SVG phishing hits Ukraine with Amatera Stealer, PureMiner

Intel Name: SVG phishing hits Ukraine with Amatera Stealer, PureMiner

Date of Scan: September 29, 2025

Impact: High

Summary:
A recent phishing campaign targeting Ukraine uses malicious SVG files disguised as official government communication. When opened, the SVG file downloads a password-protected archive containing a CHM file, which triggers a chain of malware execution via HTA CountLoader. The attackers deploy Amatera Stealer and PureMiner as fileless malware, using techniques like .NET AOT compilation, process hollowing, and in-memory execution via PythonMemoryModule to avoid detection. These tools are used to steal data and mine cryptocurrency on infected systems.
