Fake Facebook posts hide Trojan.JS.Likejack in SVG images

Researchers at Malwarebytes have uncovered a campaign where cybercriminals embed malicious code in SVG (Scalable Vector Graphics) images. Unlike standard JPG or PNG pictures, SVG files are built using XML code, which can also carry HTML and JavaScript — the same languages used for interactive websites. This means an SVG can display a picture while secretly running harmful scripts in the background.

How the scam works:

• Adult-themed blog posts, often featuring fake or AI-generated celebrity content, are promoted on social media platforms like Facebook.

  Stay Ahead of the Curve!

  Don't miss out on the latest insights, trends, and analysis in the world of data, technology, and startups. Subscribe to our newsletter and get exclusive content delivered straight to your inbox.

  Subscribe Now

• Clicking these links may prompt you to download an SVG file.

• Opening or interacting with the file triggers hidden JavaScript, obfuscated to look harmless, that then downloads more malicious code.

The end goal is to install Trojan.JS.Likejack, a program that forces your browser to “Like” specific Facebook posts or pages if you’re already logged in. These fake likes artificially boost the scammers’ content in Facebook’s algorithm, helping them gain visibility without paying for ads.

Many of the pages in this network are built on WordPress or Blogspot, and they’re interconnected to generate hundreds of likes across multiple fake accounts. While Facebook actively removes these profiles, new ones appear just as quickly, making the cycle hard to break.

• SVG files can be dangerous if opened from untrusted sources.
• Attackers are using social media to make these scams appear legitimate.
• This campaign exploits curiosity and adult content as bait, but the same tactic could be applied to other lures.

How to protect yourself:

• Avoid downloading SVG or other files from unfamiliar websites.
• Keep your antivirus and browser security features enabled.
• Be wary of clicking links in social media posts that seem suspicious or sensational.
• Log out of Facebook when not in use to reduce potential damage from Like-jacking attacks.

Using SVGs for malware delivery isn’t new, but this campaign’s blend of stealthy code, social engineering, and social media manipulation makes it especially dangerous.

Featured image credit