Svg Phishing Campaign Targets Ukraine

Posted2 months agoActive2 months ago

Stasshe

8 points

4 comments

Techstory

calmnegative

Debate

20/100

CybersecurityPhishingMalware

Key topics

Cybersecurity

Phishing

Malware

Fortinet’s FortiGuard Labs has published a detailed analysis of a phishing campaign targeting Ukrainian organizations. The attackers used an unusual SVG file as the initial infection vector, which ultimately led to the deployment of Amatera Stealer (information-stealing malware) and PureMiner (a stealth crypto-miner).

The SVG file triggered a password-protected archive containing a CHM file that launched a loader called “CountLoader,” enabling fileless execution, process hollowing, and DLL side-loading.

This combination of stealer + miner, delivered through an SVG-based chain, shows a growing sophistication in phishing campaigns, especially those aimed at critical sectors.

Full report: https://www.fortinet.com/jp/blog/threat-research/svg-phishing-hits-ukraine-with-amatera-stealer-pureminer

A phishing campaign targeting Ukrainian organizations uses an SVG file to deploy information-stealing malware and a crypto-miner, highlighting growing sophistication in phishing attacks.

Snapshot generated from the HN discussion

Discussion Activity

Light discussion

First comment

12m

Peak period

8-10h

Avg / period

1.3

Key moments

01Story posted
Oct 29, 2025 at 10:44 AM EDT
2 months ago
Step 01
02First comment
Oct 29, 2025 at 10:56 AM EDT
12m after posting
Step 02
03Peak activity
2 comments in 8-10h
Hottest window of the conversation
Step 03
04Latest activity
Oct 30, 2025 at 6:06 AM EDT
2 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (4 comments)

Showing 4 comments

GamingAtWork

2 months ago

1 reply

it seems like the SVG file/image contained an embedded link? And they clicked the link and got pulled into one of those scam websites asking you to install shit software viruses. It was not that the svg file just went crazy and hacked their entire machine...

StassheAuthor

2 months ago

Not exactly — it’s a bit more than just a link scam. The SVG actually started a multi-stage infection chain, downloading a password-protected archive with a malicious CHM/HTA that deployed Amatera Stealer and PureMiner. So it’s a real system compromise, not just a fake site trick.

SurceBeats

2 months ago

1 reply

The sophistication here (SVG > CHM > fileless execution > dual payload) suggests access to commercial malware toolkits rather than bespoke APT development.

StassheAuthor

2 months ago

And, it might be taking longer to discover because it's hard to notice with SVG.

View full discussion on Hacker News

ID: 45747517Type: storyLast synced: 11/17/2025, 8:08:27 AM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

View on HN