Hackers Abuses SVG Image Files to Deliver GUloader Malware

Hackers are exploiting the versatility of SVG (Scalable Vector Graphics) files to distribute the GUloader malware.

Understanding hostile actors’ techniques and tools is essential to staying ahead in the ever-changing cybersecurity field.

Its stealthy methods and ability to elude detection make this sophisticated malware loader a significant threat to companies and individuals.

Guloader uses evasion techniques, making it difficult for typical security measures to identify and mitigate. This highly elusive loader poses a significant threat to both organizations and individuals.

You can analyze a malware file, network, module, and registry activity with the ANY.RUN malware sandbox and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

Rise of GUloader

GUloader is known for its stealth and ability to evade traditional security measures through polymorphic code and encryption.

This allows it to dynamically change its structure, making it difficult for antivirus software and intrusion detection systems to detect its presence.

According to the observations made by SpiderLabs, there has been a notable increase in the frequency of GuLoader utilization.

McAfee Labs has recently observed a campaign where GUloader is distributed via malicious SVG files sent through email.

Spam Email

SVG files are commonly used for two-dimensional vector graphics and support interactivity and animation through JavaScript and CSS.

Modern browsers like Chrome, Firefox, and Edge can render SVG files natively, treating them as standard web content. Cybercriminals are exploiting this inherent trust in SVG files to deliver malware.

The infection begins when a user opens an SVG file attached to an email. This triggers the browser to download a ZIP file containing a Windows Script File (WSF).

The WSF then executes, using wscript to call a PowerShell command that connects to a malicious domain and executes hosted content, including shellcode injected into the MSBuild application.

Infection Chain

Technical Analysis of the Attack

The attack starts with a spam email containing an SVG file named “dhgle-Skljdf.svg”. The SVG file contains JavaScript that creates a malicious ZIP archive when the file is opened.

The ZIP file once dropped into the system, reveals an obfuscated WSF script that is difficult to analyze.

This script invokes PowerShell to connect to a malicious domain and execute the retrieved content, including base64-encoded shellcode and a PowerShell script.

Process Tree

The PowerShell script attempts to load the shellcode into the legitimate MSBuild process using the Process Hollowing technique.

After injection, the shellcode performs an anti-analysis check and modifies the Registry run key to achieve persistence.

The final stage involves downloading and executing the final malicious executable, GUloader, or malware variants.

Encoded PowerShell

Using SVG files to deliver malware like GUloader is a concerning development in the cybersecurity landscape.

Organizations and individuals must treat unexpected email attachments cautiously, especially those containing SVG files. Security professionals are encouraged to update their detection systems to counter this evolving threat.



You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Volkswagen Hacked – Hackers Stolen 19,000 Documents From VW Server

Volkswagen, one of the world's leading automotive manufacturers, has fallen victim to a sophisticated hacking…

4 hours ago

Beware Of Fake MetaMask Android Apps That Steal Login Details

Threat actors exploit fake Android apps primarily for illicit reasons, such as stealing sensitive and…

6 hours ago

CrushFTP Zero-Day Could Allow Attackers To Gain Complete Server Access

CrushFTP disclosed a zero-day vulnerability (CVE-2024-4040) affecting versions below 10.7.1 and 11.1.0. The vulnerability allows…

6 hours ago

IBM QRadar XSS Flaw Let Attackers Arbitrary JavaScript Code

A significant vulnerability was detected in IBM QRadar Suite Software and Cloud Pak for Security,…

6 hours ago

Seedworm Hackers Exploit RMM Tools to Deliver Malware

The notorious hacking group Seedworm, also known as MuddyWater, has been found exploiting legitimate remote…

6 hours ago

WordPress Plugin Flaw Exposes 10k+ Websites to Cyber Attacks

A critical vulnerability in the WP Datepicker WordPress plugin was identified, affecting over 10,000 active…

7 hours ago