Microsoft Says HTML Smuggling Attacks On The Rise

Microsoft says it has observed an increase in the use of HTML smuggling in malicious attacks distributing remote access Trojans (RATs), banking malware, and other malicious payloads.

HTML smuggling leverages HTML5/JavaScript features to write a file onto the victim's machine from within the browser. In these attacks, the file is an encoded malicious script designed to assemble the final payload directly on the victim's computer.

Phishing emails are used either to deliver specially crafted HTML attachments or to direct the intended victim to a malicious web page designed to smuggle the script.

Microsoft said it observed the Chinese threat actor NOBELIUM leveraging the technique in a series of attacks in May, and is now seeing the same method being used to deliver AsyncRAT/NJRAT, Trickbot, and the banking Trojan Mekotio.

Because the malicious payload is built behind the firewall, the technique allows adversaries to easily bypass standard perimeter security controls that check network traffic for suspicious attachments or patterns.

“Because the malicious files are created only after the HTML file is loaded on the endpoint through the browser, what some protection solutions only see at the onset are benign HTML and JavaScript traffic, which can also be obfuscated to further hide their true purpose,” Microsoft said.

The tech giant said it observed HTML smuggling being used in attacks against banking users in Brazil, Mexico, Spain, Peru, and Portugal, where adversaries were looking to infect victim systems with either Mekotio or Ousaban.

The technique is also making its way into the arsenal of sophisticated threat actors, such as NOBELIUM.

In July and August, adversaries employed HTML smuggling to deliver remote access Trojans (RATs) such as AsyncRAT/NJRAT, while in September the method was used to deploy Trickbot, likely by DEV-0193, an emerging financially motivated cybercrime ring.

The threat actor mainly targets healthcare and education organizations, and shows close connections with ransomware operators, such as those behind Ryuk. DEV-0193 seeks to compromise organizations to sell unauthorized access to ransomware operators.

Disabling JavaScript could prevent such attacks, but that option might not be viable within enterprise environments, where business-related pages and other legitimate resources depend on JavaScript. Thus, a multi-layered defensive approach is recommended.
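As an illustration of one such defensive layer, the following Python script (an added example, not code from Microsoft or SecurityWeek) scans an HTML attachment for the JavaScript building blocks the article describes: a long base64 literal, `atob` decoding, `Blob` construction, object-URL creation, and a forced download of a file with an executable extension. The indicator names, weights, threshold and both sample documents are my own constructed assumptions; a real mail gateway or EDR rule would tune them against its own traffic.

```python
import base64
import re

# Heuristic indicators of HTML smuggling. Each entry is (name, regex, weight).
# Names and weights are assumptions chosen for this example, not a vendor rule set.
INDICATORS = [
    ("base64_decode_call", re.compile(r"\batob\s*\(", re.I), 2),
    ("blob_construction", re.compile(r"\bnew\s+Blob\s*\(", re.I), 2),
    ("object_url_creation", re.compile(r"URL\.createObjectURL\s*\(", re.I), 2),
    ("legacy_ie_save_blob", re.compile(r"msSaveOrOpenBlob", re.I), 3),
    # either a.download = '...' in script or a download="..." attribute in markup
    ("programmatic_download", re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I), 2),
    ("synthetic_click", re.compile(r"\.click\s*\(\s*\)", re.I), 1),
    # a quoted filename ending in an extension that commonly carries a dropper
    ("executable_filename",
     re.compile(r"[\"'][^\"']{0,64}\.(exe|jse|vbs|hta|iso|img|zip|lnk|wsf|msi)[\"']", re.I), 2),
]

# A contiguous run of base64 characters this long rarely appears in ordinary pages.
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{2048,}={0,2}")
LONG_BASE64_WEIGHT = 3
SUSPICIOUS_THRESHOLD = 6  # assumption; tune against your own attachment corpus


def score_html(html: str) -> dict:
    """Return the matched indicator names, a weighted score and a verdict for one HTML document."""
    matched = []
    score = 0
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            matched.append(name)
            score += weight
    if LONG_BASE64.search(html):
        matched.append("long_base64_literal")
        score += LONG_BASE64_WEIGHT
    return {"score": score, "indicators": matched, "suspicious": score >= SUSPICIOUS_THRESHOLD}


# Constructed benign sample: an ordinary page with a script tag and a PDF download link.
BENIGN_SAMPLE = """<html><head><script src="/static/app.js"></script></head>
<body><h1>Quarterly report</h1>
<a href="/reports/q3.pdf" download="q3.pdf">Download the PDF</a>
<script>document.getElementById('x').addEventListener('click', function () {});</script>
</body></html>"""

# Constructed suspicious sample: the "payload" is just 3000 'A' bytes, so nothing
# harmful is produced; only the structural pattern the article describes is present.
_FAKE_PAYLOAD = base64.b64encode(b"A" * 3000).decode()
SUSPICIOUS_SAMPLE = f"""<html><body><script>
var d = "{_FAKE_PAYLOAD}";
var b = new Blob([atob(d)]);
var a = document.createElement('a');
a.href = URL.createObjectURL(b);
a.download = 'invoice.iso';
a.click();
</script></body></html>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        result = score_html(doc)
        print(f"{label}: score={result['score']} suspicious={result['suspicious']} "
              f"indicators={result['indicators']}")
```

The benign page trips only the `download=` attribute indicator and stays well under the threshold, while the smuggling pattern accumulates a high score from several independent indicators. Because the article notes that the JavaScript is often obfuscated, a production rule would add a decoding or sandboxed-rendering stage in front of these regexes rather than relying on them alone.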

Related: Ongoing Campaign Uses HTML Smuggling for Malware Delivery

Related: IcedID Trojan Operators Experimenting With New Delivery Methods

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
