
Recent Cyber Threat: Hackers Weaponizing SVG Files and Office Documents Against Windows Users

A sophisticated phishing and malware campaign, reported on December 19, 2025, targets Windows users—primarily in manufacturing and government sectors across Italy, Finland, and Saudi Arabia. Threat actors use multiple infection vectors, including weaponized Microsoft Office documents and malicious SVG (Scalable Vector Graphics) files, to deliver commodity loaders that deploy Remote Access Trojans (RATs) and information stealers.

Key Attack Methods

  • Weaponized Office Documents: Attackers distribute Microsoft Office files (e.g., Word or RTF) exploiting CVE-2017-11882, a longstanding memory corruption vulnerability in the Equation Editor component (patched in 2017 but still effective on unpatched systems). Opening these files triggers remote code execution without user interaction beyond enabling content.
  • Malicious SVG Files: SVG files, often attached to or linked from phishing emails, embed JavaScript that runs when the file is opened in a browser (the default handler for .svg files on Windows). The script can redirect the user to a phishing site, drop a payload, or initiate a download.
  • Other Vectors: ZIP/RAR archives with LNK shortcuts or JavaScript files, often disguised as purchase orders or business communications.

The campaign uses a four-stage execution chain:

  1. Initial phishing email with attachment.
  2. Payload execution (e.g., via exploit or script).
  3. Loader deployment using techniques like process hollowing (injecting into legitimate Windows processes).
  4. Final malware (RATs or stealers) for data exfiltration or persistence.

All of these vectors converge on shared "commodity loader" infrastructure, which suggests a malware-as-a-service operation behind the campaign.

Broader Context: Rising Abuse of SVG Files

SVG abuse has surged throughout 2025:

  • Early 2025: Campaigns targeting Gmail, Outlook, and Dropbox users with SVGs embedding links to fake login pages.
  • Mid-2025: Global phishing against financial institutions using SVGs to drop ZIP archives leading to RATs like SambaSpy or STRRAT.
  • Ongoing: AI-assisted obfuscation in SVGs to evade detection, often mimicking Office 365 or SharePoint.

Microsoft responded by blocking inline SVG images in Outlook (web and Windows versions) starting September 2025, due to their frequent use in phishing.

How to Protect Yourself

  • Patch Systems: Ensure Microsoft Office is fully updated—CVE-2017-11882 has been patched for years.
  • Email Caution: Avoid opening unexpected attachments, especially Office docs, SVGs, or archives. Hover over links and verify senders.
  • Security Tools: Use endpoint protection that scans SVG/XML content and blocks exploits. Enable Microsoft Defender features.
  • Change Defaults: On Windows, associate .SVG files with a text editor (e.g., Notepad) instead of the browser, so that double-clicking an attachment displays its markup rather than executing any embedded script.
  • Awareness: Train on recognizing business-themed lures (e.g., fake invoices or POs).
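The "Malicious SVG Files" vector above and the "Security Tools" advice to scan SVG/XML content both come down to the same question: does this SVG carry active content? The following scanner is an added example written for this page (it is not code from Cyble, Cybersecurity News, or any security product) showing the checks a mail gateway or endpoint scanner would apply. It uses only the Python standard library; the two sample SVGs are constructed for the example, and the `example.invalid` host is a placeholder, not an indicator from the campaign.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# URI schemes that execute or embed code when used in an SVG href.
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)
# References that pull content from the network (lure images, redirects).
EXTERNAL_REF = re.compile(r"^\s*(https?|ftp)://", re.IGNORECASE)
# Element names (namespace stripped, lower-cased) that carry active content.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


@dataclass
class Finding:
    severity: str   # "high" = executes code, "medium" = needs review
    reason: str
    element: str    # local name of the element the finding was made on


def _local(name: str) -> str:
    """Strip an XML namespace such as {http://www.w3.org/2000/svg} from a name."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list[Finding]:
    """Walk the SVG tree and report constructs that can run or fetch code.

    Note: the stdlib parser is not hardened against entity-expansion abuse;
    a production scanner should parse untrusted input with defusedxml instead.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A browser would refuse to render this, but a gateway should still
        # hold it for review rather than pass it through unexamined.
        return [Finding("medium", f"not well-formed XML: {exc}", "document")]

    findings: list[Finding] = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(Finding("high", f"<{tag}> element present", tag))
        for attr, value in elem.attrib.items():
            name = _local(attr)          # handles xlink:href as well as href
            if name.startswith("on"):    # onload, onclick, onmouseover, ...
                findings.append(Finding("high", f"event handler attribute {name}", tag))
            elif name == "href":
                if SCRIPT_SCHEME.match(value):
                    scheme = value.split(":", 1)[0].strip().lower()
                    findings.append(Finding("high", f"href uses {scheme}: scheme", tag))
                elif EXTERNAL_REF.match(value):
                    findings.append(Finding("medium", f"external reference {value}", tag))
    return findings


def verdict(data: bytes) -> str:
    """Collapse findings into a gateway decision: block, review, or allow."""
    sev = {f.severity for f in scan_svg(data)}
    if "high" in sev:
        return "block"
    if "medium" in sev:
        return "review"
    return "allow"


# Constructed sample: an ordinary image-only SVG.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

# Constructed sample: the shape of a phishing SVG as described in the article
# (script element, event handler, javascript: link, remote lure image).
# Script body deliberately left as a placeholder comment.
SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="void(0)">
  <script><![CDATA[ /* constructed placeholder: script body omitted */ ]]></script>
  <a xlink:href="javascript:void(0)"><text x="1" y="10">Open document</text></a>
  <image xlink:href="https://example.invalid/lure.png" width="10" height="10"/>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(f"{label}: {verdict(sample)}")
        for f in scan_svg(sample):
            print(f"  [{f.severity}] <{f.element}> {f.reason}")
```

The scanner deliberately keys on structure (which elements and attributes are present) rather than on script content, because the article notes that the script bodies are now routinely obfuscated, including with AI assistance; an `onload` attribute or a `javascript:` href is a reliable signal regardless of how the payload inside is encoded. Pairing this with the "Change Defaults" step above gives two independent layers: the gateway blocks files with active content, and a text-editor association means any file that slips through still does not execute on double-click.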

This campaign highlights how attackers repurpose legitimate file formats to bypass defenses. Staying vigilant and updated is key to mitigation. For more details, refer to reports from Cyble and Cybersecurity News.
