As more and more websites implement age verification, many users are migrating to smaller, less regulated sites — inadvertently increasing their risk of encountering malware. Cybercriminals are taking advantage of this trend by hiding malicious code in SVG image files that can perform harmful actions on users' computers.

As more countries require age verification for adult websites, some smaller sites are beginning to exploit hidden malware to boost their visibility on social media platforms like Facebook. Researchers at Malwarebytes recently discovered that these malware often use a type of image file called scalable vector graphics (SVG), which can carry harmful code.

SVG files are different from standard image formats such as JPG and PNG. They use XML, a form of code that can not only render images but also include HTML and JavaScript—languages ​​also used to create dynamic websites. This feature allows attackers to hide malware within SVG images. Since many users think of SVGs as just harmless images, they don't think that these files can contain security threats.

Here’s how the scam works: Adult-themed blog posts are shared on Facebook, often promoting fake or AI-generated celebrity content. When users click on these links, they may be prompted to download an SVG image. Opening or interacting with this image triggers hidden JavaScript code embedded in the SVG file. Researchers found that the malicious code is obfuscated using a special technique that requires just a few characters and clever coding tricks to mask its true intent, thereby evading detection.

Once triggered, the hidden script downloads additional malicious code from the relevant website. This leads to the installation of malware called Trojan.JS.Likejack, which secretly forces a user's browser to "like" a specific Facebook post or page. These automated likes help promote adult content without the user's knowledge, but only if the victim is logged into Facebook.

SVG files are based on XML and can contain HTML and JavaScript, which can be exploited by criminals for malicious purposes.

Malwarebytes discovered that many of the pages involved in this campaign were built on WordPress and were related to each other. By generating hundreds of fake "likes," these posts gain higher visibility in Facebook's algorithm, helping scammers promote their sites without having to pay for advertising.

Although Facebook actively tries to shut down these fake accounts, scammers continue to create new ones. The anonymity of the Internet makes it difficult to completely stop this cycle.

Once Malwarebytes learned about the scheme, they discovered that many Blogspot[.]com pages were part of it.

Using SVG files to spread malware is not new. Attackers have previously used them for phishing, scripting and other hacking attacks. This latest attack is notable because it cleverly hides harmful code and manipulates social media platforms to drive traffic and visibility.