SVG → CountLoader / PureRAT – From picture to problem.
Phishing emails impersonating Ukrainian authorities deliver SVG attachments that start a chain: SVG → ZIP → CHM → CountLoader → payloads like Amatera Stealer and PureMiner; related campaigns evolve to PureRAT backdoors. Fileless techniques (AOT, process hollowing) and credential theft feature heavily.
Those harmless-looking SVGs again, this time dropping CountLoader, which then fetches stealers and miners, and in some cases PureRAT for full remote control. The lures pose as official notices; the payloads live mostly in memory to evade file-based security tools.
Defences: block risky attachments (SVG/CHM) at the mail gateway, detonate ZIP attachments in a sandbox before delivery, and hunt for fileless indicators (in-memory payloads, process hollowing) in EDR telemetry.
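The attachment controls above can be expressed as a small triage routine. The following is an added example written for this digest, not code from the original report or from any vendor: it inspects an attachment's name and bytes offline, flags CHM files, SVGs carrying active content (script elements, event-handler attributes, external hrefs, foreignObject), and ZIP archives containing the chain's stages (CHM, SVG, nested ZIP), and returns a verdict of `block`, `sandbox` or `allow` that a gateway rule or SOC script could act on. The function names, the indicator list and every sample attachment are constructed for the demonstration; none are artefacts from the campaign.

```python
"""Attachment triage for the SVG -> ZIP -> CHM chain (added example, constructed inputs)."""
import io
import re
import zipfile

# Indicators of active content inside an SVG. SVG is XML text, so byte regexes suffice here.
SVG_ACTIVE_PATTERNS = {
    "script element": re.compile(rb"<\s*script\b", re.I),
    "event handler attribute": re.compile(rb"\son[a-z]+\s*=", re.I),
    "external href": re.compile(rb"href\s*=\s*[\"'](?:https?:|//)", re.I),
    "foreignObject element": re.compile(rb"<\s*foreignObject\b", re.I),
}
# Member extensions that escalate a ZIP from "sandbox" to "block" (the chain stages seen in the digest).
ARCHIVE_MEMBERS_TO_BLOCK = {".chm", ".svg", ".zip"}


def _ext(name: str) -> str:
    """Lower-cased final extension including the dot, or '' if none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return {'filename', 'verdict', 'reasons'}; verdict is 'block', 'sandbox' or 'allow'."""
    reasons = []
    ext = _ext(filename)
    is_chm = data.startswith(b"ITSF")            # CHM (ITSS container) magic bytes
    is_zip = data.startswith(b"PK\x03\x04")      # local file header of a non-empty ZIP
    is_svg = b"<svg" in data[:4096].lower()       # content sniff; do not trust the extension alone

    if is_chm or ext == ".chm":
        reasons.append("compiled HTML help (CHM) attachment")

    if is_svg or ext == ".svg":
        hits = [label for label, pat in SVG_ACTIVE_PATTERNS.items() if pat.search(data)]
        # SVG is blocked by policy; the hits only enrich the alert for the analyst.
        reasons.append("SVG attachment" + (": " + ", ".join(hits) if hits else ""))

    if is_zip:
        if ext != ".zip":
            reasons.append("ZIP content with non-ZIP extension")
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m.filename for m in zf.infolist() if not m.is_dir()]
        except zipfile.BadZipFile:
            members = []
            reasons.append("malformed ZIP (cannot be inspected)")
        risky = [m for m in members if _ext(m) in ARCHIVE_MEMBERS_TO_BLOCK]
        if risky:
            reasons.append("ZIP contains " + ", ".join(risky))

    if reasons:
        verdict = "block"
    elif is_zip:
        verdict = "sandbox"      # clean-looking archives still get detonated before delivery
    else:
        verdict = "allow"
    return {"filename": filename, "verdict": verdict, "reasons": reasons}


def build_samples() -> dict:
    """Constructed attachments mirroring the chain stages; none are real campaign files."""
    svg_lure = (b'<svg xmlns="http://www.w3.org/2000/svg"><text>Official notice</text>'
                b'<script>location="https://example.invalid/next"</script></svg>')
    chm_stub = b"ITSF" + b"\x00" * 60              # header magic only, not a working CHM
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice.chm", chm_stub)
    zip_with_chm = buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"plain text")
    zip_benign = buf.getvalue()
    return {"notice.svg": svg_lure, "notice.zip": zip_with_chm,
            "report.zip": zip_benign, "memo.txt": b"hello"}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(triage_attachment(name, blob))
```

The sniffing on magic bytes matters more than the extension check: an SVG renamed to `.txt` or a ZIP with a misleading extension is still recognised, and the mismatch itself becomes a reason in the alert. The same function can run over attachments pulled from a mail-flow API or from a quarantine folder.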