FortiGuard Labs has recently uncovered a particularly concerning phishing campaign demonstrating how adversaries are weaponizing seemingly innocuous file formats to deliver devastating payloads. The campaign, which specifically targets Ukrainian government agencies and organizations, leverages Scalable Vector Graphics (SVG) files as the initial attack vector to deploy multiple malware variants in a complex, fileless attack chain.
Traditional phishing campaigns have long relied on malicious email attachments—typically Office documents, PDFs, or executables. However, this latest campaign marks a significant shift in tactics, utilizing SVG files as the primary delivery mechanism. SVG files, commonly used for web graphics and scalable images, present a unique security challenge because they can contain embedded HTML and JavaScript code while often bypassing traditional email security filters that focus on more conventional threat vectors.
According to the FortiGuard Labs research: "The phishing emails contain malicious Scalable Vector Graphics files designed to trick recipients into opening harmful attachments. When opened, the SVG initiates the download of a password-protected archive that contains a Compiled HTML Help (CHM) file."
The approach is particularly insidious because SVG files are generally perceived as benign image files, making recipients more likely to open them without suspicion. The use of graphics files as attack vectors represents a concerning trend that security professionals must be prepared to address.
The campaign employs highly-targeted social engineering tactics, with attackers crafting emails that impersonate the National Police of Ukraine. The phishing messages claim to be official notices requiring immediate attention, leveraging the current geopolitical climate to create urgency and legitimacy.
As detailed in the research: "The phishing campaign begins with a forged email claiming to be a notice from the National Police of Ukraine. The email includes a malicious SVG attachment.... The message states that an appeal has been submitted for review and warns that ignoring the notice could lead to further legal action."
"SVG files are challenging when it comes to security, because they can be interpreted in two modes: as images or as documents. When interpreted as images, they are relatively safe," said Lionel Litty, Chief Security Architect at Menlo Security. "However, when interpreted as documents, they can contain JavaScript and can perform many of the same actions as an HTML document. This includes making network requests, accepting user input, loading additional content via foreignObject, and triggering file downloads, as we see here."
Litty added, "Whether an SVG is handled as an image or a document depends on the context: which application opens it and, in a browser, how it is loaded. This ambiguity can create confusion and a false sense of security. To stay on the safe side, it is best to treat SVGs as active content that is similar to HTML rather than as an image format."
The targeting strategy is particularly concerning given the ongoing conflict in Ukraine and the heightened state of alert among Ukrainian organizations. The attackers are clearly exploiting the current security environment to increase the likelihood of successful infections.
The attack methodology demonstrates a sophisticated understanding of both technical exploitation and user psychology. The malicious SVG file contains embedded HTML code that presents victims with a convincing Adobe Reader interface, complete with a "Please wait, your document is loading..." message in Ukrainian. This spoofed interface automatically redirects victims to a download page and even displays the password needed to extract the malicious archive.
The technical complexity escalates from this initial deception. The downloaded CHM file contains a shortcut object that executes a remote HTML Application (HTA) file, dubbed "CountLoader" by the researchers. This loader serves as a command-and-control (C2) mechanism that can execute six different types of commands, including downloading additional payloads, performing domain reconnaissance, and covering its tracks.
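As an added illustration (not part of the FortiGuard research or this article), the CHM-to-HTA step described above leaves a process lineage that endpoint telemetry can catch. On Windows, CHM files open in the HTML Help viewer (hh.exe) and HTA files run under mshta.exe, so a shortcut object that fires a remote HTA shows up as hh.exe spawning mshta.exe with a URL on its command line. The script below runs that check over constructed, Sysmon-style process-creation records; the hostnames, paths and process IDs are invented for the example, and the field names (Image, ParentImage, CommandLine, ProcessId) follow Sysmon Event ID 1 as an assumption about the reader's telemetry format.

```python
import json

# Constructed Sysmon-style process-creation records, one JSON object per line.
# Hostnames, paths and PIDs are invented for this example; c2.example is a placeholder.
SAMPLE_LOG_LINES = [
    r'{"ProcessId": 4400, "ParentProcessId": 1200, "Image": "C:\\Windows\\hh.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\hh.exe\" C:\\Users\\victim\\Downloads\\notice.chm"}',
    r'{"ProcessId": 4412, "ParentProcessId": 4400, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\hh.exe", "CommandLine": "mshta.exe http://c2.example/stage.hta"}',
    r'{"ProcessId": 4500, "ParentProcessId": 1200, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta.exe \"C:\\Program Files\\Vendor\\tool.hta\""}',
    r'{"ProcessId": 4510, "ParentProcessId": 1200, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"}',
]


def _basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(lines):
    """Parse JSON records, skipping lines that are not valid JSON objects."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict):
            events.append(ev)
    return events


def detect_chm_to_hta(events):
    """Flag mshta.exe launches consistent with a CHM shortcut executing a remote HTA.

    Two indicators are checked per event and reported together:
      1. parent process is the HTML Help viewer (hh.exe) and the child is mshta.exe;
      2. mshta.exe was started with an http:// or https:// URL on its command line.
    A locally installed HTA started from Explorer (event 3 above) matches neither.
    """
    alerts = []
    for ev in events:
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        cmdline = ev.get("CommandLine", "").lower()
        reasons = []
        if image == "mshta.exe" and parent == "hh.exe":
            reasons.append("HTML Help viewer (hh.exe) spawned mshta.exe")
        if image == "mshta.exe" and ("http://" in cmdline or "https://" in cmdline):
            reasons.append("mshta.exe launched with a remote URL on its command line")
        if reasons:
            alerts.append({
                "pid": ev.get("ProcessId"),
                "parent_pid": ev.get("ParentProcessId"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_chm_to_hta(parse_events(SAMPLE_LOG_LINES)):
        print(alert)
```

Run against the sample records, only the second event (PID 4412) is reported, with both reasons attached; the first rule alone is already a strong signal, because the Help viewer has no legitimate reason to start the HTA host.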
What makes the campaign particularly dangerous is its deployment of two distinct malware variants: Amatera Stealer and PureMiner. This dual approach allows attackers to both harvest sensitive information and monetize compromised systems through cryptocurrency mining.
"Phishing continues to evolve. More than 70 percent of attachments that bypassed secure email gateways in the first half of 2025 were non-traditional formats such as SVG or IMG files, not the Office macros or executable payloads defenders may expect," said Rhys Downing, Threat Researcher at Ontinue. "Attackers are using these formats to embed scripts or redirects that lead victims directly into adversary-in-the-middle sites, harvesting both credentials and tokens in a single step."
Downing continued, "SVGs provide an effective delivery vehicle for client-side JavaScript, and spoofed emails reduce the friction required for successful execution. Security teams should prioritize the detection of dynamic script activity in non-traditional file types and review their controls for email-based file delivery. Security leaders cannot rely on past assumptions about phishing detection. Email defenses must be tuned to inspect emerging file types, and user education must reflect the reality that attackers will continue to innovate in how they package lures."
Amatera Stealer represents a significant threat to organizational security, with capabilities that extend far beyond traditional credential theft. The malware targets an extensive range of data types, including:
- System information and hardware specifications
- Browser credentials and cookies from both Gecko-based and Chromium-based applications
- Cryptocurrency wallet data from numerous desktop wallets
- Application data from popular services like Steam, Telegram, Discord, and Binance
- File grabbing capabilities that collect documents, images, and other sensitive files
The research reveals the stealer's sophisticated approach to modern browser security. "The stealer uses two techniques to extract sensitive data: Legacy Cookie Decryption [and] App-Bound Encrypted (ABE) Data Decryption." The latter technique demonstrates the malware's ability to bypass Chrome's enhanced security measures by injecting shellcode into browser processes and leveraging COM APIs.
PureMiner complements the data theft capabilities with resource hijacking functionality. This .NET-based cryptominer conducts thorough hardware assessments before deployment, ensuring optimal mining performance while maintaining stealth. The malware "collects system information—particularly video adapter specifications and usage details—and can deploy CPU-based or GPU-based mining modules depending on the attacker's configuration."
Both malware variants employ fileless execution techniques, significantly complicating detection and forensic analysis. The research notes that "Amatera Stealer and PureMiner were deployed as fileless threats. They were executed via .NET Ahead-of-Time (AOT) compilation with process hollowing or loaded directly into memory using PythonMemoryModule."
The approach allows the malware to operate entirely in memory, leaving minimal forensic evidence and bypassing many traditional antivirus solutions that rely on file-based detection methods.
This campaign presents several critical lessons for cybersecurity professionals:
1. Expanding threat vectors: The use of SVG files as initial attack vectors highlights the need to reassess email security policies and filtering rules. Organizations should consider implementing more comprehensive content inspection that includes graphics files and embedded code analysis.
2. Geopolitical targeting: The specific targeting of Ukrainian organizations underscores the importance of threat intelligence that considers current geopolitical events. Organizations in conflict zones or areas of geopolitical tension should implement heightened security measures and increased user awareness training.
3. Multi-stage detection challenges: The complex, multi-stage nature of this attack chain emphasizes the limitations of point-in-time security solutions. Organizations need comprehensive security architectures that can detect and respond to threats across the entire attack lifecycle.
4. Fileless malware preparedness: The prevalence of fileless execution techniques in this campaign demonstrates the critical need for behavioral analysis and memory-based detection capabilities. Traditional signature-based security solutions are insufficient against these advanced threats.
To protect against similar campaigns, organizations should adopt several key defensive measures: advanced email security solutions that can analyze embedded content in graphics files and detect suspicious redirections or downloads; targeted security awareness training that specifically addresses the risks of official-looking communications during periods of heightened tension or conflict; endpoint detection and response (EDR) solutions capable of identifying suspicious process behavior, memory anomalies, and fileless execution techniques; and network segmentation to limit the impact of successful infections and prevent lateral movement.
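As an added example that is not from the article or the FortiGuard report, the point Lionel Litty makes earlier (an SVG is safe as an image but behaves like HTML as a document) and the content-inspection measure listed here reduce to one check: does an SVG attachment carry active content? The Python below performs that inspection with the standard library, flagging script and foreignObject elements, HTML elements nested inside them, on* event-handler attributes and javascript:/data: hrefs, and also produces a disarmed copy with those parts stripped, the "content disarm" approach. The sample SVGs are constructed for this example, and the indicator lists are this example's choice, not a list taken from the research.

```python
import re
import xml.etree.ElementTree as ET

# xml.etree is not hardened against entity-expansion attacks; for real attachments
# parse with defusedxml or an equivalent hardened parser (assumption: reader can install it).

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that turn an SVG from an image into a document that can run or load content.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# HTML elements that can appear inside foreignObject and load, redirect or submit content.
ACTIVE_HTML_ELEMENTS = {"iframe", "embed", "object", "meta", "form"}
# href values that execute code or carry inline content rather than linking to a resource.
DANGEROUS_HREF = re.compile(r"^\s*(javascript|data|vbscript):", re.IGNORECASE)

# Serialise the SVG namespace as the default namespace when writing disarmed output.
ET.register_namespace("", SVG_NS)

# Constructed sample modelled on the lure described above: an "image" that is really a
# document with an event handler, embedded HTML and a script (placeholder body, no payload).
SAMPLE_ACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="400" height="200" onload="init()">
  <rect width="400" height="200" fill="white"/>
  <foreignObject width="400" height="200">
    <div xmlns="http://www.w3.org/1999/xhtml">Please wait, your document is loading...</div>
  </foreignObject>
  <script>function init() { /* constructed placeholder, no real payload */ }</script>
</svg>"""

# Constructed sample of an image-only SVG that should pass clean.
SAMPLE_PLAIN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""


def _local(tag):
    """Strip the namespace from an ElementTree name such as '{http://...}script'."""
    return tag.rsplit("}", 1)[-1]


def _is_dangerous_attr(attr_name, value):
    """True for on* event handlers and for hrefs using a scriptable or inline scheme."""
    return attr_name.lower().startswith("on") or (
        attr_name == "href" and DANGEROUS_HREF.match(value) is not None
    )


def scan_svg(svg_text):
    """Return a list of findings describing active content; an empty list means image-only."""
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        elif name in ACTIVE_HTML_ELEMENTS:
            findings.append(f"embedded HTML element <{name}>")
        for attr, value in elem.attrib.items():
            attr_name = _local(attr)
            if _is_dangerous_attr(attr_name, value):
                findings.append(f"event handler {attr_name} on <{name}>"
                                if attr_name.lower().startswith("on")
                                else f"scriptable href on <{name}>: {value[:40]}")
    return findings


def disarm_svg(svg_text):
    """Return the SVG with active elements and dangerous attributes removed (content disarm)."""
    root = ET.fromstring(svg_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for elem in list(root.iter()):  # materialise first: the tree is modified in the loop
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS or name in ACTIVE_HTML_ELEMENTS:
            parent_of[elem].remove(elem)
            continue
        for attr in list(elem.attrib):
            if _is_dangerous_attr(_local(attr), elem.attrib[attr]):
                del elem.attrib[attr]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(scan_svg(SAMPLE_ACTIVE_SVG))
    print(scan_svg(disarm_svg(SAMPLE_ACTIVE_SVG)))
```

The scan is deliberately structural rather than signature-based: it does not try to recognise a particular script, only the presence of anything that makes the file a document. Whether a gateway blocks, quarantines or delivers the disarmed copy is a policy choice, but a non-empty finding list on a file that arrived as an "image" is the signal to act on.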
Certis Foster, Senior Threat Hunter Lead at Deepwatch, broke down the latest attacks:
"From the looks of it, these attackers are moving beyond the typical office docs. SVG, CHM, and HTA files are being abused as phishing lures. If your email filters aren't scanning 'images,' I imagine you'll be blind to these types of attacks."
"This type of tradecraft is fileless and modular. Loaders like CountLoader can swap payloads on the fly, such as stealers, miners, or even worse. Defenses need to key in on behaviors and move away from static signatures."
"I see that these actors are attempting to secure a two-for-one deal with Amatera Stealer, targeting credentials, wallets, and app data, while PureMiner hijacks system resources. You should expect to encounter both data theft and cryptojacking in a single attack."
"They'll inevitably make a few OPSEC mistakes, though, to a defender's advantage. The campaign, which currently reuses configurations, mutexes, and young domains, gives us hunting hooks. Pivot on these if you can to stay proactive."
"I don't want the community to think that this campaign is targeted just for Ukraine. Don't dismiss this; they just haven't targeted the U.S. region yet, and I believe this type of tradecraft is definitely reusable. These techniques are portable and will resurface against U.S. orgs if you can get ahead of this now to expand detections and train your response teams."
"I believe this campaign highlights why behavioral detections, content disarm, and C2 hunting matter more than ever. SVG isn't just a picture anymore; at this point, it's an attack vector."
The Ukraine-targeted SVG phishing campaign represents a concerning evolution in cybercriminal tactics, combining sophisticated social engineering with advanced technical exploitation techniques. The use of graphics files as attack vectors, coupled with fileless malware deployment and dual payload strategies, creates a formidable threat that challenges traditional security approaches.
As FortiGuard Labs concludes in their research: "This phishing campaign demonstrates how a malicious SVG file can act as an HTML substitute to initiate an infection chain.... Together, these payloads enabled both data theft and resource hijacking in the targeted environment."