“Who do you trust when the envelope itself is the weapon?” That unsettling question now hangs over ministries, aid groups and ordinary citizens in Ukraine and Vietnam after researchers exposed a phishing campaign that weaponizes SVG files to deliver a chain of malware culminating in PureRAT. The discovery underscores how a common, innocuous image format can become the first step in a sophisticated, multilayered intrusion.
Why SVG files became the attacker’s weapon of choice
Scalable Vector Graphics (SVG) files are XML-based images widely supported across browsers, email clients and document viewers. Their flexibility — the ability to embed scripts, reference external resources, and include interactive elements — makes them useful for legitimate design and web use. Those same features, however, also create an attractive attack surface. In this campaign, attackers exploited SVG files to bypass naive defenses and socially engineer recipients into initiating a download chain that ultimately installs CountLoader, Amatera Stealer, PureMiner and PureRAT.
Fortinet FortiGuard Labs researcher Yurren Wan detailed the campaign in a report shared with The Hacker News. Attackers impersonated Ukrainian government agencies and tailored spear-phishing messages so the SVG attachment looked legitimate. When a recipient opened the file, the embedded content launched CountLoader, a downloader that fetched additional modules. Those secondary payloads included Amatera Stealer for credential theft, PureMiner for covert cryptocurrency mining, and PureRAT, a remote access trojan that established persistent control over compromised hosts.
This staged approach — lure, loader, modular payloads, persistence — maximizes both stealth and return on investment for attackers. A single carefully crafted SVG file can set off a cascade of infections that result in data exfiltration, credential compromise, and unauthorized use of computing resources.
Geography and motivation: why Ukraine and Vietnam were targeted
The campaign’s focus on Ukraine and Vietnam is instructive. Ukraine has long been targeted in cyber operations tied to regional and geopolitical tensions; impersonating government agencies there increases the likelihood a user will trust and open a file. Vietnam’s rapidly expanding digital economy, varied cybersecurity maturity across organizations, and a growing online population make it an attractive target for opportunistic and financially motivated groups. The mix of targets suggests an operation blending intelligence collection with illicit monetization like credential theft and cryptomining.
What defenders should watch for
This campaign demonstrates several persistent lessons for defenders:
– Treat rendering engines and attachment types as part of the attack surface. SVG files can execute or reference code; blocking or sanitizing them at gateways reduces risk.
– Monitor for CountLoader behaviors and indicators associated with Amatera Stealer, PureMiner and PureRAT. Network-based detection of unusual outbound connections, command-and-control beaconing, and large unexplained CPU usage (sign of cryptomining) can speed detection.
– Use secure rendering sandboxes for email attachments and document previews. Sandboxing that fully isolates potentially scriptable formats is critical to preventing embedded code from executing on endpoints.
– Implement robust email authentication (DMARC, DKIM, SPF) and display sender provenance clearly to recipients, so suspicious or spoofed senders are easier to spot.
Operational and policy recommendations
For policymakers and administrators, the incident highlights actionable steps:
– Update guidance and procedures for official communications to minimize use of scriptable file formats in email and public outreach.
– Harden inter-agency mail handling with stricter attachment policies and automated sanitization.
– Sponsor public-awareness and training campaigns so citizens and staff verify unusual requests through independent channels rather than trusting an attachment at face value.
– Support basic cybersecurity hygiene for international partners and local institutions in conflict-affected areas. Simple controls can prevent breaches that escalate into operational or diplomatic incidents.
Simple but effective user practices
For everyday users, the core advice remains straightforward and essential:
– Treat attachments — even image files — with suspicion if they arrive unexpectedly, especially from government or organizational senders.
– Confirm unusual requests via a different channel (phone call, official website) before opening attachments or following embedded links.
– Disable automatic rendering of complex file types in mail clients when possible and keep systems and anti-malware tools up to date.
The attacker’s economy of effort
From the adversary’s perspective, this campaign is efficient: social engineering reduces the cost of compromise, SVG files often bypass naive defenses, and modular payloads multiply the payoff from a single click. That economy of effort makes similar campaigns likely to persist and evolve unless both technical and human defenses adapt.
Conclusion: treat every file as a potential vector
The Fortinet report, amplified by The Hacker News coverage, delivers a clear warning: even an image can be a weapon. SVG files, because they can carry scripts and external references, are a realistic vector for serious intrusions. Defenders must incorporate attachment types into threat models, organizations should tighten policies and user training, and individual users must adopt cautious habits. Are we prepared to treat every seemingly benign file as a potential vector — and to build systems and behaviors that reflect that reality? The persistence of campaigns like this one suggests the answer must be yes.




