Fiscalía General de la Nación SVG phishing campaign
Campaign
Summary
A new SVG-based phishing campaign uses email-delivered SVG files to bypass detection and impersonate Fiscalía General de la Nación, increasing the risk of credential theft and follow-on malware delivery. Researchers found 44 unique SVG files, and 523 were observed in the wild, showing the operation has reached broad distribution. The payload chain uses JavaScript embedded in the SVG and a Base64-encoded HTML phishing page that mimics an official government document portal. The earliest sample dates to August 14, 2025, indicating an active and evolving operation.
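A triage check for the payload chain described above, written as an added example and not taken from the page or from the researchers' tooling. It flags SVG attachments that carry script and whose Base64 runs decode to HTML. The function names, finding labels, 40-character threshold and sample files are assumptions constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Runs of Base64 characters long enough to hold an embedded document (assumed threshold).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
HTML_MARKERS = (b"<html", b"<!doctype html", b"<form", b"<body")

def local(name):
    """Strip the XML namespace from a tag or attribute name."""
    return name.rsplit("}", 1)[-1].lower()

def decodes_to_html(blob):
    """True if a Base64 run decodes to bytes that contain HTML markup."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return any(marker in raw.lower() for marker in HTML_MARKERS)

def triage_svg(svg_text):
    """Return a sorted list of findings for one SVG attachment."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["unparseable-xml"]  # malformed input is itself worth a look
    findings = set()
    for el in root.iter():
        name = local(el.tag)
        if name == "script":
            findings.add("script-element")
        if name == "foreignobject":
            findings.add("foreignObject-element")
        if any(local(attr).startswith("on") for attr in el.attrib):
            findings.add("event-handler-attribute")
    if any(decodes_to_html(m.group()) for m in B64_RUN.finditer(svg_text)):
        findings.add("base64-encoded-html")
    return sorted(findings)

# Constructed samples: a script-bearing SVG with an inert Base64 HTML blob, and a plain image.
LURE_HTML = "<html><body><form><input name='placeholder'></form></body></html>"
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="render()">'
    "<script><![CDATA[var page = '"
    + base64.b64encode(LURE_HTML.encode()).decode()
    + "';]]></script></svg>"
)
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'

if __name__ == "__main__":
    print(triage_svg(SAMPLE_SVG), triage_svg(CLEAN_SVG))
```

Because the reported samples relied on obfuscation, polymorphism and junk code, structural checks like these are a triage signal for mail gateways and analysts, not a complete detector.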
Related Happenings
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
RelayNFC Android NFC relay malware targeting Brazilian banking users
Malware Activity
First: 03.12.2025 17:32
Last: 03.12.2025 17:32
Sources 1
About this happening:
The **RelayNFC** malware is actively targeting **Brazilian banking users** with **Android**-based **NFC relay attacks**, creating a path to steal contactless payment data and enab...
APT24 BadAudio multi-delivery espionage campaign
Campaign
First: 21.11.2025 00:12
Last: 21.11.2025 00:12
Sources 1
About this happening:
**APT24** is running a **three-year espionage campaign** with **BadAudio** that has expanded into multiple delivery methods, increasing the operation's reach and stealth. Since **...
UNC5142 EtherHiding WordPress stealer campaign
Campaign
First: 16.10.2025 17:52
Last: 16.10.2025 17:52
Sources 1
About this happening:
The **UNC5142** campaign is abusing **compromised WordPress sites** and **BNB Smart Chain** smart contracts to deliver **information stealers** to **Windows** and **macOS** users,...
SVG phishing campaign impersonating Colombia's judicial system
Campaign
First: 06.09.2025 21:58
Last: 06.09.2025 21:58
Sources 1
About this happening:
A **phishing campaign** hidden in **SVG files** is using fake portals impersonating **Colombia's judicial system** to deliver malware and evade security detection. The operation e...
Timeline
- 05.09.2025 09:13
Email-delivered SVG files impersonate Fiscalía General de la Nación
Campaign Scope Update: Email-delivered SVG files used embedded JavaScript to decode and inject a Base64-encoded HTML phishing page masquerading as Fiscalía General de la Nación, the Office of the Attorney General of Colombia; the earliest observed sample dates to August 14, 2025.
Sources:
- VirusTotal Finds 44 Undetected SVG Files Used to Deploy Base64-Encoded Phishing Pages — thehackernews.com — 05.09.2025 09:13
- 05.09.2025 09:13
VirusTotal identifies 44 undetected SVG phishing files impersonating Fiscalía General de la Nación
Initial Disclosure: VirusTotal identified 44 unique SVG files targeting Fiscalía General de la Nación lures that remained undetected by antivirus engines because of obfuscation, polymorphism, and junk code; as many as 523 SVG files were seen in the wild, with earliest samples around 25 MB and shrinking over time.
Sources:
- VirusTotal Finds 44 Undetected SVG Files Used to Deploy Base64-Encoded Phishing Pages — thehackernews.com — 05.09.2025 09:13