Cyberdudebivash

Fileless Malware Evasion: Analyzing How PureMiner Uses SVG Vector Graphics for Initial Access and Data Theft.

, , , ,
CYBERDUDEBIVASH

Fileless Malware Evasion: Analyzing How PureMiner Uses SVG Vector Graphics for Initial Access and Data Theft

By CyberDudeBivash • September 29, 2025, 4:05 PM IST • Threat Intelligence Report

In the relentless cat-and-mouse game of cybersecurity, attackers are constantly innovating to bypass our defenses. We are now tracking a new, highly evasive campaign that combines two powerful techniques: **fileless malware** and a novel initial access vector using **Scalable Vector Graphics (SVG) images**. The malware, which we have dubbed **PureMiner**, is a sophisticated information stealer that executes entirely in memory, leaving almost no trace on the victim’s hard drive. Its name appears to be a deliberate misdirection; its primary goal is not cryptomining, but the exfiltration of credentials and session tokens. This report provides a deep-dive technical analysis of this new threat, detailing the kill chain from a simple image file to a full-scale data breach, and outlines the behavioral detection strategy required to counter it.

Disclosure: This is a technical threat report for security practitioners. It contains our full suite of affiliate links to best-in-class solutions for a holistic security posture. Your support helps fund our independent research.

 Executive Summary / TL;DR

For the busy CISO: A new fileless malware campaign, “PureMiner,” is using malicious SVG image files to gain initial access. The SVG contains hidden JavaScript that executes in the user’s browser, which then launches an in-memory PowerShell payload. The malware’s goal is to steal browser credentials and session tokens. Because there is no traditional `.exe` file, legacy antivirus is ineffective. Defense requires a layered approach: **1) A modern Web Application Firewall (WAF)** to scan SVG files for malicious content. **2) An Endpoint Detection and Response (EDR) solution** to detect the anomalous behavior of a browser spawning PowerShell. **3) A Zero Trust architecture** to prevent the compromised machine from accessing critical resources.

 Threat Report: Table of Contents 

  1. Chapter 1: Threat Analysis – The Unholy Alliance of Fileless Malware and SVGs
  2. Chapter 2: The Kill Chain – From an Image to a Breach
  3. Chapter 3: The Defender’s Playbook – Hunting the Ghost in the Machine
  4. Chapter 4: The Strategic Response – Building a Resilient, Multi-Layered Defense
  5. Chapter 5: Extended FAQ on Fileless and SVG-based Threats

Chapter 1: Threat Analysis – The Unholy Alliance of Fileless Malware and SVGs

To understand this threat, we must first understand its two core components.

Fileless Malware: The Invisible Threat

For decades, antivirus software was built on a simple premise: scan files on the hard drive and compare their signatures (hashes) against a database of known malware. Fileless malware is designed to make this model obsolete.

It achieves this by **avoiding writing malicious executable files to the disk**. Instead, it operates entirely in the computer’s volatile memory (RAM). It does this by hijacking legitimate, trusted system tools—a technique known as “Living Off the Land.” The most common tools abused are:

  • **PowerShell:** A powerful scripting engine built into Windows.
  • **WMI (Windows Management Instrumentation):** A legitimate interface for managing devices and applications on a Windows network.
  • **In-Browser JavaScript:** As we will see, the browser itself can be used as the execution engine.

Because there is no “bad file” to scan, traditional AV is often blind to this entire class of threat.

SVGs: The Trojan Horse Image Format

A Scalable Vector Graphic (SVG) is not like a standard image format such as a JPG or PNG, which are just grids of pixels. An SVG is a text-based, XML document that describes shapes, lines, and colors. Because it is a code-based format, the SVG standard allows for the inclusion of interactive content, including **JavaScript**.

While this is intended for legitimate uses like interactive charts and animations, attackers have realized they can embed their malicious scripts directly inside a `.svg` file. When a modern web browser opens or renders this SVG, it will execute the embedded JavaScript. The user sees an image, but the browser runs the attacker’s code.

Chapter 2: The Kill Chain – From an Image to a Breach

The PureMiner attack chain is a masterclass in modern evasion techniques.

  1. Phase 1: Initial Access. The attack begins with a standard phishing lure. The victim receives an email with an HTML attachment or a link to a malicious website. This page is designed to look legitimate (e.g., a fake invoice portal, a document sharing site).
  2. Phase 2: The SVG Lure. On the malicious page is a seemingly harmless SVG image. This could be a company logo, a chart, or a “Click to View” button.
  3. Phase 3: The JavaScript Execution. When the user’s browser renders this SVG, the malicious JavaScript hidden inside it is executed within the context of the browser’s sandbox.
  4. Phase 4: The Fileless Payload Delivery. The JavaScript uses a clever technique to launch the main payload. It constructs a long, heavily obfuscated PowerShell command and uses a browser API or a scripting object (like `Shell.Application` in older IE-modes) to pass this command directly to the PowerShell process for execution. The key is that the PowerShell script is never written to disk; it is passed from the browser to the PowerShell process entirely in memory.
  5. Phase 5: The PureMiner Payload. The PowerShell script, now running in memory, is the PureMiner infostealer. It begins its primary mission:
    • It scrapes the local browser databases for saved usernames, passwords, and session cookies.
    • It searches for cryptocurrency wallet files.
    • It establishes a covert command-and-control (C2) channel to the attacker’s server.
  6. **Phase 6: Covert Exfiltration.** To exfiltrate the stolen data, PureMiner uses a form of steganography. It encodes the stolen data, embeds it into the pixel data of a benign-looking image (like a PNG), and then uploads this image to a public, high-reputation image hosting service. To a network security tool, this just looks like a user uploading a normal picture.

Chapter 3: The Defender’s Playbook – Hunting the Ghost in the Machine

You cannot fight a fileless threat with a file-based defense. You must hunt for its behavior.

1. The Critical Defense: Endpoint Detection and Response (EDR)

An EDR is your primary weapon. It provides the deep, process-level visibility needed to spot the TTPs of this attack. Your SOC team should be actively hunting for:

  • **The Smoking Gun: Anomalous Process Chains.** The most high-fidelity indicator of this attack is a browser process spawning a scripting engine. Your EDR should immediately flag any instance of `chrome.exe`, `firefox.exe`, or `msedge.exe` being the parent process of `powershell.exe` or `wscript.exe`. This is not normal behavior and is almost always malicious.

 CyberDudeBivash’s Recommended Hunting Stack:

To effectively hunt for a sophisticated, fileless threat like PureMiner, you need a powerful, behavior-focused EDR platform. A solution like **Kaspersky EDR** is designed to automatically detect these suspicious process chains and other ‘Living Off the Land’ TTPs, providing your SOC with the high-fidelity alerts they need to respond instantly.

[Need help building an advanced threat hunting program? Contact our experts.]

2. The Network Defense: WAF and Egress Filtering

  • **Inspect SVG Uploads/Downloads:** Configure your Web Application Firewall (WAF) or secure web gateway to inspect the content of SVG files. A modern WAF, like the one from **Alibaba Cloud**, can be configured to block SVGs that contain `

Leave a comment

Design a site like this with WordPress.com
Get started