SVG Files Abused in Emerging Campaigns
ID: a891c6dc-2af9-584c-9264-74920fc6a46b
STIX ID: report--a891c6dc-2af9-584c-9264-74920fc6a46b
Feed Name: Cofense Blog
This report documents evolving abuse of SVG/HTML smuggling—facilitated by the AutoSmuggle tool—to bypass email gateways and deliver embedded payloads (ZIPs containing scripts and executables). It details two recent campaigns (Dec 2023 delivering XWorm RAT and Jan–Feb 2024 delivering Agent Tesla keylogger), describes multiple infection chains and email lure patterns, and highlights how threat actors modified AutoSmuggle-generated SVGs to evade detection and social-engineer victims.
