Wednesday, April 23, 2025
HomeCyber Security NewsBeware of the New 'Blank Image' Attack that Hides Malicious Scripts in...

Beware of the New ‘Blank Image’ Attack that Hides Malicious Scripts in Image Files

Published on

SIEM as a Service

Follow Us on Google News

Avanan researchers have seen a new attack dubbed “Blank Image” spreading throughout the globe wherein hackers include blank images in HTML attachments. When opening the attachment, the user is automatically redirected to a malicious URL.

This email campaign begins with a document that purports to be from DocuSign, this appears to be very legitimate. The user is requested to review and sign the document after it is provided straight to them.

The link to DocuSign will take you to the official DocuSign website. The chain of actions started by the hackers begins when you click on the HTM attachment.

- Advertisement - Google News
https://lh5.googleusercontent.com/6V_fOkDPnOPlY-ofJhFZ6bax6IZonUp8CcGxq9kp9txrId-yqDwmOgPsW8oAnGAceEKhLBBXwzg7iVvWH0Ohxh9iL84dhVPhgy92-TuHxlB1cdUpuIp1hKaces1tVecebtLLvjCShtBXQK75BfU5ig6ogcAbnxNmeNDXDb7-DbBQUWORr3JSGvQchuIpEA
Email used in the phishing campaign

A victim is directed to a legitimate DocuSign webpage if they click the “View Completed Document” button. However, the “Blank Image” assault is launched if they try to open the HTML attachment.

The HTML document includes a Base64-encoded SVG image with embedded JavaScript code that automatically reroutes the victim to the malicious URL.

Content of the HTML file

Since the SVG image does not contain any graphics or shapes, nothing is displayed on the screen. Simply serving as a placeholder for the malicious script is all it does.

Deobfuscated SVG code featuring a circle element that has no parameters (empty)
Deobfuscated SVG code featuring a circle element that has no parameters

“The hackers are hiding the malicious URL inside an empty image to bypass traditional scanning services”, Avanan.

The JavaScript embedded in the SVG image is executed when it is displayed by an HTML document using a <embed> or <iframe> tag.

Researchers say the SVG is blank in this DocuSign-themed campaign. Although the victim doesn’t see anything on their screen, the URL redirect code is still active.

“This is an innovative way to obfuscate the true intent of the message. It bypasses VirusTotal and doesn’t even get scanned by traditional Click-Time Protection”, researchers 

By layering obfuscation upon obfuscation, most security services are helpless against these attacks”

Therefore, any email with an HTML or.htm attachment should be avoided. Administrators ought to think about blocking HTML attachments and handling them similarly to executables (.exe, .cab).

Network Security Checklist – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Exploit Cloudflare Tunnel Infrastructure to Deploy Multiple Remote Access Trojans

The Sekoia TDR (Threat Detection & Research) team has reported on a sophisticated network...

Threat Actors Leverage npm and PyPI with Impersonated Dev Tools for Credential Theft

The Socket Threat Research Team has unearthed a trio of malicious packages, two hosted...

Hackers Exploit Legitimate Microsoft Utility to Deliver Malicious DLL Payload

Hackers are now exploiting a legitimate Microsoft utility, mavinject.exe, to inject malicious DLLs into...

Cybercriminals Exploit Network Edge Devices to Infiltrate SMBs

Small and midsized businesses (SMBs) continue to be prime targets for cybercriminals, with network...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit Cloudflare Tunnel Infrastructure to Deploy Multiple Remote Access Trojans

The Sekoia TDR (Threat Detection & Research) team has reported on a sophisticated network...

Threat Actors Leverage npm and PyPI with Impersonated Dev Tools for Credential Theft

The Socket Threat Research Team has unearthed a trio of malicious packages, two hosted...

Hackers Exploit Legitimate Microsoft Utility to Deliver Malicious DLL Payload

Hackers are now exploiting a legitimate Microsoft utility, mavinject.exe, to inject malicious DLLs into...