so right-clicking offers no Inspect Element, View Source or Save As option. This hinders casual inspection only; it does nothing against an analyst who opens the developer tools from the browser menu or simply reads the file on disk.

4. Debug Detection

The code reads performance.now() before and after a section of script and compares the elapsed time with a threshold. A long gap suggests execution was paused in a debugger, and in that case the script redirects to a legitimate website so the analyst sees nothing suspicious. This check only catches interactive stepping; decoding the Base64 payload statically and reading it is unaffected.
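The following is an added triage script, written for this article rather than taken from AhnLab's report or from the malware itself, that puts the Technical Mechanics and Anti-Analysis sections together: it pulls the script elements out of an SVG, decodes a Base64 data: URI carried in the src attribute, and then lists the URLs and the anti-analysis indicators described above. The SVG it runs on is constructed here to exercise those checks; its payload, the example.com and example.net URLs, the 100 ms threshold and the use of a debugger statement to create the measurable delay are assumptions, not details from the actual sample.

```javascript
// Added example, not AhnLab's code: static triage of an SVG attachment.
// Extracts <script> elements, decodes Base64 data: URIs in src/href
// attributes, and reports URLs plus the anti-analysis indicators above.
// Runs under Node.js with no dependencies.

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\b(?:src|href|xlink:href)\s*=\s*["']([^"']*)["']/i;
const DATA_B64_RE = /^data:([^;,]*)(?:;[^,]*)?;base64,(.*)$/is;
const URL_RE = /https?:\/\/[^\s"'<>()]+/g;

// Indicators mapped to the behaviours described in the article. The regexes
// are deliberately loose: they surface candidates for a human reviewer and are
// not meant to be a precise detection signature.
const INDICATORS = [
  [/webdriver|phantomjs|burp/i, 'analysis-tool detection (WebDriver/PhantomJS/Burp)'],
  [/navigator\.userAgent/, 'User-Agent inspection'],
  [/keydown|keyCode|F12/, 'keyboard shortcut blocking'],
  [/contextmenu/, 'right-click blocking'],
  [/performance\.now\(\)/, 'timing-based debugger detection'],
  [/location\.(?:href|replace)|window\.open/, 'redirect'],
  [/\bfetch\(|XMLHttpRequest/, 'outbound request'],
];

// Decode a "data:<type>[;params];base64,<payload>" URI; null if it is not one.
function decodeDataUri(uri) {
  const m = DATA_B64_RE.exec(uri.trim());
  if (!m) return null;
  return Buffer.from(m[2].replace(/\s+/g, ''), 'base64').toString('utf8');
}

// Return the script bodies found in the SVG text, whether written inline or
// carried in a data: URI on the src/href attribute.
function extractScripts(svgText) {
  const scripts = [];
  for (const m of svgText.matchAll(SCRIPT_RE)) {
    const attrs = m[1];
    const inline = m[2];
    const ref = SRC_RE.exec(attrs);
    if (ref) {
      const decoded = decodeDataUri(ref[1]);
      // A non-data reference is kept as text so the URL extractor still sees it.
      scripts.push({
        origin: decoded === null ? 'external' : 'data-uri',
        code: decoded === null ? ref[1] : decoded,
      });
    }
    if (inline.trim()) scripts.push({ origin: 'inline', code: inline });
  }
  return scripts;
}

// Summarise one SVG: how many scripts it carries, which URLs they reference,
// and which of the anti-analysis behaviours they appear to implement.
function triageSvg(svgText) {
  const scripts = extractScripts(svgText);
  const urls = new Set();
  const indicators = new Set();
  for (const s of scripts) {
    for (const u of s.code.match(URL_RE) || []) urls.add(u);
    for (const [re, label] of INDICATORS) if (re.test(s.code)) indicators.add(label);
  }
  return { scriptCount: scripts.length, urls: [...urls], indicators: [...indicators] };
}

// Constructed sample for this example only. The payload mirrors the behaviours
// the article describes; the URLs, the 100 ms threshold and the `debugger`
// statement used to produce a measurable delay are assumptions.
const PAYLOAD = [
  "if (/webdriver|PhantomJS|Burp/i.test(navigator.userAgent)) { location.href = 'about:blank'; }",
  "document.addEventListener('contextmenu', function (e) { e.preventDefault(); });",
  "document.addEventListener('keydown', function (e) { if (e.key === 'F12') e.preventDefault(); });",
  "var t0 = performance.now(); debugger; if (performance.now() - t0 > 100) { location.href = 'https://www.example.com/'; }",
  "document.getElementById('captcha').onclick = function () { fetch('https://login-verify.example.net/check'); };",
].join('\n');

const SAMPLE_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="320" height="120">
  <text x="10" y="60">Loading document, please wait...</text>
  <script src="data:text/javascript;base64,${Buffer.from(PAYLOAD).toString('base64')}"></script>
</svg>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triageSvg(SAMPLE_SVG), null, 2));
}
```

Run it with node against the built-in sample, or replace SAMPLE_SVG with the contents of a quarantined attachment. The regex-based extraction is a deliberate simplification: an attacker can nest data: URIs, entity-encode the markup or chain eval calls to defeat it, so a report with no indicators means nothing was found, not that the file is safe.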

Attack Flow

If a visitor passes these checks and clicks the CAPTCHA button, the script sends a GET request to a hard-coded URL, which triggers the next stage of the attack. AhnLab did not obtain the full details of the response, but assesses that it most likely leads to a phishing site impersonating Microsoft's login page.

Growing Threat Landscape

SVG-format malware continues to evolve and grow more common. The files are usually distributed as email attachments, where an .svg extension is easily mistaken for a harmless image, creating significant risk for organizations and individuals alike.

Recommended Security Measures

Security experts advise:

  • Not opening SVG files from unknown or suspicious sources
  • Strengthening employee security awareness training
  • Filtering or quarantining SVG attachments at the mail gateway, and flagging any SVG that contains a script element or a Base64 data: URI
  • Keeping endpoint protection up to date
  • Deploying behavioral analysis tools that can detect suspicious activity regardless of file format

As this threat continues to evolve, organizations should remain vigilant and ensure their security controls are equipped to detect and block these increasingly sophisticated attacks.

Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape