Facebook users are unknowingly promoting shady posts after clicking booby-trapped images hidden deep inside dangerous SVG files on adult websites

Malicious SVG files are being weaponized to secretly like Facebook posts without user consent
Attackers hide obfuscated JavaScript in images to bypass detection and execute dangerous social media hijacks
Trojan.JS.Likejack silently boosts targeted Facebook posts by exploiting active sessions of unsuspecting victims

Security researchers have uncovered dozens of adult websites which are embedding malicious code inside Scalable Vector Graphics (.svg) files.

Unlike common image formats such as JPEG or PNG, SVG files use XML text to define images, which can include HTML and JavaScript.

This feature makes SVG suitable for interactive graphics but also opens the door for exploitation through attacks like cross-site scripting and HTML injection.

How the clickjacking attack works

Research from Malwarebytes found selected visitors to these websites encounter booby-trapped SVG images.

When clicked, the files run heavily obfuscated JavaScript code, sometimes using a hybrid version of a technique known as “JSFuck” to disguise the script’s true purpose.

Once decoded, the code downloads further JavaScript, ultimately deploying a payload identified as Trojan.JS.Likejack.

If the victim has a Facebook session open, the malware silently clicks “Like” on a targeted post without consent, boosting its visibility in social feeds.

The boost in visibility increases the chances that the targeted post will appear in more users’ feeds, effectively turning unsuspecting visitors into promoters without their knowledge.

The abuse of SVG files is not new. Two years ago, pro-Russian hackers exploited the format to carry out a cross-site scripting attack against Roundcube, a webmail platform used by millions.

More recently, phishing campaigns have used SVG files to open fake Microsoft login screens pre-filled with victims’ email addresses.

Researchers found many of these attacks originate from interconnected websites, often hosted on platforms like blogspot[.]com, and sometimes offering explicit celebrity images likely generated by artificial intelligence.

Facebook routinely shuts down accounts involved in such abuses, but those behind the campaigns often return with new profiles.

As more regions introduce age verification rules for adult content, some users may turn to less-regulated sites that deploy aggressive promotion tactics.

How to stay safe

The effect of this campaign goes beyond unwanted social media interactions. These tactics can be used for more harmful purposes, including identity theft or credential harvesting.

Experts recommend using updated security suites that can detect and block suspicious domains.

Also, ensure that your system has a properly configured firewall to prevent unauthorized data transfers.

Real-time protection can help identify threats before they execute, and awareness of file formats capable of running code is essential.

While using a VPN can help maintain privacy, it is not a substitute for strong endpoint protection and cautious online behavior.

Above all – be careful about what you click on the internet.

What's Hot

Xiaomi 16 and Xiaomi 16 Pro to get a big selfie camera upgrade

Save $100 on Surface Pro 12-inch

ChatGPT-5 Gives You Real Choices After All. Here’s a Quick Breakdown

How to silence auto-playing previews on the new Netflix app

More Than Just Free Shipping: Here Are 19 Underrated Amazon Prime Perks

Windows 11’s August patch fixes hiccups and rolls out remote recovery

Apple Pencil With ‘Trackball’ Tip, Ability to Draw on Any Surface Described in Patent Document

Samsung Galaxy Z Fold 7 and Galaxy Z Flip 7: First Impressions

The Bezos-funded climate satellite is lost in space

Most Popular

Best Fitbit fitness trackers and watches in 2025

There are still 200+ Prime Day 2025 deals you can get

The best earbuds we’ve tested for 2025

Our Picks