QBot malware phishing campaigns now use SVG files for HTML smuggling, a technique that creates a malicious Windows installer locally on the victim's machine.
The embedded SVG files contain JavaScript that reassembles a Base64-encoded QBot installer, which is then automatically offered as a download through the victim's browser.
QBot is Windows malware that arrives via phishing emails. It loads additional payloads such as and .
SVG-based Smuggling
HTML smuggling refers to a method used to "smuggle" encoded JavaScript payloads inside HTML attachments or websites.
When the HTML document is opened, it decodes the JavaScript and executes it. The JavaScript can then perform malicious actions locally, such as writing an executable to disk.
Because the malicious file is assembled inside the perimeter rather than transferred across it, this lets attackers bypass security products and firewalls that inspect traffic for known-bad files.
Cisco researchers discovered a new QBot phishing campaign. It starts with a stolen reply-chain email that prompts the user to open an attached HTML file.
The attachment uses an HTML smuggling method that embeds an SVG (Scalable Vector Graphics) image in the HTML in order to conceal the malicious code.
Base64-encoded SVG file inside the HTML (Cisco)
Unlike raster image formats such as JPG or PNG, SVGs are XML-based vector files that may legitimately contain HTML <script> tags; this is a valid feature of the file format.
An HTML document can load an SVG file through an <embed> or <iframe> tag. The image is displayed and any JavaScript it contains is executed.
Cisco analysts decoded the JavaScript from the SVG blob. They found a function that converts a JS variable named 'text' into a binary blob, and a second function that converts that blob into a ZIP file, as illustrated below.
Deobfuscated JavaScript code (Cisco)
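The passages above describe the pattern a defender has to look for: an HTML attachment carrying a Base64-encoded SVG whose <script> element decodes text into a blob and hands it to the browser as a file. The following added example (written for this page, not Cisco's or QBot's code) shows a small scanner that pulls inline SVG data URIs out of an HTML document, decodes them, extracts every <script> element, and scores the script text against a list of in-browser file-assembly APIs. The token list, the "two or more indicators" threshold, and both sample HTML documents are assumptions constructed for the example; the suspect sample is an inert stand-in for the decoded code Cisco describes, not a real archive.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Browser APIs that a script uses to turn Base64 text into a downloadable file.
# This token list is an assumption chosen for the example, not Cisco's indicator set.
SMUGGLING_TOKENS = (
    "atob(",                 # Base64 decode inside the browser
    "new Blob(",             # assemble raw bytes into a file-like object
    "URL.createObjectURL",   # expose the blob as a downloadable URL
    ".download",             # force the browser to save it under a file name
    "msSaveOrOpenBlob",      # legacy Internet Explorer / Edge equivalent
)

# <embed>, <iframe>, <img> or <object> whose source is an inline Base64 SVG.
DATA_SVG_RE = re.compile(
    r"<(?:embed|iframe|img|object)[^>]*?(?:src|data)\s*=\s*['\"]"
    r"data:image/svg\+xml;base64,([A-Za-z0-9+/=\s]+)['\"]",
    re.IGNORECASE,
)


def extract_scripts(svg_xml: str) -> list[str]:
    """Return the text of every <script> element in an SVG document."""
    try:
        root = ET.fromstring(svg_xml)
    except ET.ParseError:
        # Malformed XML: fall back to a crude regex so the script body is still seen.
        return re.findall(r"<script[^>]*>(.*?)</script>", svg_xml, re.S | re.I)
    scripts = []
    for el in root.iter():
        # Strip the namespace prefix, e.g. "{http://www.w3.org/2000/svg}script".
        tag = el.tag.split("}")[-1] if isinstance(el.tag, str) else ""
        if tag.lower() == "script":
            scripts.append("".join(el.itertext()))
    return scripts


def scan_html(html: str) -> list[dict]:
    """Decode each inline SVG in the HTML and classify its scripts."""
    findings = []
    for idx, m in enumerate(DATA_SVG_RE.finditer(html)):
        b64 = re.sub(r"\s+", "", m.group(1))
        try:
            svg = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
        except ValueError:
            continue  # not valid Base64, so not a decodable SVG
        scripts = extract_scripts(svg)
        hits = sorted({t for s in scripts for t in SMUGGLING_TOKENS if t in s})
        if len(hits) >= 2:
            verdict = "smuggling"   # script decodes data and builds a file from it
        elif scripts:
            verdict = "script"      # scripted SVG: legitimate but worth review
        else:
            verdict = "clean"
        findings.append({"element": idx, "has_script": bool(scripts),
                         "indicators": hits, "verdict": verdict})
    return findings


def _wrap(svg: str) -> str:
    """Build a minimal HTML page that embeds the SVG as a Base64 data URI (constructed)."""
    b64 = base64.b64encode(svg.encode()).decode()
    return (f'<html><body><embed src="data:image/svg+xml;base64,{b64}" '
            f'type="image/svg+xml"></body></html>')


# Constructed sample: an ordinary scripted-free SVG image.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<rect width="10" height="10" fill="red"/></svg>')

# Constructed, inert stand-in for the pattern Cisco describes: a script that
# decodes a Base64 'text' variable into a Blob. "QUJD" is just "ABC", not an archive.
SUSPECT_SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><script><![CDATA['
               'var text = "QUJD";'
               'var bytes = atob(text);'
               'var blob = new Blob([bytes], {type: "application/zip"});'
               'var url = URL.createObjectURL(blob);'
               ']]></script></svg>')

SAMPLE_BENIGN_HTML = _wrap(BENIGN_SVG)
SAMPLE_SUSPECT_HTML = _wrap(SUSPECT_SVG)

if __name__ == "__main__":
    for name, doc in (("benign", SAMPLE_BENIGN_HTML), ("suspect", SAMPLE_SUSPECT_HTML)):
        print(name, scan_html(doc))
```

The scanner deliberately decodes the SVG before looking for indicators: matching on the outer HTML alone would miss the script, because the only thing visible there is a Base64 blob. A mail gateway or sandbox applying the same idea would decode nested data URIs recursively and treat any embedded SVG that both contains a script and calls a file-assembly API as a candidate for quarantine.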
Cisco explains that the JavaScript inside the SVG image contains the complete malicious ZIP archive, and that the malware is assembled by the JavaScript on the user's machine.
Because no archive is ever transferred as a file, this HTML smuggling method can slip past security systems that filter attachments and downloads for malicious content.
To avoid scrutiny by antivirus software, the downloaded archive is password protected; however, the HTML page the victim opens displays the password for the ZIP file.
ZIP download dialog and fake Adobe HTML showing the password (Cisco)
If the victim opens the archive, an ISO file is extracted to the victim's computer, leading to an "ISO-LNK-CMD-DLL" infection chain or a variant of it.
The assumption is that hiding the malicious code inside an SVG file within the HTML attachment obfuscates it and reduces the chance of detection.
Infection chain (Cisco)
To protect your systems against HTML smuggling, block JavaScript and VBScript execution for downloaded content.
QBot recently exploited a Windows vulnerability that enabled it to evade security alerts. Microsoft corrected the issue yesterday in Microsoft's .