SVG phishing campaign targets Ukraine

8•Stasshe•3mo ago

Fortinet’s FortiGuard Labs has published a detailed analysis of a phishing campaign targeting Ukrainian organizations. The attackers used an unusual SVG file as the initial infection vector, which ultimately led to the deployment of Amatera Stealer (information-stealing malware) and PureMiner (a stealth crypto-miner).

The SVG file triggered a password-protected archive containing a CHM file that launched a loader called “CountLoader,” enabling fileless execution, process hollowing, and DLL side-loading.

This combination of stealer + miner, delivered through an SVG-based chain, shows a growing sophistication in phishing campaigns, especially those aimed at critical sectors.

Full report: https://www.fortinet.com/jp/blog/threat-research/svg-phishing-hits-ukraine-with-amatera-stealer-pureminer

Comments

GamingAtWork•3mo ago

it seems like the SVG file/image contained an embedded link? And they clicked the link and got pulled into one of those scam websites asking you to install shit software viruses. It was not that the svg file just went crazy and hacked their entire machine...

Stasshe•3mo ago

Not exactly — it’s a bit more than just a link scam. The SVG actually started a multi-stage infection chain, downloading a password-protected archive with a malicious CHM/HTA that deployed Amatera Stealer and PureMiner. So it’s a real system compromise, not just a fake site trick.

SurceBeats•3mo ago

The sophistication here (SVG > CHM > fileless execution > dual payload) suggests access to commercial malware toolkits rather than bespoke APT development.

Stasshe•3mo ago

And, it might be taking longer to discover because it's hard to notice with SVG.

AppSecMaster – Learn Application Security with hands on challenges

Fibonacci Number Certificates

AI Overviews are killing the web search, and there's nothing we can do about it

City skylines need an upgrade in the face of climate stress

1979: The Model World of Robert Symes [video]

Satellites Have a Lot of Room

1980s Farm Crisis

Show HN: FSID - Identifier for files and directories (like ISBN for Books)

Show HN: Holy Grail: Open-Source Autonomous Development Agent

Show HN: Minecraft Creeper meets 90s Tamagotchi

Show HN: Termiteam – Control center for multiple AI agent terminals

The only U.S. particle collider shuts down

Ask HN: Why do purchased B2B email lists still have such poor deliverability?

Show HN: Remotion directory (videos and prompts)

Portable C Compiler

Show HN: Kokki – A "Dual-Core" System Prompt to Reduce LLM Hallucinations

Software Engineering Transformation 2026

Microsoft purges Win11 printer drivers, devices on borrowed time

Lunch with the FT: Tarek Mansour

Old Mexico and her lost provinces (1883)

'AI' is a dick move, redux

The source code was the moat. But not anymore

Does anyone else feel like their inbox has become their job?

An AI model that can read and diagnose a brain MRI in seconds

Dev with 5 of experience switched to Rails, what should I be careful about?

AlphaFace: High Fidelity and Real-Time Face Swapper Robust to Facial Pose

Scientists discover “levitating” time crystals that you can hold in your hand

Rammstein – Deutschland (C64 Cover, Real SID, 8-bit – 2019) [video]

Tell HN: Yet Another Round of Zendesk Spam

Postgres Message Queue (PGMQ)