SVG phishing campaign targets Ukraine

Fortinet’s FortiGuard Labs has published a detailed analysis of a phishing campaign targeting Ukrainian organizations. The attackers used an unusual SVG file as the initial infection vector, which ultimately led to the deployment of Amatera Stealer (information-stealing malware) and PureMiner (a stealth crypto-miner).

The SVG file triggered a password-protected archive containing a CHM file that launched a loader called “CountLoader,” enabling fileless execution, process hollowing, and DLL side-loading.

This combination of stealer + miner, delivered through an SVG-based chain, shows a growing sophistication in phishing campaigns, especially those aimed at critical sectors.

Full report: https://www.fortinet.com/jp/blog/threat-research/svg-phishing-hits-ukraine-with-amatera-stealer-pureminer

7 points | by Stasshe 15 hours ago
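A defender-side triage check for the SVG features a lure like this depends on (inline script, event-handler attributes, clickable external links, HTML embedded via foreignObject). This is an added example, not code from the Fortinet report or from this thread; the sample SVG documents are constructed.

```python
"""Flag SVG content that can act as a phishing lure or dropper stage.

Added example; indicator names and sample documents are constructed.
"""
import xml.etree.ElementTree as ET


def _local(qualified_name: str) -> str:
    """Strip an XML namespace prefix like '{http://...}' from a tag or attribute."""
    return qualified_name.split("}", 1)[1] if "}" in qualified_name else qualified_name


def svg_risk_indicators(svg_text: str) -> list:
    """Return the sorted indicator names found in an SVG document."""
    found = set()
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["malformed-xml"]  # mail gateways should not pass unparsable SVG through
    for el in root.iter():
        name = _local(el.tag).lower()
        if name == "script":
            found.add("script")  # inline JavaScript executes when the SVG opens in a browser
        if name == "foreignobject":
            found.add("foreignObject")  # arbitrary HTML (forms, iframes) nested in the image
        for attr, value in el.attrib.items():
            aname = _local(attr).lower()
            if aname.startswith("on"):  # onload=, onclick=, onmouseover=, ...
                found.add("event-handler")
            if aname == "href":
                v = value.strip().lower()
                if v.startswith("javascript:"):
                    found.add("javascript-uri")
                elif v.startswith(("http://", "https://", "data:")):
                    found.add("external-href")  # click-through to a remote download
    return sorted(found)


# Constructed samples: a plain icon and a lure combining several indicators.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="run()">
  <a xlink:href="https://example.invalid/document.zip"><text>Open document</text></a>
  <foreignObject><div xmlns="http://www.w3.org/1999/xhtml">Loading...</div></foreignObject>
  <script>run()</script>
</svg>"""

if __name__ == "__main__":
    print("benign:", svg_risk_indicators(BENIGN_SVG))
    print("lure:  ", svg_risk_indicators(LURE_SVG))
```

Any non-empty result is a reason to quarantine the attachment for analyst review rather than render it in the mail client.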

2 comments

  • SurceBeats 5 hours ago
    The sophistication here (SVG > CHM > fileless execution > dual payload) suggests access to commercial malware toolkits rather than bespoke APT development.
  • GamingAtWork 15 hours ago
    It seems like the SVG file/image contained an embedded link? And they clicked the link and got pulled into one of those scam websites asking you to install shit software viruses. It was not that the SVG file just went crazy and hacked their entire machine...
    • Stasshe 7 hours ago
      Not exactly — it’s a bit more than just a link scam. The SVG actually started a multi-stage infection chain, downloading a password-protected archive with a malicious CHM/HTA that deployed Amatera Stealer and PureMiner. So it’s a real system compromise, not just a fake site trick.