- Malicious SVG files are being weaponized to secretly like Facebook posts without user consent
- Attackers hide obfuscated JavaScript in images to bypass detection and execute dangerous social media hijacks
- Trojan.JS.Likejack silently boosts targeted Facebook posts by exploiting active sessions of unsuspecting victims
Security researchers have uncovered dozens of adult websites which are embedding malicious code inside Scalable Vector Graphics (.svg) files.
Unlike common image formats such as JPEG or PNG, SVG files use XML text to define images, which can include HTML and JavaScript.
This feature makes SVG suitable for interactive graphics but also opens the door for exploitation through attacks like cross-site scripting and HTML injection.
How the clickjacking attack works
Research from Malwarebytes found selected visitors to these websites encounter booby-trapped SVG images.
When clicked, the files run heavily obfuscated JavaScript code, sometimes using a hybrid version of a technique known as “JSFuck” to disguise the script’s true purpose.
Once decoded, the code downloads further JavaScript, ultimately deploying a payload identified as Trojan.JS.Likejack.
If the victim has a Facebook session open, the malware silently clicks “Like” on a targeted post without consent, boosting its visibility in social feeds.
The boost in visibility increases the chances that the targeted post will appear in more users’ feeds, effectively turning unsuspecting visitors into promoters without their knowledge.
The abuse of SVG files is not new. Two years ago, pro-Russian hackers exploited the format to carry out a cross-site scripting attack against Roundcube, a webmail platform used by millions.
More recently, phishing campaigns have used SVG files to open fake Microsoft login screens pre-filled with victims’ email addresses.
Researchers found many of these attacks originate from interconnected websites, often hosted on platforms like blogspot[.]com, and sometimes offering explicit celebrity images likely generated by artificial intelligence.
Facebook routinely shuts down accounts involved in such abuses, but those behind the campaigns often return with new profiles.
As more regions introduce age verification rules for adult content, some users may turn to less-regulated sites that deploy aggressive promotion tactics.
How to stay safe
The effect of this campaign goes beyond unwanted social media interactions. These tactics can be used for more harmful purposes, including identity theft or credential harvesting.
Experts recommend using updated security suites that can detect and block suspicious domains.
Also, ensure that your system has a properly configured firewall to prevent unauthorized data transfers.
Real-time protection can help identify threats before they execute, and awareness of file formats capable of running code is essential.
While using a VPN can help maintain privacy, it is not a substitute for strong endpoint protection and cautious online behavior.
Above all – be careful about what you click on the internet.
