Vulnerabilities

Hackers Weaponize SVG & Office Files to Target Windows


David kimber
January 1, 2026, 3 min read


Security researchers have uncovered a sophisticated email campaign that uses a commodity loader to deliver Remote Access Trojans (RATs) and information stealers to Windows hosts.

The operation primarily targets manufacturing and government organizations across Italy, Finland, and Saudi Arabia, using highly evasive techniques.

Figure: Infection chain

Multi-Vector Attack Strategy

The campaign employs several infection methods to compromise Windows systems. Threat actors distribute weaponized Microsoft Office documents that exploit CVE-2017-11882, a memory corruption vulnerability in the legacy Equation Editor component (EQNEDT32.EXE) that Microsoft patched in November 2017 but which is still routinely exploited in malicious documents.

In parallel, the attackers use malicious SVG files (XML documents that can embed script, so an "image" attachment can act as a downloader) and ZIP archives containing LNK shortcuts. All of these routes converge on the same commodity loader infrastructure.

Figure: Phishing email with attachment

The attacks begin with targeted phishing emails masquerading as legitimate Purchase Order communications from business partners.

These deceptive messages contain RAR archives hiding first-stage JavaScript payloads designed to bypass initial security screening.

The loader runs through a four-stage execution pipeline engineered to evade detection.

The initial JavaScript file is heavily obfuscated: malicious strings are stored in pieces and reassembled at run time with split and join operations, so the final command never appears as a literal in the file. On execution, the script starts a hidden PowerShell process through Windows Management Instrumentation (WMI) objects rather than directly, which means the PowerShell process is a child of the WMI provider host instead of the script host that launched it.

Figure: Classes present in the clean TaskScheduler library (left) and the appended malicious content (right)

The second stage downloads a PNG image from a legitimate hosting service such as Archive.org.

The image is a valid picture, but base64-encoded .NET assemblies are appended at the end of the file after the image data, so image viewers and naive scanners see nothing unusual. The PowerShell script carves the payload out with a regular expression and loads it directly into memory without writing it to disk.
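The following script is an added example written for this article; it is not code from the Cyble report or from the loader. It shows the triage check a defender would run on a suspicious image: walk the PNG chunk list to the IEND chunk, treat everything after it as a trailer, carve the longest base64 run the way the loader's regular expression does, and report whether it decodes to something with an MZ header. The PNG and the stand-in "assembly" are constructed in `build_sample()` so the script runs offline; the 64-character minimum run length is an assumption chosen to ignore stray base64-looking words.

```python
"""Triage a PNG for a payload appended after the image data, the way the
second stage of the loader described above hides base64 .NET assemblies.

Added example for this write-up, not code from the Cyble report. The PNG and
the 'assembly' are constructed in build_sample() so the script runs offline.
"""
import base64
import binascii
import re
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumption: a base64 run at least 64 characters long; shorter matches are noise.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def png_trailer(data: bytes) -> bytes:
    """Walk the chunk list and return every byte after the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + data + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk: truncated or not a PNG")


def extract_appended_assembly(data: bytes) -> Optional[bytes]:
    """Mirror the loader's regex carve: take the longest base64 run in the
    trailer, decode it, and return it only if it starts with an MZ header."""
    runs = B64_RUN.findall(png_trailer(data))
    if not runs:
        return None
    try:
        blob = base64.b64decode(max(runs, key=len), validate=True)
    except binascii.Error:
        return None
    return blob if blob.startswith(b"MZ") else None


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed stand-in for a .NET assembly: an MZ header and little else.
FAKE_ASSEMBLY = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32


def build_sample(payload: bytes) -> bytes:
    """Constructed 1x1 RGB PNG with base64(payload) appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one RGB pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png + base64.b64encode(payload)


if __name__ == "__main__":
    sample = build_sample(FAKE_ASSEMBLY)
    found = extract_appended_assembly(sample)
    print("trailer bytes after IEND:", len(png_trailer(sample)))
    print("PE payload carved:", found is not None and found == FAKE_ASSEMBLY)
```

Because the carve happens entirely in PowerShell memory, the only artifacts on disk are the downloaded image and the PowerShell command line; a check like this is the quickest way to confirm whether an image that a script fetched was really a picture.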

In the third stage, the attackers weaponize the legitimate open-source TaskScheduler .NET library from GitHub.

They append malicious functions to its source code and recompile it, producing a trojanized assembly whose namespaces and class names still look authentic while it carries the loader's own capabilities.

The final stage is process hollowing: the loader creates a RegAsm.exe process in a suspended state, writes the decoded payload into the new process's memory in place of the original image, and resumes it.

RegAsm.exe is a signed .NET Framework utility (the Assembly Registration Tool), so the malicious code runs under a trusted image name and path while executing entirely foreign code.
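The two process-creation patterns described above, the WMI-launched hidden PowerShell from the first stage and the suspended RegAsm.exe from the final stage, are both visible in ordinary process-creation telemetry. The detection logic below is an added example written for this article, not code from the Cyble report. It assumes Sysmon-style Event ID 1 records with `Image`, `ParentImage` and `CommandLine` fields; the five events in `SAMPLE_EVENTS` are constructed, with invented paths and command lines, and the rule names are my own.

```python
"""Flag the two process-creation patterns the chain above produces: PowerShell
spawned through WMI (its parent is WmiPrvSE.exe, not the script host) and
RegAsm.exe started by a script host or PowerShell with no assembly to register.

Added example for this write-up, not code from the Cyble report. The events
are constructed Sysmon-style (Event ID 1) records trimmed to the fields the
rules need; paths and command lines are invented.
"""
import json
import re
import shlex
from typing import Dict, List

# Constructed sample events (JSON lines). Event 1 is the WMI-spawned hidden
# PowerShell, event 2 the argument-less RegAsm.exe launched by PowerShell;
# events 0, 3 and 4 are benign look-alikes that the rules must not flag.
SAMPLE_EVENTS = r"""
{"Image":"C:\\Windows\\System32\\wscript.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"wscript.exe \"C:\\Users\\a\\Downloads\\PO-4471.js\""}
{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","CommandLine":"powershell.exe -w hidden -nop -ep bypass -c \"IEX([Text.Encoding]::UTF8.GetString($b))\""}
{"Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"}
{"Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe","ParentImage":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"RegAsm.exe /codebase \"C:\\Program Files\\Vendor\\Plugin.dll\""}
{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules compare image names only."""
    return path.rsplit("\\", 1)[-1].lower()


def argument_count(cmdline: str) -> int:
    """Tokens after the executable; posix=False keeps Windows paths intact."""
    return max(len(shlex.split(cmdline, posix=False)) - 1, 0)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmdline = event.get("CommandLine", "")
    hits: List[str] = []
    if image in {"powershell.exe", "pwsh.exe"}:
        # Win32_Process.Create runs the child under the WMI provider host.
        if parent == "wmiprvse.exe":
            hits.append("wmi_spawned_powershell")
        if HIDDEN_WINDOW.search(cmdline):
            hits.append("hidden_window_powershell")
    if image == "regasm.exe":
        # Legitimate use registers an assembly, so it has a parent such as an
        # installer and at least one argument; a hollowed host has neither.
        if parent in SCRIPT_HOSTS:
            hits.append("regasm_from_script_host")
        if argument_count(cmdline) == 0:
            hits.append("regasm_without_assembly_arg")
    return hits


def detect(jsonl: str) -> Dict[int, List[str]]:
    """Map event index -> matched rules, for events that matched anything."""
    alerts: Dict[int, List[str]] = {}
    records = [line for line in jsonl.splitlines() if line.strip()]
    for idx, line in enumerate(records):
        hits = classify(json.loads(line))
        if hits:
            alerts[idx] = hits
    return alerts


if __name__ == "__main__":
    for idx, rules in detect(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

Process-creation events show the suspicious parent and the empty command line but not the hollowing itself; to see the payload being written into the suspended process you need process-access or remote-thread telemetry (Sysmon Event IDs 10 and 8) or an EDR that inspects the mapped image against the file on disk.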

Payload Delivery and Capabilities

The campaign delivers a range of information stealers and RATs, including PureLog Stealer, Katz Stealer, DCRat, AsyncRAT, and Remcos.

The PureLog Stealer payload is stored encrypted and is decrypted with Triple DES in CBC mode before it is invoked; it then exfiltrates browser credentials, cryptocurrency wallet data, and detailed system information.

Figure: Injecting the payload into RegAsm.exe

Researchers at Cyble Research and Intelligence Labs (CRIL) identified a novel User Account Control (UAC) bypass technique in which malware monitors system process-creation events and opportunistically triggers UAC prompts during legitimate launches, tricking users into granting elevated privileges.

Cross-campaign analysis reveals standardized methodology across multiple threat actors, suggesting the loader operates as a shared delivery framework.

Research from Seqrite, Nextron Systems, and Zscaler documented identical class naming conventions and execution patterns across various malware families, confirming the widespread availability of this infrastructure.

To mitigate these threats, organizations should tighten email filtering for archive attachments that contain scripts or shortcuts, treat SVG attachments as active content rather than images, apply the November 2017 Office updates for CVE-2017-11882 and confirm that the legacy Equation Editor (EQNEDT32.EXE, which Microsoft removed from Office in January 2018) is no longer present, scrutinize image files fetched by scripts for data appended after the image, and monitor for suspicious PowerShell activity, in particular PowerShell launched through WMI and RegAsm.exe started by a script host with no assembly to register.

Tags: Attack, CVE, Cybersecurity, Exploit, Hacker, Malware, phishing, Security, Threat, Vulnerability


David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.
