Embedded Code Attacks by File Type
Prevalence of malware in multimedia files (2023-2025)
[Chart: bar graph of the share of analyzed malware samples by carrier file type. SVG images 29%, Office files 23%, JPEG images 18%, PNG images 12%, video files 10%, audio files 8%; the same figures appear in the table at the end of the page.]
Source: Multiple security vendor analyses (2023-2025)
Introduction: Multimedia as a Hidden Attack Surface
In recent years, attackers have turned everyday image, video, and office files into stealthy malware delivery mechanisms. Formats that once seemed benign—SVG, JPEG, PNG, and even video files—are being abused to hide malicious code, launch ransomware, or steal user credentials. Organizations and individuals must now rethink how they handle and trust digital media in emails, websites, and chats.
Examples: Real-World Attacks in 2025
- SVG files with embedded malware: Attackers in 2024–2025 increasingly used SVG image attachments to deliver malware such as the XWorm RAT and the Agent Tesla keylogger. Using tools such as AutoSmuggle, adversaries place malicious JavaScript or external links inside the image's XML structure. Because SVG is XML rather than a pixel format, a script element or an onload handler runs whenever the file is opened as a document (a browser tab, or an email client that renders the attachment inline); the SVG can then redirect the victim to a phishing page or decode and drop an embedded payload in the browser (HTML smuggling). (Source: cybersecasia)
- JPEG/PNG images as ransomware carriers: Ransomware campaigns in 2025 used steganography to hide executable code in the pixel data or metadata of JPEG images. A seemingly harmless photo, distributed via phishing email, does not execute by itself: a loader delivered alongside it, or already present on the machine, extracts the hidden payload and runs it, leading to rapid device encryption and data loss. (Source: lepide)
- Malformed DNG and video files: Advanced campaigns exploited malformed DNG (Digital Negative) image files that carried ZIP archives containing spyware. The LANDFALL spyware used a Samsung Galaxy zero-day in the device's image-processing library (CVE-2025-21042) to execute code when the image was parsed, so merely receiving the file was enough; it was often distributed via messaging apps such as WhatsApp. (Source: Unit 42, Palo Alto Networks)
- Interactive Office files with macros or embedded scripts: MHTML or DOCX files with embedded script or macro payloads continue to evade signature-based scanners, and multi-stage attacks often need dynamic analysis to detect.
How Attackers Evade Detection
Attackers exploit:
- Obscure image/video formats and metadata fields (EXIF and XMP blocks, TIFF tags, bytes appended after the end-of-image marker) as places to store payloads.
- Vulnerabilities in media parsers, including zero-days such as the Samsung image-processing library bug exploited by LANDFALL.
- The trust users place in common content types, which basic security awareness training rarely covers.
Many attacks use multi-stage payloads or encrypted archives inside images that unpack and activate only if a user follows a precise sequence of steps, so a static scan of the image alone sees nothing executable.
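The "archives inside images" point above is easy to check mechanically, because an image's container format says where the picture ends and an appended or embedded archive announces itself with a signature. The following is an added example (not from the page or from any vendor report it cites): it walks JPEG marker segments and PNG chunks to find the legitimate end of the image, reports any trailing bytes, and scans the whole file for a ZIP local-file header, listing the archive's members when the archive is readable. A DNG is a TIFF container with no end marker, so for it only the signature scan applies. The image skeletons, the ZIP member name `update.so` and the payload bytes are constructed for the example.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Constructed container skeletons (not real photos): a JPEG with only an APP0
# segment, a PNG with only its IEND chunk, and a DNG/TIFF header with an empty
# IFD. They carry the same signatures and end markers as real files.
JPEG_MIN = (b"\xff\xd8" + b"\xff\xe0" + b"\x00\x10" + b"JFIF\x00" + b"\x01\x01"
            + b"\x00" + b"\x00\x01\x00\x01" + b"\x00\x00" + b"\xff\xd9")
PNG_MIN = PNG_SIG + struct.pack(">I", 0) + b"IEND" + struct.pack(">I", 0xAE426082)
DNG_MIN = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 0) + struct.pack("<I", 0)


def make_zip(name, content):
    """Build an in-memory ZIP with one member (stand-in for a smuggled archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def jpeg_end(data):
    """Walk JPEG marker segments; return the offset just past EOI, or None if malformed."""
    pos = 2  # skip SOI
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                                  # fill byte
            pos += 1
            continue
        if marker == 0xD9:                                  # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:        # standalone: TEM, RSTn, SOI
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:   # SOS: skip entropy-coded data (FF00 is stuffing, FFD0-D7 are restarts)
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7:
                    break
                pos += 1
    return None


def png_end(data):
    """Walk PNG chunks; return the offset just past the IEND chunk, or None."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length                                  # length + type + data + CRC
        if ctype == b"IEND":
            return pos
    return None


def image_end(data):
    """Return (format, end offset). DNG/TIFF has no end marker, so its end is None."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg", jpeg_end(data)
    if data.startswith(PNG_SIG):
        return "png", png_end(data)
    if data[:4] in (b"II*\x00", b"MM\x00*"):
        return "tiff/dng", None
    return None, None


def scan_image(data):
    """Flag bytes after the image's legitimate end and any embedded ZIP archive."""
    fmt, end = image_end(data)
    report = {"format": fmt, "image_end": end, "trailing_bytes": 0,
              "zip_offsets": [], "zip_members": []}
    if end is not None:
        report["trailing_bytes"] = max(0, len(data) - end)
    start = 0
    while (off := data.find(ZIP_LOCAL_HEADER, start)) != -1:
        report["zip_offsets"].append(off)
        start = off + len(ZIP_LOCAL_HEADER)
    if report["zip_offsets"]:
        # zipfile locates the central directory from the end of the buffer, so a
        # slice starting at the first local header is enough to list the members.
        try:
            with zipfile.ZipFile(io.BytesIO(data[report["zip_offsets"][0]:])) as zf:
                report["zip_members"] = zf.namelist()
        except zipfile.BadZipFile:
            pass
    return report


if __name__ == "__main__":
    payload = make_zip("update.so", b"\x7fELF" + b"\x00" * 32)   # constructed stand-in for spyware
    for label, blob in [("clean jpeg", JPEG_MIN), ("jpeg + zip", JPEG_MIN + payload),
                        ("dng + zip", DNG_MIN + payload), ("png + junk", PNG_MIN + b"\x00" * 64)]:
        print(label, scan_image(blob))
```

Trailing bytes are not proof of malice on their own (some cameras and editors append data), but trailing bytes that parse as an archive, or a ZIP header anywhere inside a DNG, are worth quarantining; the check is cheap enough to run on every inbound attachment before it reaches a real decoder.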
Prevention Strategies
- Disable unnecessary scripting in office and media applications: block macros in documents from the internet, and do not let mail clients or web apps render SVG attachments inline. An SVG loaded through an img element cannot run scripts; one opened as a document can.
- Inspect inbound content with deep-content analysis such as CDR (Content Disarm and Reconstruction) file sanitization and behavioral sandboxes. Data after an image's end marker, or an archive signature inside an image, should be treated as a red flag even when no known signature matches.
- Regularly patch and update media libraries and viewer tools; a parser bug like the one LANDFALL exploited is only closed by the vendor's fix, and the attack needs no user interaction to reach the parser.
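The SVG case in the examples above (JavaScript or external links hidden in the XML) and the CDR recommendation are illustrated together by the following added example, which is not from the page or from any product it mentions. It parses an SVG, reports active content (script and foreignObject elements, on* event handlers, javascript: or external hrefs) plus the decode-and-download idiom that AutoSmuggle-style lures use, and then strips that content the way a CDR step would while leaving the drawing intact. The sample SVG, the hostname login-example.invalid and the finding strings are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # so serialized output keeps svg as the default namespace
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute code or embed foreign content when the SVG is opened as a document.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# JavaScript idioms that turn a base64 blob into a downloaded file (the HTML-smuggling pattern).
SMUGGLING_HINTS = re.compile(r"atob\(|new Blob\(|createObjectURL|\.download\s*=|location\s*[.=]", re.I)

# Constructed sample in the style of an AutoSmuggle-generated lure: a drawing, a phishing
# link, and a script that decodes a base64 ZIP header ("UEsDBA==" is "PK\x03\x04") and
# forces a download. Hostname and content are made up for this example.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <rect width="100" height="100" fill="#ccc"/>
  <a xlink:href="https://login-example.invalid/verify"><text y="50">Open document</text></a>
  <script><![CDATA[
    var raw = atob("UEsDBA==");
    var blob = new Blob([raw], {type: "application/octet-stream"});
    var link = document.createElement("a");
    link.href = URL.createObjectURL(blob); link.download = "Invoice.zip"; link.click();
  ]]></script>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#08c"/></svg>'


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.split("}", 1)[1] if "}" in name else name


def _risky_ref(value):
    """True for hrefs that leave the file or carry code; '#id' and data:image/ are normal in SVG."""
    v = value.strip().lower()
    return v.startswith(("javascript:", "http://", "https://", "//")) or (
        v.startswith("data:") and not v.startswith("data:image/"))


def audit_svg(svg_bytes):
    """Return a list of findings; an empty list means nothing active was found."""
    # Production code should parse with defusedxml to neutralise entity-expansion tricks.
    root = ET.fromstring(svg_bytes)
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
            if name == "script" and SMUGGLING_HINTS.search(el.text or ""):
                findings.append("script decodes/downloads a blob (HTML smuggling pattern)")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and _risky_ref(value):
                findings.append(f"external or scripted reference on <{name}>: {value}")
    return findings


def sanitize_svg(svg_bytes):
    """Content disarm and reconstruction: keep drawing primitives, drop anything active."""
    root = ET.fromstring(svg_bytes)

    def scrub(el):
        for attr in list(el.attrib):
            aname = _local(attr)
            if aname.startswith("on") or (aname == "href" and _risky_ref(el.attrib[attr])):
                del el.attrib[attr]
        for child in list(el):
            if _local(child.tag) in ACTIVE_ELEMENTS:
                el.remove(child)
            else:
                scrub(child)

    scrub(root)
    return ET.tostring(root)


if __name__ == "__main__":
    for finding in audit_svg(MALICIOUS_SVG):
        print("finding:", finding)
    print(sanitize_svg(MALICIOUS_SVG).decode())
```

The audit is a heuristic for triage, not a proof of safety; the sanitizer is the stronger control because it removes the capability rather than matching a pattern. Both should run on the bytes before any renderer touches them, and a gateway that must display SVG previews should do so through an img element, which disables scripting regardless of what the file contains.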
Chart: Prevalence of Embedded Code Attacks by File Type (2023–2025)

| File Type | % of Analyzed Malware Samples |
|---|---|
| SVG (Image/Vector) | 29% |
| Office Files (DOCX, MHTML) | 23% |
| JPEG (Image) | 18% |
| PNG (Image) | 12% |
| Video (WMV, MP4) | 10% |
| Audio (MP3/WAV) | 8% |