Email security, Phishing, Malware

SVG email attachment spreads Amatera Stealer, PureMiner malware

The Amatera Stealer infostealer and PureMiner cryptominer are being spread through an email campaign leveraging Scalable Vector Graphics (SVG) attachments to trick users into downloading the malware, Fortinet’s FortiGuard Labs reported Friday.

The campaign, targeting Ukrainian users, begins with emails claiming to come from the National Police of Ukraine warning of potential legal action against the victim if they ignore the attached notice.

SVG phishing to malware

The attachment, elektronni_zapit_NPU.svg, fetches a second SVG from an external website via an embedded HTML iframe element. This second SVG displays what appears to be an Adobe Acrobat Reader window loading the police notice and then presents the victim with a button to download the file.

The file is an archive containing a Compiled HTML Help (CHM) file with an embedded HTML file that itself contains a shortcut object that leads to the execution of a remote HTML application (HTA) resource.

This HTA file, which employs string encoding and array shuffling for obfuscation, is a malware loader known as CountLoader, which establishes a connection with the attacker’s command-and-control (C2) server and performs basic reconnaissance before loading the final payloads. CountLoader has also been used in Russian ransomware campaigns, Silent Push reported last week.

CountLoader ultimately retrieves two ZIP archives – ergosystem.zip and smtpB.zip – that contain the resources needed to deploy PureMiner and Amatera Stealer, respectively.

Attackers target cryptocurrency, files, application data

Both Amatera Stealer and PureMiner are deployed filelessly for increased stealth. Amatera Stealer is loaded directly into memory by a Python-based downloader contained in smtbB.zip using a legitimate open-source resource known as PythonMemoryModule.

For PureMiner, DLL sideloading is used to load an injector that decrypts and injects the PureMiner payload, implemented in .NET with Ahead-of-Time (AOT) compilation, into a legitimate process via process hollowing.   

Amatera Stealer is an infostealer that targets a range of information including basic system data, active processes, installed software, clipboard contents, desktop cryptocurrency wallets and files with certain extensions including .pdf, .docx, .xls and .jpg.

It also has the ability to collect screenshots, and specifically targets login data, cookies, wallet extensions and other sensitive data from Gecko-based and Chromium-based applications such as the Firefox browser, the Thunderbird email client, the Chrome browser and Discord. Steam, Telegram, FileZilla and AnyDesk details were also noted to be targeted by the stealer.

The PureMiner cryptominer supports both CPU-based and GPU-based mining and collects information about the victim’s machine prior to beginning mining operations. It uses APIs from the AMD Display Library and NVIDIA library to collect hardware specifications such as total and available memory and can also retrieve video adapter information from the system registry.

PureMiner sends this information to the attacker’s C2 server in an encrypted format and can perform additional tasks, such as checking for analysis tools like Process Hacker, in response to remote commands.

SVG attacks on the rise

SVG attachments are increasingly being used in email attacks, with Ontinue finding that the use of malicious SVGs rose by 40% in the first half of 2025.

SVG files may evade email security systems more effectively than more traditional phishing attachments, with Ontinue finding that SVG and IMG attachments made up 70% of attacks that bypassed secure email gateways.  

Another recent SVG attack targeting Latin American users was discovered by ESET to lead to deployment of the AsyncRAT backdoor.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds