{
	"id": "59441e4e-34d2-488d-8438-c467cf90eb81",
	"created_at": "2026-04-06T01:31:46.643312Z",
	"updated_at": "2026-04-10T03:21:34.406041Z",
	"deleted_at": null,
	"sha1_hash": "359727de08ce12302ddcf7674375ff90df54acf8",
	"title": "New HTML Smuggling Attack Alert: Duri",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 492966,
	"plain_text": "New HTML Smuggling Attack Alert: Duri\r\nBy Krishnan Subramanian\r\nPublished: 2020-08-16 · Archived: 2026-04-06 01:02:44 UTC\r\nHTML smuggling campaign is stopped by the Menlo Security Cloud Platform\r\nMenlo Security has been closely monitoring an attack we are naming “Duri.” Duri leverages HTML smuggling to\r\ndeliver malicious files to users’ endpoints by evading network security solutions such as sandboxes and legacy\r\nproxies. Isolation prevents this attack from infecting the endpoint. Here’s what we know.\r\nWhat Is HTML Smuggling?\r\nThe goal of HTML smuggling is to make use of HTML5/JavaScript features to deliver file downloads, and it\r\nusually comes in two flavors:\r\nDeliver the download via Data URLs on the client device.\r\nCreate a JavaScript blob with the appropriate MIME type that results in a download on the client device.\r\nIn this specific attack, we observed the JavaScript blob technique being used to smuggle malicious files via the\r\nbrowser to the user’s endpoint. Constructing content on the client browser like this evades network security\r\nsolutions such as sandboxes and proxies.\r\nWhat is Duri?\r\nAccording to our observations, the Duri campaign started in the beginning of July and is currently active. Earlier\r\nthis month, we identified a user’s visit to a website and subsequent file download, which was blocked because it\r\nwas suspicious. Upon investigation, we discovered that the file was downloaded through HTML\r\nsmuggling. Traditional network security solutions such as proxies, firewalls, and sandboxes rely on the transfer of\r\nobjects over the wire. For example, a sandbox might extract file objects such as .exe, .zip, and other suspicious\r\nobjects from the wire and then send them to the sandbox for detonation. 
With Duri, the entire payload is\r\nconstructed on the client side (browser), so no objects are transferred over the wire for the sandbox to inspect.\r\nWhat tactics does Duri use?\r\nThe malware that Duri downloads is not new. According to Cisco, it has previously been delivered via Dropbox,\r\nbut the attackers have now replaced Dropbox with other cloud hosting providers and have blended in the HTML\r\nsmuggling technique to infect endpoints. We speculate that this change in tactic is being used to increase the\r\nsuccess rate of compromised endpoints.\r\nLanding Page\r\nhttps://www.menlosecurity.com/blog/new-attack-alert-duri\r\nPage 1 of 7\n\nOnce the user clicks on the link, there are multiple levels of redirection before the user lands on an HTML page\r\nhosted on duckdns[.]org. The landing page invokes a JavaScript onload handler that initializes data for a blob object from\r\na base64-encoded variable as shown below.\r\nAs seen above, a ZIP file is dynamically constructed from the blob object with MIME type octet/stream and is\r\ndownloaded to the endpoint. The user still needs to open the ZIP file and execute its contents.\r\nMalicious MSI Dropper\r\nThe ZIP archive contains an MSI file [T1218.007]. 
The .msi file extension indicates that the file is a Microsoft\r\nWindows installer and contains the application and all of its dependencies.\r\nunzip PUVG OKZAGE SBKZXONA ETRWDDQGBL .zip\r\nArchive: PUVG OKZAGE SBKZXONA ETRWDDQGBL .zip\r\n inflating: PUVG OKZAGE SBKZXONA ETRWDDQGBL (869261) .msi\r\nfile PUVG OKZAGE SBKZXONA ETRWDDQGBL (869261) .msi\r\nPUVG OKZAGE SBKZXONA ETRWDDQGBL (869261) .msi: Composite Document File V2 Document, Little Endian, Os: Windows\r\nExamining the MSI file shows that there is an execute script code action defined in\r\nthe custom action of the MSI contents:\r\nMicrosoft JSCRIPT Analysis\r\nThe embedded JSCRIPT is obfuscated, and it performs the following actions upon invocation:\r\nFetches a ZIP file from a remote location: hxxp://104[.]214[.]115[.]159/mod/input20[.]jpg\r\nThe extension in the URL is .jpg, but it is a ZIP file.\r\nThe ZIP file is downloaded to the Public Documents folder and two files are extracted from the ZIP\r\narchive: Avira.exe and rundll.exe.\r\nThe Avira.exe file is renamed to a randomly named EXE file. 
The rundll.exe file is renamed to a randomly\r\nnamed file with a .bmp extension.\r\nA LNK file gets created in the %appdata% (roaming) folder, and the target of the LNK file is set to the\r\nrandomly renamed Avira.exe file [T1547.009].\r\nIt achieves persistence by creating an autorun key for the above LNK file [T1547.001].\r\nThe final command that gets run is [T1059.001]:\r\npowershell.exe cd;cd 'C:\\Users\\John Smith\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup';Start-Sleep -s 60;Start-Process 'YOUXQNWXME.lnk'\r\nThe extracted Avira.exe file was a signed ~500MB file from Avira, which was accompanied by a rundll.exe,\r\nand there was no evidence of process injection or side-loading techniques observed that could be used to\r\nfurther analyze and examine the behavior.\r\nHow does Menlo Security get visibility into Duri?\r\nWhile traditional security solutions rely on a detect-and-respond approach to cybersecurity, Menlo enables a Zero\r\nTrust approach by forcing a block-or-isolate decision at the point of click. All content is fetched and executed in a\r\nremote browser and is cut off from the endpoint, while only safe mirrored content reaches the user’s device. This\r\nprevents malware from accessing the endpoint. Campaigns like Duri, in which JavaScript is used to\r\nprogrammatically and dynamically generate the malicious payload, cannot evade the Menlo platform.\r\nDownloading files via Menlo is a two-step process. Every file download in the isolated browser triggers a unique\r\nevent on our platform—whether it's because of a DataURL, a JavaScript blob download, or a link. As a result, the\r\nMenlo platform enables enhanced visibility into the contents of every file. Attackers are constantly tweaking their\r\ntactics in an effort to evade and bypass security solutions—forcing tools that rely on a detect-and-respond\r\napproach to always play catch-up. 
We believe HTML smuggling is one such technique that will be incorporated\r\ninto the attackers’ arsenal and used more often to deliver the payload to the endpoint without network solutions\r\nblocking it. Menlo’s isolation approach prevents all content from reaching the endpoint—effectively blocking all\r\nmalware without impacting the native user experience. It’s security without compromise.\r\nAppendix\r\nReferences:\r\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs\r\nhttps://developer.mozilla.org/en-US/docs/Web/API/Blob\r\nhttps://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/analysis-abuse-of-custom-actions-in-windows-installer-msi-to-run-malicious-javascript-vbscript-and-powershell-scripts/\r\nIOC—URLs\r\nhxxp://huzirh.com/hidrol/\r\nhxxp://isocamprh.com.br/\r\nhxxp://hxxp.plasticospr.com/webmailgrupo?nzn11t6c68b5k40ry31c903ez3xaq/formulario_correios_37.pdf\r\nhxxp://gmpbusdoor.com/\r\nhxxp://hxxp.isocamprh.com.br/incolajes\r\nhxxp://iboxrh.com/consultoriarh?1e0wq712tctv0232v000lnjsn4c7a/boleto.3673.pdf\r\nhxxp://www.isocamprh.com.br/incolajes\r\nhxxp://hxxp.isocamprh.com.br/incolajes/\r\nhxxp://isocamprh.com.br/incolajes?page=boletos\u0026idBoleto=8868\r\nhxxp://hxxp.westermarh.com/waycompany?WhatsApp_Historico_de_Conversas?whatsapphistorico/index.html?visualizar=c06e8cf10aeaf00c33360d2b2bfb6792\r\nhxxp://hxxp.grentrepostorh.com/\r\nhxxp://update-completo.com/\r\nhxxp://plasticospr.com/webmailgrupo?fotoswhatsapps/Imagem.htmldigitaloceanspaces.com/Fotos.html\r\nhxxp://ultrafarmarh.com/transglobal?WhatsApp_Historico_de_Conversas?whatsapphistorico/index.html?visualizar=c06e8cf10aeaf00c33360d2b2bfb6792\r\nhxxp://hidrolrh.com/\r\nhxxp://hxxp.casadaembalagemriopreto.com/officeclean?NZN11T6C68B5K40RY31C903EZ3XAQ/Formulario_Correios_37.pdf\r\nhxxp://www.fjpconstrucoes.com/predilecta\r\nhxxp://grentrepostorh.com/webmailgrupo?page=boletos\u0026idBoleto=8868\r\nhxxp://casadaembalagemriopreto.com/officeclean?PU106006743Z5QP2SL6RC00CT2330/Boletim_Registrado38361526.pdf\r\nhxxp://grjseguros.com/\r\nhxxp://hxxp.huzirh.com/hidrol?page=boletos\u0026idBoleto=8868\r\nhxxp://usinasalgado.com/contabilidadecnt\r\nhxxp://westermarh.com/\r\nhxxp://www.fjpconstrucoes.com/predilecta\r\nhxxp://fjpconstrucoes.com/\r\nhxxp://www.graphiczonerh.com/mobile?WhatsApp_Historico_de_Conversas?whatsapphistorico/index.html?visualizar=c06e8cf10aeaf00c33360d2b2bfb6792\r\nhxxp://www.westermarh.com/waycompany?WhatsApp_Historico_de_Conversas?whatsapphistorico/index.html?visualizar=c06e8cf10aeaf00c33360d2b2bfb6792\r\nhxxp://www.iboxrh.com/\r\nhxxp://westermarh.com/waycompany?WhatsApp_Historico_de_Conversas?whatsapphistorico/index.html?visualizar=c06e8cf10aeaf00c33360d2b2bfb6792\r\nhxxp://hxxp.grjseguros.com/\r\nhxxp://grentrepostorh.com/\r\nhxxp://hxxp.continentalnetrh.com/tbvc?get-facebook-verified/get-facebook-verified.html\r\nhxxp://hxxp.westermarh.com/waycompany\r\nhxxp://hxxp.fachiniengenharia.com/predilecta\r\nhxxp://gmpbusdoor.com/furnax\r\nhxxp://hxxp.plasticospr.com/webmailgrupo?NZN11T6C68B5K40RY31C903EZ3XAQ/Formulario_Correios_37.pdf\r\nhxxp://hxxp.update-completo.com/consultrh?page=boletos\r\nhxxp://www.grentrepostorh.com/webmailgrupo\r\nhxxp://www.fjpconstrucoes.com/\r\nhxxp://hxxp.fachiniengenharia.com/predilecta?NZN11T6C68B5K40RY31C903EZ3XAQ/Formulario_Correios_37.pdf\r\nhxxp://fjpconstrucoes.com/predilecta\r\nhxxp://www.versatilsegurosrh.com/vbimport?woa/rest/Faturamento/v1/faturadigital/visualizar?data-vencimento\r\nhxxp://fjpconstrucoes.com/predilecta\r\nhxxp://www.laboratrh.com/contabilidadecnt?page=boletos\u0026idBoleto=8868\r\nhxxp://fachiniengenharia.com/predilecta\r\nhxxp://hxxp.hidrolrh.com/heimatschutz\r\nhxxp://fjpconstrucoes.com/predilecta?page=boletos\u0026idBoleto=8868\r\nhxxps://iboxrh.com/\r\nhxxp://fachiniengenharia.com/predilecta?page=boletos\u0026idBoleto=8868\r\nhxxp://grjseguros.com/grjseguros?PU106006743Z5QP2SL6RC00CT2330/Boletim_Registrado38361526.pdf\r\nhxxp://continentalnetrh.com/tbvc?get-facebook-verified/get-facebook-verified.html\r\nhxxp://grentrepostorh.com/webmailgrupo\r\nhxxp://isocamprh.com.br/incolajes?page=boletos\u0026amp\r\nhxxp://hxxp.westermarh.com/\r\nhxxp://fachiniengenharia.com/predilecta?page=boletos\u0026idBoleto=8868\r\nhxxp://hidrolrh.com/heimatschutz\r\nhxxp://bustvch.com/\r\nhxxp://hxxp.grentrepostorh.com/webmailgrupo?PU106006743Z5QP2SL6RC00CT2330/Boletim_Registrado38361526.pdf\r\nhxxp://isocamprh.com.br/incolajes?page=boletos\u0026idBoleto=8868\r\nhxxp://fjpconstrucoes.com/predilecta?page=boletos\u0026idBoleto=8868\r\nhxxp://casadaembalagemriopreto.com/\r\nhxxp://hxxp.bustvch.com/\r\nhxxp://iboxrh.com/\r\nhxxp://hxxp.fjpconstrucoes.com/predilecta?PU106006743Z5QP2SL6RC00CT2330/Boletim_Registrado38361526.pdf\r\nhxxp://www.continentalnetrh.com/tbvc?WhatsApp_Historico_de_Conversas?whatsapphistorico/index.html?visualizar=c06e8cf10aeaf00c33360d2b2bfb6792\r\nhxxp://bustvch.com/adinoxrs\r\nhxxp://hxxp.ultrafarmarh.com/transglobal?WhatsApp_Historico_de_Conversas?whatsapphistorico/index.html?visualizar=c06e8cf10aeaf00c33360d2b2bfb6792\r\nhxxp://hxxp.update-completo.com/consultrh?page=boletos\u0026idBoleto=8868\r\nhxxp://hxxp.casadaembalagemriopreto.com/\r\nSource: https://www.menlosecurity.com/blog/new-attack-alert-duri",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.menlosecurity.com/blog/new-attack-alert-duri"
	],
	"report_names": [
		"new-attack-alert-duri"
	],
	"threat_actors": [],
	"ts_created_at": 1775439106,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/359727de08ce12302ddcf7674375ff90df54acf8.pdf",
		"text": "https://archive.orkl.eu/359727de08ce12302ddcf7674375ff90df54acf8.txt",
		"img": "https://archive.orkl.eu/359727de08ce12302ddcf7674375ff90df54acf8.jpg"
	}
}