SVG Phishing hits Ukraine with Amatera Stealer, PureMiner

Sept. 29, 2025, 9:24 a.m.

Description

A phishing campaign targeting Ukrainian government entities uses malicious SVG files to initiate an infection chain. The attack begins with emails containing SVG attachments that redirect victims to a download site. A CHM file is then used to execute a remote HTA loader, which delivers two malware payloads: Amatera Stealer and PureMiner. Amatera Stealer harvests extensive information from infected systems, including credentials, system data, application data, browser files, and cryptocurrency wallets. PureMiner collects hardware information and monitors system activity to deploy efficient CPU or GPU mining modules. The campaign demonstrates sophisticated techniques, including fileless malware delivery and the use of multiple stages to evade detection.
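For the first stage described above, an added example (not code from the original report) that triages an SVG attachment by flagging script elements, event-handler attributes, and external or javascript: references that a plain vector image has no reason to carry; both SVG samples and the URL are constructed for illustration:

```python
"""Mail-gateway style triage of SVG attachments (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Elements that turn an "image" into active content when opened in a browser.
ACTIVE_TAGS = {"script", "foreignobject"}
# URI schemes that pull in remote or embedded content (data: can carry HTML).
EXTERNAL_SCHEMES = {"http", "https", "ftp", "data"}


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(svg_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious.
    Note: for untrusted input in production, parse with defusedxml instead."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"parse-error: {exc}"]
    findings = []
    for elem in root.iter():            # document order, root first
        tag = _local(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"active-content:<{tag}>")
        for attr, value in elem.attrib.items():
            lname = _local(attr)        # xlink:href -> href
            if lname.startswith("on"):  # onload, onclick, ...
                findings.append(f"event-handler:{lname}@<{tag}>")
            if lname == "href":
                scheme = urlsplit(value.strip()).scheme.lower()
                if scheme == "javascript":
                    findings.append(f"javascript-uri@<{tag}>")
                elif scheme in EXTERNAL_SCHEMES:
                    findings.append(f"external-ref:{scheme}@<{tag}>")
    return findings


# Constructed samples: a harmless icon and a lure that carries script,
# an onload handler and an outbound link (placeholder domain).
BENIGN = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
          b'<rect width="10" height="10" fill="red"/></svg>')
SUSPICIOUS = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
              b'<script>/* constructed placeholder */</script>'
              b'<a xlink:href="https://download.example.invalid/doc">'
              b'<text>Open document</text></a></svg>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, svg_findings(doc) or "clean")
```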

Date

  • Created: Sept. 26, 2025, 8:06 p.m.
  • Published: Sept. 26, 2025, 8:06 p.m.
  • Modified: Sept. 29, 2025, 9:24 a.m.

Attack Patterns

  • CountLoader
  • PureMiner
  • Amatera Stealer

Additional Information

  • Government
  • Ukraine