Attackers are spreading the AsyncRAT remote access trojan through Scalable Vector Graphics (SVG) files that imitate government web portals, ESET reported Monday.

SVGs are vector image files written in eXtensible Markup Language (XML). SVG smuggling, a technique that was added to the MITRE ATT&CK framework earlier this year, takes advantage of SVG files’ ability to store scripts, links and interactive elements in addition to shapes, scalable graphics and text.

ESET discovered a campaign, active since at least July 2025, that used SVG smuggling to ultimately download the AsyncRAT backdoor. The campaign primarily targeted users in Colombia with emails claiming to be about urgent legal matters.

If a victim clicked the SVG attachment, which was typically greater than 10 MB, the vector graphics file would open in their browser, appearing to be a page from a justice system website.

Rather than setting up an external domain and having the file communicate with it, which could raise red flags with security tools, the attacker included everything the attack needed in the SVG file itself.

The SVG “websites” display a progress bar before ultimately triggering an embedded ZIP archive to be assembled and downloaded via the user’s browser. If the victim runs the executable file inside the archive, expecting to find legal documents, AsyncRAT is launched and uses DLL sideloading via a legitimate application to hide its malicious nature.

ESET found, from analyzing different samples from the same campaign, that the attacker added different randomized data to each malicious attachment. This adds another layer of evasion, making hash-based fingerprinting and identification of the malicious files more difficult.
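As an added example, not code from ESET's report or from the campaign's own files: a small Python triage script that flags the SVG traits described above (script elements, event-handler attributes, `javascript:` or `data:` hrefs, large base64-looking blobs such as an embedded archive, and files over the 10 MB size ESET observed) and, for the randomized-data evasion in the previous paragraph, computes a structural fingerprint over the element and attribute skeleton only, so two samples that differ only in filler or blob content still hash the same. The 4096-character blob threshold, the attribute checks and the two sample SVGs are assumptions constructed for the demo; the script element in the constructed sample is deliberately empty.

```python
"""Triage script for suspicious SVG attachments (constructed demo, not ESET tooling)."""
import hashlib
import re
import sys
import xml.etree.ElementTree as ET

# 10 MB: the attachment size ESET observed in the campaign.
SIZE_THRESHOLD = 10 * 1024 * 1024
# Assumption for the demo: a base64-looking run longer than this is worth flagging.
BLOB_MIN_LEN = 4096

BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % BLOB_MIN_LEN)
EVENT_ATTR_RE = re.compile(r"^on[a-z]+$", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.split("}")[-1]


def structural_fingerprint(root: ET.Element) -> str:
    """SHA-256 over the element/attribute skeleton only.

    Text, attribute values and comments are ignored, so files that differ only
    in randomized filler or in the embedded blob still share a fingerprint.
    """
    parts = []
    for elem in root.iter():
        if not isinstance(elem.tag, str):  # skip comments / processing instructions
            continue
        attrs = ",".join(sorted(_local(k) for k in elem.attrib))
        parts.append(f"{_local(elem.tag).lower()}[{attrs}]")
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def scan_svg(data: bytes) -> dict:
    """Return findings, the raw file hash and the structural fingerprint."""
    findings = []
    raw_sha256 = hashlib.sha256(data).hexdigest()
    if len(data) > SIZE_THRESHOLD:
        findings.append("oversized")
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return {"findings": ["xml_parse_error"], "raw_sha256": raw_sha256, "fingerprint": None}

    for elem in root.iter():
        if not isinstance(elem.tag, str):
            continue
        tag = _local(elem.tag).lower()
        if tag == "script":
            findings.append("script_element")
        elif tag == "foreignobject":
            findings.append("foreign_object")
        for name, value in elem.attrib.items():
            local = _local(name).lower()
            if EVENT_ATTR_RE.match(local):
                findings.append(f"event_handler:{local}")
            elif local == "href":
                target = value.strip().lower()
                if target.startswith("javascript:"):
                    findings.append("javascript_href")
                elif target.startswith("data:"):
                    findings.append("data_uri_href")

    # Look for long base64-looking runs anywhere in the file (text, attributes, CDATA).
    text = data.decode("utf-8", errors="replace")
    blobs = BASE64_RUN_RE.findall(text)
    if blobs:
        findings.append(f"large_base64_blob:{len(blobs)}")

    return {
        "findings": findings,
        "raw_sha256": raw_sha256,
        "fingerprint": structural_fingerprint(root),
    }


# Constructed benign sample: plain shapes, no active content.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect x="10" y="10" width="80" height="80" fill="blue"/>
</svg>"""


def make_suspicious_sample(filler: str, blob: str) -> bytes:
    """Constructed sample carrying the traits the scanner looks for; the script is inert.

    'filler' stands in for the randomized per-file data and 'blob' for an
    embedded base64-looking payload. Neither is real campaign content.
    """
    return f"""<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <desc>{filler}</desc>
  <script>/* intentionally empty placeholder */</script>
  <text id="payload">{blob}</text>
</svg>""".encode()


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_svg(fh.read()))
```

Run it as `python svg_triage.py attachment.svg`; two variants built with `make_suspicious_sample` and different filler report different `raw_sha256` values but the same `fingerprint`, which is the property a detection team wants when per-file randomization defeats plain hash blocklists.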

AI assistance is suspected to be involved in this campaign, as ESET analysts noted unusual features in the XML code of the SVGs that could be a side effect of large language model (LLM) use. These included “boilerplate” text in the XML, blank fields, repetitive class names and invalid MD5 strings included as “verification hashes,” according to ESET.

Users are recommended to be especially wary of unsolicited SVG attachments, with ESET noting “no actual government agency will send you an SVG file as an email attachment.”