Weaponized SVGs: Inside a global phishing campaign targeting financial institutions

02 June 2025

Authors

Austin Zeizel

Strategic Cyber Threat Analyst

IBM

David Bryant

Malware Reverse Engineer

Throughout 2025, IBM X-Force has been tracking a phishing campaign targeting financial institutions worldwide. This operation leveraged weaponized Scalable Vector Graphics (SVG) files embedded with JavaScript to initiate multi-stage malware infections. While the use of SVGs in phishing is not new, recent reporting indicates a notable rise in this tactic, signaling a broader shift in the threat landscape.

This campaign goes beyond traditional credential harvesting—employing advanced loaders, modular Remote Access Trojans (RATs), and trusted infrastructure like Amazon S3 and Telegram for command-and-control (C2). The activity showcases how attackers are evolving phishing techniques into full-scale initial access operations.

Key takeaways:

  • Weaponized SVGs as initial access: Threat actors are using SVG files embedded with JavaScript to bypass traditional security filters and initiate multi-stage malware infections.
  • Finance sector targeting: The campaign uses SWIFT-themed lures to impersonate trusted financial communication, specifically targeting financial institutions across multiple regions.
  • Java-based malware delivery: When executed, the SVG-embedded JavaScript drops a ZIP archive containing a JavaScript file that is used to download a Java-based loader. If Java is present, it deploys modular malware including Blue Banana RAT, SambaSpy, and SessionBot.
  • Advanced evasion tactics: The malware performs anti-analysis checks and environmental validation to ensure execution only in non-sandboxed, real-user environments.
  • Abuse of legitimate infrastructure: Payloads and C2 communications are routed through Amazon S3 and Telegram, helping the activity blend into normal enterprise traffic and evade detection.
  • Emerging tradecraft trend: This campaign reflects a broader shift in phishing techniques, where attackers increasingly abuse non-traditional file formats like SVG for malware delivery.

Campaign overview

X-Force analysis uncovered a global phishing campaign leveraging SVG files as the initial attack vector. These files, disguised as financial transaction documents, contain embedded JavaScript that writes a ZIP archive to the system. Within the archive, a JavaScript file initiates a malware infection chain—ultimately deploying RATs such as Blue Banana, SambaSpy and SessionBot. These payloads are designed for credential theft, session hijacking, surveillance, and data exfiltration, posing significant risks to targeted organizations.

The malware communicates via Amazon S3 and the Telegram Bot API, blending into legitimate traffic and complicating detection efforts. By using a file format rarely scrutinized in phishing filters, the campaign bypasses traditional defenses with ease.

This approach reflects an emerging pattern across recent OSINT reporting, technical blogs and industry analysis, highlighting how SVGs are increasingly abused to embed malware loaders and redirect victims to malicious content.

Notably, the campaign’s use of SWIFT-themed lures—referencing the Society for Worldwide Interbank Financial Telecommunication (SWIFT), the global network used by financial institutions for secure messaging—suggests a deliberate focus on victims in the finance sector.

This activity illustrates a broader trend in phishing tradecraft: attackers are moving beyond credential theft into delivering advanced malware using creative, low-profile vectors. Defenders should adapt detection logic and employee training accordingly—recognizing that even innocuous file types like SVGs can now act as malware delivery platforms.

Inside the campaign

Unlike typical phishing campaigns that aim for credential theft through spoofed login pages, this campaign transitioned from lure to loader, turning what appeared to be an image file into the starting point for a multi-stage malware infection chain.

Initial delivery: Image-disguised lure

The campaign’s initial access phase involved phishing emails impersonating SWIFT Global Services, urging recipients to review time-sensitive payment or transfer confirmations. The attached file, presented as a legitimate document, was a weaponized SVG containing JavaScript.

Once rendered, the SVG entices the victim to download a report that appears to be a PDF; selecting either of the presented PDF options triggers the embedded JavaScript, which saves a ZIP archive to the system.

From SVG to malware loader

Once the archive is extracted, victims find a file named Swift Transaction Report.js that contains obfuscated JavaScript. The script was designed to evade detection using Unicode escape encoding and string concatenation. Executing it triggers the download of a heavily obfuscated Java Archive (JAR) file, such as Swift Confirmation Copy.jar or Tranzacție+în+USD-pdf.jar. These acted as first-stage downloaders, protected with obfuscators like Branchlock and Zelix KlassMaster to evade static and behavioral analysis.
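To show what a mail-gateway or endpoint check for this vector can look at, here is an added example that is not code from the X-Force report: a small Python scanner that parses an SVG attachment and flags the features this chain relies on, namely a script element, event-handler attributes such as onload, javascript: or data: links, and the two obfuscation markers described above (Unicode \uXXXX escapes and quoted-string concatenation). The sample SVG, the thresholds and the finding names are constructed for the demonstration; the script body inside the sample only assigns strings and does nothing else.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real campaign file): a minimal SVG that carries an
# onload handler, a javascript: link and a <script> block whose strings are built
# from Unicode escapes and concatenation. The script body only assigns strings.
SAMPLE_SVG = r"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="600" height="400" onload="init()">
  <rect width="600" height="400" fill="#ffffff"/>
  <text x="20" y="40">Swift Transaction Report</text>
  <a xlink:href="javascript:init()"><text x="20" y="80">Download PDF</text></a>
  <script type="text/javascript"><![CDATA[
    var p = "\u0053\u0077\u0069\u0066\u0074" + "\u0020" + "\u0052\u0065\u0070";
    function init() { var q = p + "ort"; }
  ]]></script>
</svg>
"""

UNICODE_ESCAPE = re.compile(r"\\u[0-9a-fA-F]{4}")   # \uXXXX sequences
STRING_CONCAT = re.compile(r'"\s*\+\s*"')            # "..." + "..." joins
ESCAPE_THRESHOLD = 8      # assumed tuning values; raise them to cut noise
CONCAT_THRESHOLD = 2


def local_name(qualified):
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(data):
    """Return (finding, detail) pairs for active content in an SVG document."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML can still render leniently in some viewers, so an
        # unparseable attachment is a finding, not a clean result.
        return [("unparseable_xml", str(exc))]
    for elem in root.iter():
        tag = local_name(elem.tag)
        if tag == "script":
            body = elem.text or ""
            findings.append(("script_element", f"{len(body)} chars"))
            escapes = len(UNICODE_ESCAPE.findall(body))
            concats = len(STRING_CONCAT.findall(body))
            if escapes >= ESCAPE_THRESHOLD:
                findings.append(("unicode_escape_obfuscation", f"{escapes} escapes"))
            if concats >= CONCAT_THRESHOLD:
                findings.append(("string_concat_obfuscation", f"{concats} joins"))
        elif tag == "foreignObject":
            findings.append(("foreign_object", "embeds non-SVG markup"))
        for attr, value in elem.attrib.items():
            name = local_name(attr)
            if name.startswith("on"):
                findings.append(("event_handler", f"<{tag} {name}>"))
            elif name == "href" and value.strip().lower().startswith(("javascript:", "data:")):
                findings.append(("active_href", f"<{tag} href={value[:24]}>"))
    return findings


def is_suspicious(data):
    """True when the SVG carries any script, handler, active link or parse error."""
    return bool(scan_svg(data))


if __name__ == "__main__":
    for kind, detail in scan_svg(SAMPLE_SVG):
        print(f"{kind:28s} {detail}")
```

A clean image, which never needs a script element, an event handler or a javascript: link, produces no findings, so a policy that quarantines any SVG with a non-empty result costs nothing for legitimate graphics. The escape and concatenation thresholds are a starting point; the decision a practitioner cares about is the presence of script at all, and the obfuscation counters only add context for triage.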

IBM X-Force also analyzed SVG samples that dropped the JAR downloader directly instead of the ZIP file containing the JavaScript, skipping one stage of the infection chain.

If the target system had the Java Runtime Environment (JRE) installed, the loader executed and initiated a series of environmental checks to detect sandboxing or analysis tools. These included inspecting system processes, entropy and virtualization indicators. Only after validating a real-user environment did the malware attempt to retrieve second-stage payloads.

To do so, it reached out to attacker-controlled Amazon S3 buckets, blending malicious downloads into otherwise trusted cloud service traffic. Some variants embedded the encrypted payloads inside benign-looking decoy files to further reduce the likelihood of detection during transfer.

Payload execution and malware deployment

Once evasion checks were passed, the loader established outbound connections to attacker-controlled Amazon S3 buckets to retrieve encrypted second-stage payloads. The use of cloud-based infrastructure added complexity to detection efforts, as traffic to services like amazonaws.com often blends in with normal enterprise activity.

Payloads were observed being downloaded from:

  • octupusgreat.s3.us-east-1.amazonaws[.]com
  • seasongretting.s3.eu-west-1.amazonaws[.]com
  • seasonmonster.s3.us-east-1.amazonaws[.]com

Upon decryption and unpacking, the malware wrote files to key persistence locations, including:

  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\ — ensuring execution upon user login
  • %AppData%\Microsoft\Vault\cred\ — suspected to be used for staging decoy files and storing exfiltrated data

In addition to file-based persistence, some variants registered scheduled tasks or modified registry autorun keys to maintain access across system reboots. Several samples also delayed execution or gated functionality based on user interaction, further complicating detection through automated sandboxing.
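The process and file activity described in this section (a JAR launched from a user directory, tasklist.exe spawned by the Java runtime, writes into the Startup folder and the Vault\cred path, and wscript.exe running a .js from a temp directory) translates directly into endpoint detection logic. The following Python is an added example, not code from the X-Force report: it runs five such rules over a handful of normalized telemetry events. The event schema, the paths under C:\Users\alice, the jre8 install path and the file names payload.jar and inbox.dat are constructed; the rule names are my own.

```python
import ntpath

# Assumed normalized telemetry shape (not a specific EDR schema): process events
# carry parent/image/cmdline, file events carry process/path. All values are constructed.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Java\jre8\bin\java.exe",
     "cmdline": r'"C:\Program Files\Java\jre8\bin\java.exe" -jar "C:\Users\alice\Downloads\Swift Confirmation Copy.jar"'},
    {"type": "process", "parent": r"C:\Program Files\Java\jre8\bin\java.exe",
     "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist.exe"},
    {"type": "file_write", "process": r"C:\Program Files\Java\jre8\bin\java.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.jar"},
    {"type": "process", "parent": r"C:\Program Files\Java\jre8\bin\java.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\email.js"'},
    {"type": "file_write", "process": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Vault\cred\inbox.dat"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

JAVA_HOSTS = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
VAULT_CRED_DIR = "\\microsoft\\vault\\cred\\"


def exe_name(path):
    """Lower-case file name of a Windows image path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def evaluate(event):
    """Return the names of the rules an event triggers (empty list if none)."""
    hits = []
    if event["type"] == "process":
        image = exe_name(event["image"])
        parent = exe_name(event.get("parent", ""))
        cmd = event.get("cmdline", "").lower()
        from_user_dir = any(d in cmd for d in USER_WRITABLE)
        if image in JAVA_HOSTS and "-jar" in cmd and from_user_dir:
            hits.append("java_jar_from_user_dir")
        if parent in JAVA_HOSTS and image == "tasklist.exe":
            hits.append("java_spawns_tasklist")
        if image in SCRIPT_HOSTS and ".js" in cmd and from_user_dir:
            hits.append("wscript_js_from_user_dir")
    elif event["type"] == "file_write":
        proc = exe_name(event["process"])
        path = event["path"].lower()
        if STARTUP_DIR in path and proc in JAVA_HOSTS | SCRIPT_HOSTS:
            hits.append("startup_folder_write_by_script_host")
        if VAULT_CRED_DIR in path:
            hits.append("vault_cred_dir_write")
    return hits


def triage(events):
    """Map the index of each event that fired at least one rule to its rule names."""
    result = {}
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for index, rules in triage(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["type"], ", ".join(rules))
```

Each rule on its own is noisy in a developer-heavy estate (Java from a Downloads folder is common), which is why the example keys on the combination: the same Java process chaining a JAR launch, a tasklist.exe child and a Startup-folder write within a short window is the pattern worth paging on, and correlating on the parent image path makes that chain visible.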

Modular RAT capabilities

The malware deployed in this campaign exhibits a modular architecture, allowing operators to tailor functionality based on the victim’s environment and objectives. IBM X-Force observed the use of multiple payloads with overlapping surveillance, data theft and persistence capabilities.

  • Blue Banana RAT
    Delivered via an obfuscated JAR file (windowsdefi.jar), Blue Banana enables remote shell access, file execution, credential harvesting (e.g., FileZilla) and even DDoS participation. It was protected using Branchlock, Zelix KlassMaster, and Allatori obfuscators to complicate analysis.
  • SambaSpy RAT
    Communicating via No-IP DDNS domains (e.g., wwce.zapto[.]org), SambaSpy supports webcam access, keylogging, clipboard monitoring and file manipulation. It uses AES-encrypted channels for secure data exfiltration and supports plugin-based extensibility.
  • SessionBot implant
    This lightweight implant (tg.jar) performs system reconnaissance, gathering details such as RDP history, user and network sessions and public IP geolocation. It leverages the Telegram Bot API for exfiltration and command-and-control, often downloading additional modules like 1.jar, 2.jar, or recovery.jar.

Additionally, the campaign employed an Outlook-focused email stealer (email.js) executed via wscript.exe. It scanned for Outlook profiles, extracted inbox contents and staged the data for exfiltration via Telegram-based HTTP POST requests.

To conceal its activity, the malware dropped benign-looking decoy files (e.g., Tranzacție+în+USD-pdf.txt, Swift Confirmation Copy.pdf) that opened upon execution, reinforcing the illusion of legitimacy while malicious processes were executed in the background.

Command-and-control infrastructure

In addition to the Amazon S3 infrastructure previously described, the campaign leveraged Telegram's Bot API for post-compromise command-and-control (C2). This approach enabled threat actors to interact with infected hosts, exfiltrate sensitive data and dynamically issue instructions, all over encrypted messaging infrastructure commonly allowed in enterprise environments.

C2 communications were routed through:

  • api.telegram[.]org/bot7369538001...
  • api.telegram[.]org/bot7819421465...

These channels were used for system reconnaissance, extracting Outlook inbox data, and capturing files by malware modules such as SessionBot and the email.js Outlook stealer. The use of Telegram provided anonymity, encryption and operational ease, while also complicating detection through conventional network monitoring.

This dual-channel infrastructure model — combining cloud-based payload hosting with encrypted messaging — reflects a growing trend among financially motivated threat actors to blend malicious traffic into trusted services, prolonging dwell time and increasing the likelihood of success.

Change in theme

X-Force observed evidence of a change from using SWIFT-themed lures to a financial crimes investigation-themed lure beginning at the end of April.

The SVG file using this theme saved a JAR file, Case No.86-2025.jar, to disk. This JAR is the same Java-based downloader used in the SWIFT-themed campaign. Another change was the addition of a Java-based RAT, STRRAT, observed being downloaded alongside the SambaSpy and Blue Banana RATs. STRRAT is known for its information-stealing capabilities and flexibility in delivering multiple malicious functions. Despite being relatively lightweight, STRRAT is capable of mimicking ransomware behavior and enabling full remote control over infected systems.

Why it matters

This campaign reflects a broader evolution in phishing tradecraft—moving beyond credential harvesting toward modular malware delivery, long-term access and data exfiltration. By abusing SVG files, a format often overlooked by security filters, threat actors demonstrate a willingness to exploit gaps in conventional detection logic.

The use of SWIFT-themed lures highlights a deliberate focus on financial institutions, leveraging familiarity and trust to enhance click-through rates. Combined with cloud-based infrastructure and encrypted messaging channels like Telegram, the attackers effectively blend malicious activity into normal traffic, reducing the likelihood of early detection.

For defenders, this underscores the need to reassess assumptions about “safe” file types and benign infrastructure. Phishing is no longer just an email problem—it’s an entry point to sophisticated, multi-stage intrusion attacks. Organizations must stay vigilant, extending visibility to nontraditional vectors and continuously adapting detection logic to match the pace of attacker innovation.

Recommendations:

Organizations can reduce their exposure to campaigns like this by combining endpoint visibility, secure configuration, and user education.

  • Keep antivirus and EDR tools up to date: Ensure detection engines are current to identify known payloads and behaviors associated with Java-based malware.
  • Enforce multi-factor authentication (MFA): Apply MFA across all user accounts, especially those used for email, remote access and financial systems.
  • Apply software patches promptly: Maintain regular patch cycles for operating systems, Java runtimes, browsers and email clients to reduce exploit opportunities.
  • Disable macros by default: Prevent the execution of macros from email attachments unless explicitly approved and signed.
  • Enforce least privilege: Limit user account permissions to only what is necessary to reduce the blast radius of a successful compromise.
  • Monitor for cloud abuse: Inspect outbound network traffic for suspicious connections to cloud storage platforms like Amazon S3, particularly to unknown or misconfigured buckets.
  • Train employees on phishing tactics: Educate staff—especially those in finance and admin roles—on how to recognize suspicious lures, file types and delivery methods.
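As an added example for the "monitor for cloud abuse" item above and for the Telegram C2 channel described in the command-and-control section (this is not code from the X-Force report): a Python pass over proxy log lines that flags Bot API calls under api.telegram.org and requests to S3 buckets outside an allow list, raising the severity when the requesting process is a Java runtime or Windows script host. The log format, client addresses, bot id, token and allow list are constructed; only the octupusgreat bucket name is taken from the indicator list on this page.

```python
import re
from collections import namedtuple

Alert = namedtuple("Alert", "kind host detail process")

# Constructed proxy log (not real traffic). Field order is assumed:
# "<time> <client> <process> <host> <path>". The bot token is a placeholder.
SAMPLE_LOG = """\
2025-05-02T09:14:03Z 10.0.5.21 java.exe octupusgreat.s3.us-east-1.amazonaws.com /decoy/report.pdf
2025-05-02T09:14:09Z 10.0.5.21 java.exe api.telegram.org /bot000000000:AAAA-placeholder-token/sendDocument
2025-05-02T09:15:30Z 10.0.5.44 outlook.exe outlook.office365.com /owa/
2025-05-02T09:16:02Z 10.0.5.44 backupagent.exe corp-backups-example.s3.eu-west-1.amazonaws.com /daily/2025-05-02.tar
2025-05-02T09:17:45Z 10.0.5.21 wscript.exe api.telegram.org /bot000000000:AAAA-placeholder-token/sendMessage
"""

KNOWN_BUCKETS = {"corp-backups-example"}   # assumed allow list of sanctioned buckets
SCRIPT_HOSTS = {"java.exe", "javaw.exe", "wscript.exe", "cscript.exe"}

# Virtual-hosted S3 names: <bucket>.s3.<region>.amazonaws.com or <bucket>.s3-<region>.amazonaws.com
S3_HOST = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3[.-](?P<region>[a-z0-9-]+)\.amazonaws\.com$")
# Telegram Bot API paths have the form /bot<id>:<token>/<method>
BOT_PATH = re.compile(r"^/bot(?P<id>\d+):[A-Za-z0-9_-]+/(?P<method>[A-Za-z]+)")


def parse_line(line):
    """Split one log line into its five assumed fields."""
    time, client, process, host, path = line.split(maxsplit=4)
    return {"time": time, "client": client, "process": process.lower(),
            "host": host.lower(), "path": path}


def inspect(entry):
    """Return alerts for one log entry."""
    alerts = []
    host, path, proc = entry["host"], entry["path"], entry["process"]
    if host == "api.telegram.org":
        m = BOT_PATH.match(path)
        if m:
            # Record the bot id and method only: the token is a credential and
            # must not be copied into alert text or tickets.
            severity = "high" if proc in SCRIPT_HOSTS else "medium"
            alerts.append(Alert("telegram_bot_api", host,
                                f"bot {m['id']} {m['method']} ({severity})", proc))
    m = S3_HOST.match(host)
    if m and m["bucket"] not in KNOWN_BUCKETS:
        alerts.append(Alert("unknown_s3_bucket", host,
                            f"bucket {m['bucket']} in {m['region']}", proc))
    return alerts


def analyze(log_text):
    """Run inspect() over every non-empty line of a proxy log."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(inspect(parse_line(line)))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.kind:18s} {a.process:12s} {a.host}  {a.detail}")
```

The allow list is the part that needs maintenance: the rule only works if the buckets your own tooling talks to are enumerated, otherwise every backup agent and CI runner becomes an alert. Keeping the bot token out of the alert detail matters because tickets and SIEM dashboards are widely readable, and the token is exactly what an analyst would otherwise be tempted to paste into a browser.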

Indicator | Indicator Type | Context

141e8bf99ff6b58816951ed8bfd821079d8082be6c02cb36f0fd1ffe4e06e664 | SHA256 file hash | Tranzacție+în+USD-pdf.jar (Java downloader)
ae345b40d165255284bf4c6ab00a871fcb035b552ac0b20b3cfb19e4644e49b7 | SHA256 file hash | Swift Confirmation Copy.jar (Java downloader)
a4ed118f15c5c943d5964fe381f1bd4f9ce02d4c0f0212d3f2e95a0e37e2d1a2 | SHA256 file hash | Case No.86-2025.jar (Java downloader)
6a9f195f6fa9b298b94235b9b7dfa415f67ce29d0f5135d3e6705ae3c84da88b | SHA256 file hash | email.js (Outlook email stealer)
8bcba87df6d459a573441fb848b90451d65bce3a0f2ac08844c098922672b734 | SHA256 file hash | Swift Confirmation Copy.pdf (decoy file)
701435e822a78b82d53281af3ffb20b3732462ec99c6f36afdfc6f8eed4123f9 | SHA256 file hash | Swift Transaction Report.js (JavaScript downloader)
f92240185abf62317800180aba0fbda19d8e494a693e5a223003f52a88e3dda8 | SHA256 file hash | windowsdefi.jar (Blue Banana RAT)
b0dcc56ae5e90f6f2f4d05c67950832550b05505731b298f8230f0e43ef35c9e | SHA256 file hash | soso.jar (SambaSpy RAT)
bc039b022d1a60cb519ae0f43f07d7155273867cc40ce78025959733d795f96f | SHA256 file hash | core.jar (STRRAT RAT)
6ebab76c90cb36c09119a922d38545326bb7f211d6b4b9792530e677167d0477 | SHA256 file hash | tg.jar (SessionBot implant)
tcp[:]//wwce.zapto[.]org:443 | Domain | C2 for SambaSpy and Blue Banana RATs
tcp[:]//wce.zapto[.]org:443 | Domain | C2 for SambaSpy and Blue Banana RATs
str-master[.]pw | Domain | C2 for STRRAT
api.telegram[.]org | Domain | Exfiltration and bot communication via Telegram API
https[:]//octupusgreat.s3.us-east-1.amazonaws[.]com | URL | Initial payload hosted on Amazon S3 bucket
https[:]//seasongretting.s3.eu-west-1.amazonaws[.]com | URL | Payloads hosted on Amazon S3 bucket
https[:]//seasonmonster.s3.us-east-1.amazonaws[.]com | URL | Payloads hosted on Amazon S3 bucket
https[:]//fullpremier.s3.eu-west-1.amazonaws[.]com | URL | Payloads hosted on Amazon S3 bucket
java -jar Tranzacție+în+USD-pdf.jar | Process | Malware execution command
tasklist.exe | Process | Used by malware to enumerate analysis tools
wscript.exe email.js | Process | Executes email theft process
swiftzjy1@financeplus[.]me | Email address | Threat actor email
swiftkbp1@farmaciafamiliei[.]md | Email address | Threat actor email
swiftkcs1@farmaciafamiliei[.]md | Email address | Threat actor email
swiftotb1@financeplus[.]me | Email address | Threat actor email
swiftugt1@financeplus[.]me | Email address | Threat actor email
swiftvqz1@financeplus[.]me | Email address | Threat actor email
Swift Confirmation Copy.jar | Java Archive file | Malicious JAR used in initial execution
Swift Transaction Report.js | JavaScript file | Obfuscated JavaScript loader
Swift Confirmation Copy.pdf | PDF file | Decoy PDF file shown after initial infection
