
BianLian Ransomware Campaign Exploits Fake Invoice SVG Files to Target Organizations

  • Mar 28
  • 2 min read

Key Findings


  • WatchGuard researchers identified a phishing campaign targeting Venezuelan companies with malicious SVG image files

  • The BianLian ransomware group is delivering its malware through fake invoice attachments with Spanish filenames

  • The attack chain uses the ja.cat link-shortening service and redirects through compromised Brazilian domains

  • The payload is written in Go and includes anti-analysis checks and fast AES file encryption

  • Four domains tied to the campaign infrastructure were active at the time of reporting


Background


The BianLian ransomware group has operated since 2022, targeting critical infrastructure in several regions, including the US and Australia. This campaign marks a geographic shift toward Venezuela, where researchers report concentrated attack activity. The group is known for changing tactics and has previously tried unconventional social engineering, which shows it is willing to work outside the usual digital channels as well as within them.


Attack Method: Deceptive SVG Files


The initial vector looks mundane to most users. Phishing emails carry attachments with Spanish filenames that resemble routine business documents such as invoices or budget spreadsheets. The attachments are SVG files, and they are not simple images. SVG is an XML-based format that browsers render as a document, not a bitmap, and a browser will honor script embedded in it. These files contain hidden script inside the SVG markup that runs when the victim opens the file; it then reaches out to an external URL and fetches the actual malicious payload onto the system. Because many mail filters classify SVG as an image rather than as active content, the attachment often passes checks that would stop an .exe or a macro-enabled document.


Obfuscation and Redirection Techniques


The attackers use a deliberate redirection chain to hide their infrastructure and complicate attribution. Links are masked with ja.cat, a URL-shortening service, so the visible link reveals nothing about the final destination. Traffic then passes through compromised Brazilian domains before reaching the final delivery point. Each malicious link typically carries a 16-digit token, most likely used to track individual victims and to make sure only intended targets receive the payload; an analyst who strips the token or revisits the link later may get a benign page instead of the malware.
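The two sections above describe what an SVG lure carries (embedded script that fetches a payload) and what its links look like (a ja.cat shortener and a 16-digit token). The triage script below, which is an added example and not WatchGuard's or the campaign's code, scans an SVG attachment for active content and outbound URLs and flags links that match either pattern. It deliberately uses regular expressions over the raw bytes rather than an XML parser, so a malformed file that a browser would still render does not escape inspection. The sample SVG at the bottom is constructed to mimic the lure; the ja.cat path in it is a placeholder, not a real campaign link.

```python
"""Triage an SVG attachment for active content and suspicious outbound links.

Added example for this write-up; not code from the campaign or from WatchGuard.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

SHORTENERS = {"ja.cat"}                          # shortener named in the write-up
IGNORE_HOSTS = {"www.w3.org"}                     # xmlns declarations, not outbound links
TOKEN_RE = re.compile(r"(?<!\d)\d{16}(?!\d)")     # 16-digit victim/tracking token
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

# Markup that turns an "image" into an executable document when opened in a browser.
ACTIVE_CONTENT = [
    ("script element",       re.compile(r"<\s*script\b", re.I)),
    ("event handler attr",   re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URI",      re.compile(r"javascript\s*:", re.I)),
    ("foreignObject (HTML)", re.compile(r"<\s*foreignObject\b", re.I)),
    # href attribute pointing off-box (preceded by whitespace, so JS like
    # window.location.href = "..." inside a script is counted as a URL, not an attr)
    ("external href attr",   re.compile(r"\s(?:xlink:)?href\s*=\s*[\"']https?://", re.I)),
]


@dataclass
class SvgFindings:
    active_content: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    suspicious_urls: list = field(default_factory=list)   # (url, [reasons])

    @property
    def verdict(self) -> str:
        # Shortener/token links, or script plus any outbound URL, are enough to block.
        if self.suspicious_urls or (self.active_content and self.urls):
            return "block"
        return "review" if self.active_content else "allow"


def triage_svg(data: bytes) -> SvgFindings:
    """Scan raw SVG bytes; returns what was found and a block/review/allow verdict."""
    text = data.decode("utf-8", errors="replace")
    findings = SvgFindings()

    for label, rx in ACTIVE_CONTENT:
        if rx.search(text):
            findings.active_content.append(label)

    for url in dict.fromkeys(URL_RE.findall(text)):      # de-duplicate, keep order
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host in IGNORE_HOSTS:
            continue
        findings.urls.append(url)
        reasons = []
        if host in SHORTENERS:
            reasons.append("shortener")
        if TOKEN_RE.search(parts.path + "?" + parts.query):
            reasons.append("16-digit token")
        if reasons:
            findings.suspicious_urls.append((url, reasons))
    return findings


# Constructed sample in the shape of the lure described above; not a real artifact.
SAMPLE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="600" height="800">
  <text x="20" y="40">Factura_Marzo.pdf</text>
  <script><![CDATA[
    window.location.href = "https://ja.cat/0123456789012345";
  ]]></script>
</svg>"""

if __name__ == "__main__":
    result = triage_svg(SAMPLE_SVG)
    print("verdict:", result.verdict)
    print("active content:", result.active_content)
    for url, reasons in result.suspicious_urls:
        print("suspicious:", url, reasons)
```

Run it against a mail-gateway quarantine folder and anything that comes back as "block" or "review" is worth detonating; a clean vector drawing has no script, no event handlers and no URLs beyond the W3C namespaces.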


Malware Capabilities and Evasion


The downloaded payload is a Windows executable written in Go, built with several evasion and anti-analysis features. It checks whether it is running under Wine, the compatibility layer that runs Windows binaries on Linux; some automated sandboxes detonate samples under Wine rather than on a real Windows host, so a positive Wine check is a cheap sandbox tell. It also watches system suspension states so it can time execution for moments when defenses are less active, and it looks for runtime environment variables such as GODEBUG, which enable Go runtime diagnostics and are far more likely to be set on an analyst's machine than on a victim's. Once established, it encrypts files with a fast AES implementation, compressing the window between initial access and impact so that defenders have little time to respond before data is locked.
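A sandbox that trips the checks named above (Wine present, GODEBUG set) will never see the payload run. The script below is an added example for analysts, not the malware's own logic: it audits a detonation environment for those tells so they can be removed before a sample is run. The Wine environment-variable names and the ntdll export check are assumptions about how such checks are commonly done, not details taken from the campaign; `wine_get_version` is an export that Wine's ntdll provides and Microsoft's does not.

```python
"""Audit a detonation host for the analysis tells the write-up says the loader checks.

Added example for this write-up; not the malware's code. Run it inside the sandbox
VM before detonating a Go sample.
"""
import os
import platform

# GODEBUG is the variable named in the write-up; its presence means Go runtime
# diagnostics are on, which is an analyst habit rather than a victim's.
GO_RUNTIME_VARS = ("GODEBUG",)

# Assumption: variables a Wine-hosted process typically sees. Not from the page.
WINE_ENV_MARKERS = ("WINEPREFIX", "WINELOADER", "WINESERVER")


def analysis_tells(env, ntdll_exports=()):
    """Return a list of tells present.

    env            -- mapping of environment variables (e.g. os.environ)
    ntdll_exports  -- names resolved from ntdll.dll; Wine adds wine_get_version
    """
    tells = []
    for var in GO_RUNTIME_VARS:
        if env.get(var):
            tells.append(f"env {var} is set to {env[var]!r} (Go runtime diagnostics)")
    for var in WINE_ENV_MARKERS:
        if var in env:
            tells.append(f"env {var} present (process is running under Wine)")
    if "wine_get_version" in ntdll_exports:
        tells.append("ntdll.dll exports wine_get_version (Wine, not a real Windows host)")
    return tells


def ntdll_exports_on_windows():
    """On Windows, probe ntdll for the Wine-only export; elsewhere report nothing."""
    if platform.system() != "Windows":
        return ()
    import ctypes
    ntdll = ctypes.WinDLL("ntdll")
    try:
        getattr(ntdll, "wine_get_version")   # raises AttributeError on real Windows
        return ("wine_get_version",)
    except AttributeError:
        return ()


if __name__ == "__main__":
    found = analysis_tells(os.environ, ntdll_exports_on_windows())
    if not found:
        print("no analysis tells found; the loader's Wine/GODEBUG checks should pass")
    for tell in found:
        print("FIX:", tell)
```

If the audit reports a hit, unset the variable (or move detonation to a genuine Windows VM) rather than patching the sample; the loader's other checks, such as the suspension-state monitoring, are not covered here and still need a realistic host.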


Known Infrastructure


Security researchers have identified four domains directly linked to this campaign's infrastructure. Treat them as indicators of compromise: block them at the perimeter, and search DNS, proxy and mail logs for any past resolution or connection, since a hit from an endpoint means the SVG was opened and the payload was at least requested, not merely delivered:


  • contabilidad.icu

  • getpdfdigital.cloud

  • soportedigital.cloud

  • documentodigital.cloud


Regional Context and Trend Analysis


Venezuela represents a new geographic focus for BianLian, though similar campaigns have recently targeted neighboring Colombia using fake judicial portal interfaces. This pattern suggests the group is systematically expanding operations across Latin America while adapting social engineering tactics to regional contexts. The use of Spanish-language filenames and locale-specific document types indicates reconnaissance and localization of attack materials.


Security Recommendations


Organizations should treat SVG attachments from untrusted senders as active content, not images: strip or quarantine them at the mail gateway, or at minimum open them in an image viewer rather than a browser. Email security should flag unexpected image attachments, especially SVGs named like invoices or budgets, which in this campaign are Spanish-language filenames aimed at Venezuelan recipients; a rule keyed on the language alone would be useless in a Spanish-speaking organization. Block the identified domains immediately and hunt for historical hits. On endpoints, do not block Go binaries wholesale, since much legitimate tooling is written in Go; instead alert on an SVG opened from a mail client or browser that is followed by an executable download, and on outbound connections to the listed domains, to ja.cat shortener links, and to unfamiliar Brazilian-hosted sites, keeping in mind that the Brazilian domains are compromised legitimate sites rather than attacker-owned ranges, so a blanket block on Brazilian IP space would be both noisy and easy to bypass.


Sources


  • https://hackread.com/bianlian-ransomware-fake-invoice-svg-images-attacks/

  • https://www.socdefenders.ai/item/8c2c8ff5-13b5-4c4f-ba47-ba3f9c0b1ee4

  • https://x.com/HackRead/status/2037558831933169928


© 2025 by Explain IT Again. Powered and secured by Wix
