{
	"id": "17cabd48-53c3-4ac3-b174-42aad34561b1",
	"created_at": "2026-04-06T00:15:58.719755Z",
	"updated_at": "2026-04-10T13:12:45.964633Z",
	"deleted_at": null,
	"sha1_hash": "19667fefe16db8fe93d094da0b476bbaa5ddeab4",
	"title": "HTML Smuggling and GitHub Hosted Malware TechBlog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 187312,
	"plain_text": "HTML Smuggling and GitHub Hosted Malware TechBlog\r\nBy Karsten Hahn\r\nPublished: 2019-05-09 · Archived: 2026-04-05 18:26:43 UTC\r\n05/09/2019\r\nReading time: 2 min (555 words)\r\nSometimes we see odd stuff, like malware that employs a technique called \"HTML Smuggling\". Also, malware on GitHub seems to be a thing these days.\r\n\"That's strange...\"\r\nMany important discoveries do not start with a shout of „Eureka” anymore, as they did in the days of old. Instead, the most intriguing bits of modern research will at some point contain the phrase “That’s strange…”, followed by more prodding and poking and – hopefully – a lightbulb moment. This series, which we call \"Strange Bits\", contains findings that struck our analysts as odd, either because they did not seem to make any sense at the time or because a malicious program exhibits behaviors that none of us have seen before. Maybe these findings will spark ideas in fellow researchers – or maybe they are just what it says on the tin: strange….\r\nDanaBot loader uses HTML smuggling\r\nThis email has an unusual way of storing the contained malware. The email[1] displays Polish text which prompts the user to click on a download link. The translated text says \"This file cannot be previewed. You can download the file.\"\r\nThe \u003ca\u003e tag for this link has a download attribute with the name of the dropped ZIP archive: dokumentacja_28380.zip[2]. However, the data referenced in the href attribute is not downloaded from a URL but is stored inline as a base64 string using the data URI scheme, so the archive is assembled by the browser from the page itself. This is also called HTML smuggling (thanks to Rich Warren, who pointed me to the blog post describing it).\r\nhttps://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github\r\nPage 1 of 5\r\n\r\nThe dropped ZIP archive contains a file named dokumentacja_28380.vbe[3]. Despite its file extension it is not encoded but plain VBScript. The obfuscated script retrieves a PowerShell command which downloads DanaBot[4] to the %TEMP% folder and executes it.\r\n\r\nGitHub repositories host coinminer malware and settings as base64 strings\r\nThe GitHub user errorsysteme and their repositories were taken down after G DATA researchers discovered that they hosted malware. The repositories were discovered via a downloader sample[5].\r\nThe user has two repositories; both contain text files with base64 strings of PE binaries and configuration files. The repository wask only contains a file named data_lssas[6]. This file is downloaded and executed initially and will in turn obtain and install files and settings from the base repository.\r\nThe PE files named WerFault64[7] and WerFault86[8] are modified versions of the Non-Sucking Service Manager (NSSM). The file properties and icons have been changed to imitate Microsoft's actual WerFault.exe, which is used for error reporting. The modified NSSM is used to install the malware as a service on the system.\r\nA file named parameters contains the settings for the coinminer malware.\r\nThe actual coinminer consists of the files data_cash64[9] and data_cash86[10] in the base repository.\r\nReferenced Samples\r\nRef | Description | Filename | SHA256\r\n[1] | DanaBot Loader Email | (none) | dde37964ab9f749e1c48a88202ad6c5fd03bd2c82e67736e42fc02fe912be6ba\r\n[2] | DanaBot Loader ZIP archive | dokumentacja_28380.zip | f4d1a4ce0ad334b31aa444ab9ced0d9d1eb581f889f3dbcfc1050eea474ad3cf\r\n[3] | DanaBot Loader VBScript | dokumentacja_28380.vbe | 0222fecff6c56e7af6f1502328478283c46e7a243ef2edcac466c2acda5e3eb9\r\n[4] | DanaBot Payload | DbBf | bfce42e325a9b999d1630a7ccc27ac8260104fb47bfc768637e2a2a687b65855\r\n[5] | Initial GitHub malware downloader | (none) | 4b4c45569b1b7c3c114a633ec0a54864cd91fd99bea2645803d23e78f9fcd81c\r\n[6] | GitHub downloader in wask repository | data_lssas | 0075b6e78cebc1ed63a495918620aa7220ddabf7c9e501bc840d724ce930d2d3\r\n[7] | Modified NSSM 64 bit version | WerFault64 | 3335ec57681b238846e0d19a3459dc739d11dfaf36722b7f19e609a96b97ad92\r\n[8] | Modified NSSM 32 bit version | WerFault86 | 2f979194413c1b40a9d11bc4031d1672cd445d64b60343f6d308e4df0d2bdc6b\r\n[9] | Coinminer 64 bit version | data_cash64 | c3d982038039828f201a93b323b2b76f8e0db20a81aee89334afa22a4c83f36f\r\n[10] | Coinminer 32 bit version | data_cash86 | 8521c866fd37499631e6e1b0902a21e555e565d609bb6e2402eb86dec8743fa9\r\nSource: https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github"
	],
	"report_names": [
		"31695-strange-bits-smuggling-malware-github"
	],
	"threat_actors": [],
	"ts_created_at": 1775434558,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19667fefe16db8fe93d094da0b476bbaa5ddeab4.pdf",
		"text": "https://archive.orkl.eu/19667fefe16db8fe93d094da0b476bbaa5ddeab4.txt",
		"img": "https://archive.orkl.eu/19667fefe16db8fe93d094da0b476bbaa5ddeab4.jpg"
	}
}