WatchGuard telemetry identified some malicious files being downloaded by victims, and almost all of them originated in Venezuela, indicating a possible malicious campaign targeting companies in this country. 

The malicious files are distributed via phishing emails that have a SVG file with a filename in Spanish, generally indicating invoices, receipts, or budgets. 

SVG stands for Scalable Vector Graphics, a file format for two-dimensional vector images. It allows images to be scaled without loss of quality, making it ideal for web graphics like logos and illustrations.  

If an SVG file is opened in a text editor, it has XML code. It has already been observed that some phishing emails were distributed with SVG  containing malicious code. 

Figure 1. Example of a malicious SVG file 

When these malicious SVGs are opened, they communicate with a URL that downloads the malicious artifact. 

 

Figure 2. Network communication when a malicious SVG file is opened 

A recent campaign distributing malicious SVG files in Spanish was observed last year; the target was victims in Colombia, and the files had fake portals impersonating Colombia's judicial system. 

Initial Vector

As mentioned earlier, the campaign starts with phishing, delivering malicious SVG files that are used to download the malware. 

Figure 3. Events showing that the phishing email was opened by the victim

This campaign uses ja.cat to shorten URLs from legitimate domains that have a vulnerability that allows redirects to any URL, so they point to the original domain where the malware is downloaded. The domains affected by the URL redirection are from Brazil.

Figure 4. Network connections are established when the SVGs used in the campaign are opened 

The URLs used in the malicious campaign are in the format https://<domain>/public.php?token=<16_digit_token>

Artifact Analysis

The artifact is a Windows Executable written in Go 

Figure 5. Information about the analyzed artifact 

At the start of execution, the malware executes a routine that retrieves the address of various export functions. Among these functions are LoadLibraryExA and LoadLibraryExW, which are used to load some important DLLs. These DLLs are dynamically loaded to avoid detection. 

Figure 6. Routine of instruction made by malware at the start 

Some of the export functions loaded by the malware are SetErrorMode, to prevent the display of the Windows Error Reporting dialog, and RtlAddVectoredExceptionHandler, to register a VEH, which can be used by malware to control how exceptions are handled and ensure that the payload remains active in case of errors. 

It also loads functions associated with threads, such as CreateWaitableTimerExW, which creates a waitable timer object, allowing synchronization between processes that can be used by functions executed in parallel, like threads. 

We can see timeBeginPeriod used to request a minimum timer resolution for periodic timers, allowing applications to achieve higher accuracy in timing operations. It’s used to restore the previous timer resolution and avoid potential negative impacts on system performance and power usage.   

Figure 7. Windows APIs called during execution 

One important DLL loaded during runtime is ws2_32.dll, which is responsible for network communication. It starts using WSAGetOverlappedResult to retrieve the results of an overlapped operation on the specified socket. 

Another DLL is powrprof.dll, which uses the PowerREgisterSuspendResumeNotification function. It is used to register itself to receive notification when the system is suspended or resumed. This can be used by malware to monitor if the system is suspended and execute certain actions, because in this state, security solutions may be less active in monitoring. 

Figure 8. Call to PowerRegisterSuspendResumeNotification

The malware gets system environment variables, including GODEBUG and DEBUG_HTTP2_GOROUTINES, which are specific to the Go language. 

 Figure 9. Calls to get system environments 

SystemFunction036, which is an alias for the RtlGenRandom function that generates pseudo-random numbers in Windows operating systems, is also used. It is accessed through the Advapi32.dll library and requires dynamic linking using LoadLibrary and GetProcAddress functions. 

 Figure 10. Call to SystemFunction036 and start of a thread 

These actions are the same observed in a SecurityScorecard report, which links these actions to BianLian ransomware. 

BianLian ransomware is a developer, deployer, and data extortion cybercriminal group that has been active since 2022. It was observed attacking critical structure in US and Australia, but the group targets multiple industries and has tactics and techniques that have been evolving. 

One of the most interesting things that we saw in the analyzed artifacts is the utilization of the function wine_get_version, which is used to detect if the system is running in Wine. 

Figure 11. Call to wine_get_version 

There is a routine that makes byte operations using a value loaded from a location in the Thread Local Storage (TLS) at the start of the execution, and the result is the address of the function that will be called in a thread. 

Figure 12. Routine instructions that call different functions in a thread 

In the code, we can also observe anti-debugging techniques to make the analysis more difficult. 

Figure 13. Anti-debugger technique in the malware code 

Another BianLian characteristic observed in the analyzed artifacts is the use of AES functions implemented in Assembly to accelerate encryption. 

Figure 14. Use of AES functions in the malware code 

Indicators of Compromise 

Domains: 

contabilidad[.]icu 

documentodigital[.]cloud 

getpdfdigital[.]cloud 

soportedigital[.]cloud 

What This Campaign Reveals About Evolving Ransomware Delivery 

This campaign is a strong reminder that even seemingly harmless file types like SVGs can be used to deliver serious threats. In this case, malicious SVG attachments were used to initiate a phishing chain that led to malware delivery associated with BianLian activity.  

Organizations should treat unexpected image attachments with caution, strengthen email and endpoint defenses, and monitor for suspicious outbound connections. As attackers continue to evolve their delivery methods, understanding how ransomware reaches victims is critical to stopping it earlier in the attack chain. 

In Episode 362 on The 443 Podcast, Marc and Corey unpack three stories that point to a hard truth for defenders: cyber threats are becoming more disruptive, more deceptive, and more scalable.  

From a major attack affecting medical technology giant Stryker, to a once-legitimate Chrome extension turned malicious, to Microsoft’s latest findings on how threat actors are using AI across the attack lifecycle, the message is clear. Attackers are moving faster, operating smarter, and finding new ways to exploit trust at scale. 

How Cyber Conflict Can Spill Into the Private Sector 

Stryker’s network disruption is one of the clearest recent reminders that cyber incidents tied to geopolitical tensions can create serious consequences for private sector organizations. When a company with global operations and ties to critical healthcare infrastructure experiences widespread disruption, the impact reaches far beyond a routine IT outage. Even if an attack does not directly target patients or frontline care, the downstream consequences can still be severe. 

That is what makes this story so significant. It reflects a broader reality that security teams have been warning about for years: cyber conflict is no longer confined to governments, defense agencies, or explicitly political targets. Private organizations that sit close to essential services, healthcare ecosystems, supply chains, or national infrastructure are increasingly exposed to the fallout. 

For defenders, the lesson is straightforward. Resilience planning can no longer focus only on ransomware or data theft. Organizations also need to prepare for destructive attacks, large-scale operational disruption, and incidents where business continuity becomes the primary security challenge. 

A Malicious Chrome Extension Is a Warning About Browser-Based Risk 

Another development underscores how easily trusted software can become attack infrastructure. 

Researchers uncovered suspicious behavior tied to a Chrome extension called Shotbird, which had originally been legitimate. After a transfer of ownership around mid-February, the extension was quickly weaponized. It reportedly registered infected browsers with command-and-control infrastructure, regularly checked in for scripts to execute, stripped browser protections such as content security policy headers and X-Frame-Options, and injected fake update notifications designed to trick users into running malware themselves.  

That matters because it highlights a serious weakness in how many people think about browser extensions. Users often assume that software distributed through an official marketplace is inherently trustworthy, especially if it was legitimate at one point. But trust in these ecosystems can change quickly. A transfer of ownership, a malicious update, or weak validation at the marketplace level can turn an ordinary tool into an attack vector almost overnight.  

The social engineering angle makes the risk even sharper. In this case, the extension did not rely only on quietly dropping malware. It used fake Chrome update prompts and click-fix style instructions to manipulate users into executing malicious commands manually. That tactic helps attackers bypass some of the protections browsers place on traditional executable downloads.  

The broader takeaway is that browser extensions should not be treated as harmless productivity tools. They can carry powerful permissions, interact deeply with web content, and become a quiet but highly effective foothold for attackers. Security teams need clearer policies around extension use, stronger browser visibility, and tighter controls over what users are allowed to install. 

Threat Actors Are Already Operationalizing AI Across the Attack Lifecycle 

The third development may have the broadest long-term implications. 

According to Microsoft’s latest threat intelligence findings, threat actors are already using AI in practical ways throughout the attack lifecycle. The observed activity includes reconnaissance, phishing and social engineering, malware development, operational persistence, post-compromise analysis, and identifying the most effective paths for lateral movement and data theft. In some cases, attackers are also using AI-enabled malware that invokes AI models during execution, not just during development.  

This is important because it moves the conversation past theory. The industry has been talking for some time about how AI could accelerate attacker workflows, lower the barrier to entry, and increase the scale of cybercrime. What these findings show is that this shift is already happening. Attackers are not waiting for fully autonomous systems to mature. They are using AI right now to work faster, appear more credible, and make their operations more efficient.  

The examples also reveal how fragile some current AI safeguards still are. Simple jailbreak prompts that frame the user as a trusted security analyst or student were reportedly enough to elicit guidance that should have been blocked. That points to a hard truth defenders and AI vendors need to confront: prompt-based safety controls alone are not going to be enough. Natural language is too flexible, and attackers are too motivated to rely on basic guardrails as a long-term solution.  

The security concern here is not just smarter phishing emails or cleaner malware scripts. It is the compounding effect of AI across the full attack chain. When reconnaissance is faster, payload development is easier, communications look more human, and post-compromise decisions become more efficient, the overall speed and volume of attacks can rise dramatically. 

The Bigger Shift Behind All Three Stories 

What ties these developments together is not just attacker creativity. It is attacker efficiency. 

Cybercriminals and state-linked groups are finding more ways to weaponize trust, whether that trust exists in healthcare-adjacent operations, browser marketplaces, or AI systems themselves. At the same time, modern attacks are becoming easier to scale. AI assistance reduces friction. Social engineering remains effective. Trusted platforms continue to offer new openings. And every one of those changes gives defenders less time to detect and respond. 

That is why these stories matter beyond their individual headlines. They point to a threat environment where the challenge is no longer just blocking one malware family or one phishing lure. The real challenge is defending against attack chains that are faster, more adaptive, and more capable of turning ordinary business dependencies into security liabilities. 

What This Means for Defenders 

Security teams should treat these developments as a signal to tighten core controls now, not later. 

That starts with reducing blind trust in common platforms and workflows. Browser extensions should be governed more strictly. Administrative and user access should be reviewed with a stronger focus on abuse prevention. Detection and response programs should be built to correlate activity across identity, browser, endpoint, and network layers rather than viewing each alert in isolation. 

It also means preparing for a future where AI is embedded on both sides of the fight. Attackers are already using it to improve speed and effectiveness. Defenders need to match that with stronger visibility, smarter automation, and faster operational follow-through. 

The organizations that adapt best will not be the ones with the most tools. They will be the ones that reduce exposure early, validate trust continuously, and respond fast when normal-looking activity starts behaving abnormally.