One image—and antivirus is powerless. SWF has risen from the dead and become a hacker's perfect tool.

ExcalibuR

SWF and SVG have shown that old technologies can still bypass security.
Cybercriminals have launched a new wave of attacks using SVG files to deliver phishing pages. Specialists at VirusTotal reported that the attackers are masquerading as the Colombian Prosecutor's Office, distributing email attachments containing hidden JavaScript. Automated analysis revealed behavior that antivirus programs failed to detect.

SWF, a formally "dead" format since the shutdown of Flash in 2020, continues to appear in traffic. Over 30 days, 47,812 previously unknown unique SWF files were submitted to VirusTotal, and 466 of them triggered at least one antivirus engine. In one case, only 3 of 63 engines flagged the file, citing "suspicious" signs and an old vulnerability, but a detailed analysis revealed a complex program featuring 3D rendering, sound, and a built-in level editor. Obfuscated classes, the use of RC4/AES, and the collection of system information looked alarming, yet were consistent with the logic of anti-cheat and anti-modification protection. No malicious behavior was found.

SVG is the opposite in spirit and era: an open standard for the web and design. This is precisely why threat actors prefer it. Over the last 30 days, VirusTotal received 140,803 previously unknown unique SVG files, of which 1,442 were flagged by at least one engine. One sample was not detected by any engine, but when rendered, it executed an embedded script that decoded and injected a phishing HTML page mimicking the Colombian judicial system portal. For plausibility, the page simulated document loading with a progress bar, while a ZIP archive was downloaded in the background and pushed to the user as a download. The behavior was confirmed in a sandbox: visual elements, case numbers, "security tokens"—all were present, even though it was just an SVG image.

According to VirusTotal, this is not an isolated case. A search query like type:svg mentioning Colombia returned 44 unique SVGs, all with no antivirus detections but using the same tactics: obfuscation, polymorphism, and voluminous "junk" code to increase entropy. However, the scripts contained Spanish-language comments like "POLIFORMISMO_MASIVO_SEGURO" (Massive Secure Polymorphism) and "Funciones dummy MASIVAS" (Massive Dummy Functions)—a weak spot that a simple YARA signature can catch.

A search over the past year yielded 523 matches. The earliest sample is dated August 14, 2025, also uploaded from Colombia, and also passed without any detections. Re-analysis confirmed the same phishing and hidden download scheme. Early instances were larger—around 25 MB—then the size decreased, indicating payload refinement. The delivery channel is email, which allowed linking the campaign through sender metadata, email subjects, and attachment names.
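The two technical points above, an SVG that carries an inline script which decodes and injects HTML, and the Spanish comment strings that make the campaign signaturable, can be turned into a static triage check that runs before any rendering. The script below is an added example for this post, not code from VirusTotal or from the campaign. It parses an SVG with the standard library, counts script elements and on* event-handler attributes, looks for the comment markers quoted in the post (in both JavaScript and XML comments), flags decoder idioms such as atob()/document.write, and measures large base64 blobs and entropy. The thresholds, the marker list, and both sample SVGs are constructed for the example; the "suspicious" fixture decodes only to inert placeholder text.

```python
"""Static triage of SVG attachments for embedded active content.

Assumptions (not from the VirusTotal write-up): scoring thresholds, the
marker list, and the two sample SVGs are constructed for this example.
"""
import base64
import math
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Comment strings the post reports seeing in the campaign's scripts.
MARKER_STRINGS = ("POLIFORMISMO_MASIVO_SEGURO", "Funciones dummy MASIVAS")

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# 200+ contiguous base64 characters is an assumed threshold for "a blob".
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
DECODER_IDIOM = re.compile(r"\batob\s*\(|document\.write|innerHTML")


def shannon_entropy(data: str) -> float:
    """Bits per character; readable JS is roughly 4-5, base64 closer to 6."""
    if not data:
        return 0.0
    counts = {}
    for ch in data:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class SvgReport:
    script_count: int = 0
    event_handlers: list = field(default_factory=list)
    markers: list = field(default_factory=list)
    max_entropy: float = 0.0
    b64_blob_bytes: int = 0
    uses_decoder: bool = False

    @property
    def verdict(self) -> str:
        if self.script_count == 0 and not self.event_handlers:
            return "clean"          # no active content at all
        if self.markers or self.uses_decoder or self.b64_blob_bytes:
            return "suspicious"     # active content plus a known tell
        return "review"             # scripted SVG, no specific indicator


def triage_svg(svg_text: str) -> SvgReport:
    # insert_comments=True keeps <!-- --> nodes so markers hidden there are seen.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(svg_text, parser=parser)
    report = SvgReport()
    active_code = []    # script bodies and event-handler values
    searchable = []     # everything we grep for marker strings
    for el in root.iter():
        if el.tag is ET.Comment:
            searchable.append(el.text or "")
            continue
        tag = el.tag.split("}")[-1]  # drop the SVG namespace prefix
        if tag == "script":
            report.script_count += 1
            active_code.append(el.text or "")
        for attr, value in el.attrib.items():
            if EVENT_ATTR.match(attr.split("}")[-1]):
                report.event_handlers.append(f"{tag}@{attr}")
                active_code.append(value)
    searchable.extend(active_code)
    for text in searchable:
        for marker in MARKER_STRINGS:
            if marker in text and marker not in report.markers:
                report.markers.append(marker)
    for code in active_code:
        report.max_entropy = max(report.max_entropy, shannon_entropy(code))
        if DECODER_IDIOM.search(code):
            report.uses_decoder = True
        for m in B64_BLOB.finditer(code):
            report.b64_blob_bytes += len(m.group(0))
    return report


# Constructed fixtures: a plain drawing and a stand-in for the campaign's SVG
# (inline script, quoted comment marker, base64 blob, atob()/document.write).
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="blue"/>
</svg>"""

PLACEHOLDER_B64 = base64.b64encode(b"<p>placeholder</p>" * 12).decode()
SUSPICIOUS_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <rect width="10" height="10"/>
  <script><![CDATA[
    // POLIFORMISMO_MASIVO_SEGURO
    function init() {{ document.write(atob("{PLACEHOLDER_B64}")); }}
  ]]></script>
</svg>"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(name, triage_svg(sample))
```

The check is deliberately static: it never renders the SVG, so it can run in a mail gateway or on a VirusTotal download without executing the embedded script. For attachments from untrusted senders, swap xml.etree for defusedxml to also cover entity-expansion tricks, and treat "review" as a reason to detonate the file in a sandbox rather than to deliver it.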