Facebook users are unknowingly promoting shady posts after clicking booby-trapped images hidden deep inside dangerous SVG files on adult websites

Malicious SVG files are being weaponized to secretly like Facebook posts without user consent
Attackers hide obfuscated JavaScript in images to bypass detection and execute dangerous social media hijacks
Trojan.JS.Likejack silently boosts targeted Facebook posts by exploiting active sessions of unsuspecting victims

Security researchers have uncovered dozens of adult websites which are embedding malicious code inside Scalable Vector Graphics (.svg) files.

Unlike common image formats such as JPEG or PNG, SVG files use XML text to define images, which can include HTML and JavaScript.

This feature makes SVG suitable for interactive graphics but also opens the door for exploitation through attacks like cross-site scripting and HTML injection.

How the clickjacking attack works

Research from Malwarebytes found selected visitors to these websites encounter booby-trapped SVG images.

When clicked, the files run heavily obfuscated JavaScript code, sometimes using a hybrid version of a technique known as “JSFuck” to disguise the script’s true purpose.

Once decoded, the code downloads further JavaScript, ultimately deploying a payload identified as Trojan.JS.Likejack.

If the victim has a Facebook session open, the malware silently clicks “Like” on a targeted post without consent, boosting its visibility in social feeds.

The boost in visibility increases the chances that the targeted post will appear in more users’ feeds, effectively turning unsuspecting visitors into promoters without their knowledge.

The abuse of SVG files is not new. Two years ago, pro-Russian hackers exploited the format to carry out a cross-site scripting attack against Roundcube, a webmail platform used by millions.

More recently, phishing campaigns have used SVG files to open fake Microsoft login screens pre-filled with victims’ email addresses.

Researchers found many of these attacks originate from interconnected websites, often hosted on platforms like blogspot[.]com, and sometimes offering explicit celebrity images likely generated by artificial intelligence.

Facebook routinely shuts down accounts involved in such abuses, but those behind the campaigns often return with new profiles.

As more regions introduce age verification rules for adult content, some users may turn to less-regulated sites that deploy aggressive promotion tactics.

How to stay safe

The effect of this campaign goes beyond unwanted social media interactions. These tactics can be used for more harmful purposes, including identity theft or credential harvesting.

Experts recommend using updated security suites that can detect and block suspicious domains.

Also, ensure that your system has a properly configured firewall to prevent unauthorized data transfers.

Real-time protection can help identify threats before they execute, and awareness of file formats capable of running code is essential.

While using a VPN can help maintain privacy, it is not a substitute for strong endpoint protection and cautious online behavior.

Above all – be careful about what you click on the internet.

What's Hot

Battlefield 6 devs promise massive map variety this weekend

Call of Duty: Black Ops 7 Leak Claims Nov. 14 Release Date, No Switch 2 Version Yet

9 Best Pillows (2025) Tested For Side, Back, and Stomach Sleepers

Back to School: How Teachers Can Use AI to Create Assignments Students Actually Want to Do

iPhone 17 Pro’s physical SIM card slot purportedly shown in leaked images

Lenovo Legion 5i review: Great performance, confusing pricing

Apple Pencil With ‘Trackball’ Tip, Ability to Draw on Any Surface Described in Patent Document

Samsung Galaxy Z Fold 7 and Galaxy Z Flip 7: First Impressions

The Bezos-funded climate satellite is lost in space

Most Popular

Best Fitbit fitness trackers and watches in 2025

There are still 200+ Prime Day 2025 deals you can get

The best earbuds we’ve tested for 2025

Our Picks