{
	"id": "61aa8e10-ec42-4dd7-8766-f8a14746635e",
	"created_at": "2026-04-10T03:21:55.579794Z",
	"updated_at": "2026-04-10T13:12:37.954705Z",
	"deleted_at": null,
	"sha1_hash": "79b299f779313b3c2143e61280d1b95b0197243d",
	"title": "HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 891851,
	"plain_text": "HTML smuggling surges: Highly evasive loader technique\r\nincreasingly used in banking malware, targeted attacks\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-11-11 · Archived: 2026-04-10 02:48:17 UTC\r\nHTML smuggling, a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript\r\nfeatures, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and\r\nother payloads related to targeted attacks. Notably, this technique was observed in a spear-phishing campaign from\r\nthe threat actor NOBELIUM in May. More recently, we have also seen this technique deliver the banking Trojan\r\nMekotio, as well as AsyncRAT/NJRAT and Trickbot, malware that attackers utilize to gain control of affected\r\ndevices and deliver ransomware payloads and other threats.\r\nAs the name suggests, HTML smuggling lets an attacker “smuggle” an encoded malicious script within a specially\r\ncrafted HTML attachment or web page. When a target user opens the HTML in their web browser, the browser\r\ndecodes the malicious script, which, in turn, assembles the payload on the host device. Thus, instead of having a\r\nmalicious executable pass directly through a network, the attacker builds the malware locally behind a firewall.\r\nFigure 1. HTML smuggling overview\r\nThis technique is highly evasive because it could bypass standard perimeter security controls, such as web proxies\r\nand email gateways, that often only check for suspicious attachments (for example, EXE, ZIP, or DOCX) or traffic\r\nhttps://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/\r\nPage 1 of 10\n\nbased on signatures and patterns. 
Because the malicious files are created only after the HTML file is loaded on the\r\nendpoint through the browser, what some protection solutions only see at the onset are benign HTML and\r\nJavaScript traffic, which can also be obfuscated to further hide their true purpose.\r\nThreats that use HTML smuggling bank on the legitimate uses of HTML and JavaScript in daily business\r\noperations in their attempt to stay hidden and relevant, as well as challenge organizations’ conventional mitigation\r\nprocedures. For example, disabling JavaScript could mitigate HTML smuggling created using JavaScript Blobs.\r\nHowever, JavaScript is used to render business-related and other legitimate web pages. In addition, there are\r\nmultiple ways to implement HTML smuggling through obfuscation and numerous ways of coding JavaScript,\r\nmaking the said technique highly evasive against content inspection. Therefore, organizations need a true “defense\r\nin depth” strategy and a multi-layered security solution that inspects email delivery, network activity, endpoint\r\nbehavior, and follow-on attacker activities.\r\nThe surge in the use of HTML smuggling in email campaigns is another example of how attackers keep refining\r\nspecific components of their attacks by integrating highly evasive techniques. Microsoft Defender for Office 365\r\nstops such attacks at the onset using dynamic protection technologies, including machine learning and\r\nsandboxing, to detect and block HTML-smuggling links and attachments. Email threat signals from Defender for\r\nOffice 365 also feed into Microsoft 365 Defender, which provides advanced protection on each domain—email\r\nand data, endpoints, identities, and cloud apps—and correlates threat data from these domains to surface evasive,\r\nsophisticated threats. 
This provides organizations with comprehensive and coordinated defense against the end-to-end attack chain.\r\nThis blog entry details how HTML smuggling works, provides recent examples of threats and targeted attack\r\ncampaigns that use it, and enumerates mitigation steps and protection guidance.\r\nHow HTML smuggling works\r\nHTML smuggling uses legitimate features of HTML5 and JavaScript, which are both supported by all modern\r\nbrowsers, to generate malicious files behind the firewall. Specifically, HTML smuggling leverages the HTML5\r\n“download” attribute for anchor tags, as well as the creation and use of a JavaScript Blob to put together the\r\npayload downloaded into an affected device.\r\nIn HTML5, when a user clicks a link, the “download” attribute lets an HTML file automatically download a file\r\nreferenced in the “href” tag. For example, the code below instructs the browser to download “malicious.docx”\r\nfrom its location and save it into the device as “safe.docx”:\r\nThe anchor tag and a file’s “download” attribute also have their equivalents in JavaScript code, as seen below:\r\nThe use of JavaScript Blobs adds to the “smuggling” aspect of the technique. A JavaScript Blob stores the\r\nencoded data of a file, which is then decoded when passed to a JavaScript API that expects a URL. This means\r\nthat instead of providing a link to an actual file that a user must manually click to download, the said file can be\r\nautomatically downloaded and constructed locally on the device using JavaScript code like the examples below:\r\nToday’s attacks use HTML smuggling in two ways: the link to an HTML smuggling page is included within the\r\nemail message, or the page itself is included as an attachment. 
The following section provides examples of actual\r\nthreats we have recently seen using either of these methods.\r\nReal-world examples of threats using HTML smuggling\r\nHTML smuggling has been used in banking malware campaigns, notably attacks attributed to DEV-0238 (also\r\nknown as Mekotio) and DEV-0253 (also known as Ousaban), targeting Brazil, Mexico, Spain, Peru, and Portugal.\r\nIn one of the Mekotio campaigns we’ve observed, attackers sent emails with a malicious link, as shown in the\r\nimage below.\r\nFigure 2. Sample email used in a Mekotio campaign. Clicking the link starts the HTML smuggling technique.\r\nFigure 3. Threat behavior observed in the Mekotio campaign\r\nIn this campaign, a malicious website, hxxp://poocardy[.]net/diretorio/, is used to implement the HTML\r\nsmuggling technique and drop the malicious downloader file. The image below shows an HTML smuggling page\r\nwhen rendered on the browser.\r\nFigure 4. HTML smuggling page of the Mekotio campaign. Note how the “href” tag references a JavaScript Blob\r\nwith an octet/stream type to download the malicious ZIP file.\r\nIt should be noted that this attack attempt relies on social engineering and user interaction to succeed. When a user\r\nclicks the emailed hyperlink, the HTML page drops a ZIP file embedded with an obfuscated JavaScript file.\r\nFigure 5. ZIP file with an obfuscated JavaScript file\r\nWhen the user opens the ZIP file and executes the JavaScript, the said script connects to\r\nhxxps://malparque[.]org/rest/restfuch[.]png and downloads another ZIP file that masquerades as a PNG file. 
This\r\nsecond ZIP file contains the following files related to DAEMON Tools:\r\nsptdintf.dll – This is a legitimate file. Various virtual disc applications, including DAEMON Tools and\r\nAlcohol 120%, use this dynamic-link library (DLL) file.\r\nimgengine.dll – This is a malicious file that is either Themida-packed or VMProtected for obfuscation. It\r\naccesses geolocation information of the target and attempts credential theft and keylogging.\r\nAn executable file with a random name, which is a renamed legitimate file “Disc Soft Bus Service Pro.”\r\nThis legitimate file is part of DAEMON Tools Pro and loads both DLLs.\r\nFinally, once the user runs the primary executable (the renamed legitimate file), it launches and loads the\r\nmalicious DLL via DLL sideloading. As previously mentioned, this DLL file is attributed to Mekotio, a malware\r\nfamily of banking Trojans typically deployed on Windows systems that have targeted Latin American industries\r\nsince the latter half of 2016.\r\nHTML smuggling in targeted attacks\r\nBeyond banking malware campaigns, various cyberattacks—including more sophisticated, targeted ones—\r\nincorporate HTML smuggling in their arsenal. Such adoption shows how tactics, techniques, and procedures\r\n(TTPs) trickle down from cybercrime gangs to malicious threat actors and vice versa. It also reinforces the current\r\nstate of the underground economy, where such TTPs get commoditized when deemed effective.\r\nFor example, in May, Microsoft Threat Intelligence Center (MSTIC) published a detailed analysis of a new\r\nsophisticated email attack from NOBELIUM. 
MSTIC noted that the spear-phishing email used in that campaign\r\ncontained an HTML file attachment, which, when opened by the targeted user, uses HTML smuggling to\r\ndownload the main payload on the device.\r\nSince then, other malicious actors appeared to have followed NOBELIUM’s suit and adopted the technique for\r\ntheir own campaigns. Between July and August, open-source intelligence (OSINT) community signals showed an\r\nuptick in HTML smuggling in campaigns that deliver remote access Trojans (RATs) such as AsyncRAT/NJRAT.\r\nIn September, we saw an email campaign that leverages HTML smuggling to deliver Trickbot. Microsoft\r\nattributes this Trickbot campaign to an emerging, financially motivated cybercriminal group we’re tracking as\r\nDEV-0193.\r\nIn the said campaign, the attacker sends a specially crafted HTML page as an attachment to an email message\r\npurporting to be a business report.\r\nFigure 6. HTML smuggling page attached in a Trickbot spear-phishing campaign\r\nWhen the target recipient opens the HTML attachment in a web browser, it constructs a JavaScript file and saves\r\nthe said file in the device’s default Downloads folder. As an added detection-evasion technique against endpoint\r\nsecurity controls, the created JavaScript file is password-protected. Therefore, the user must type the password\r\nindicated in the original HTML attachment to open it.\r\nFigure 7. 
HTML attachment constructs a password-protected downloader JavaScript in the browser\r\nOnce the user executes the JavaScript, it initiates a Base64-encoded PowerShell command, which then calls back\r\nto the attacker’s servers to download Trickbot.\r\nFigure 8. HTML smuggling attack chain in the Trickbot spear-phishing campaign\r\nBased on our investigations, DEV-0193 targets organizations primarily in the health and education industries, and\r\nworks closely with ransomware operators, such as those behind the infamous Ryuk ransomware. After\r\ncompromising an organization, this group acts as a fundamental pivot point and enabler for follow-on ransomware\r\nattacks. They also often sell unauthorized access to the said operators. Thus, once this group compromises an\r\nenvironment, it is highly likely that a ransomware attack will follow.\r\nDefending against the wide range of threats that use HTML smuggling\r\nHTML smuggling presents challenges to traditional security solutions. Effectively defending against this stealthy\r\ntechnique requires true defense in depth. It is always better to thwart an attack early in the attack chain—at the\r\nemail gateway and web filtering level. If the threat manages to fall through the cracks of perimeter security and is\r\ndelivered to a host machine, then endpoint protection controls should be able to prevent execution.\r\nMicrosoft 365 Defender uses multiple layers of dynamic protection technologies, including machine learning-based protection, to defend against malware threats and other attacks that use HTML smuggling at various levels.\r\nIt correlates threat data from email, endpoints, identities, and cloud apps, providing in-depth and coordinated\r\nthreat defense. 
All of these are backed by threat experts who continuously monitor the threat landscape for new\r\nattacker tools and techniques.\r\nMicrosoft Defender for Office 365 inspects attachments and links in emails to detect and alert on HTML\r\nsmuggling attempts. Over the past six months, Microsoft blocked thousands of HTML smuggling links and\r\nattachments. The timeline graphs below show a spike in HTML smuggling attempts in June and July.\r\nFigure 9. HTML smuggling links detected and blocked\r\nFigure 10. HTML smuggling attachments detected and blocked\r\nSafe Links and Safe Attachments provide real-time protection against HTML smuggling and other email threats\r\nby utilizing a virtual environment to check links and attachments in email messages before they are delivered to\r\nrecipients. Thousands of suspicious behavioral attributes are detected and analyzed in emails to determine a\r\nphishing attempt. For example, behavioral rules that check for the following have proven successful in detecting\r\nmalware-smuggling HTML attachments:\r\nAn attached ZIP file contains JavaScript\r\nAn attachment is password-protected\r\nAn HTML file contains a suspicious script code\r\nAn HTML file decodes a Base64 code or obfuscates a JavaScript\r\nThrough automated and threat expert analyses, existing rules are modified, and new ones are added daily.\r\nOn endpoints, attack surface reduction rules block or audit activity associated with HTML smuggling. 
The\r\nfollowing rules can help:\r\nBlock JavaScript or VBScript from launching downloaded executable content\r\nBlock execution of potentially obfuscated scripts\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nEndpoint protection platform (EPP) and endpoint detection and response (EDR) capabilities detect malicious files,\r\nmalicious behavior, and other related events before and after execution. Advanced hunting, meanwhile, lets\r\ndefenders create custom detections to proactively find related threats.\r\nDefenders can also apply the following mitigations to reduce the impact of threats that utilize HTML smuggling:\r\nPrevent JavaScript code from executing automatically by changing file associations for .js and .jse files.\r\nCreate new Open With parameters in the Group Policy Management Console under User\r\nConfiguration \u003e Preferences \u003e Control Panel Settings \u003e Folder Options.\r\nCreate parameters for .jse and .js file extensions, associating them with notepad.exe or another text\r\neditor.\r\nCheck Office 365 email filtering settings to ensure they block spoofed emails, spam, and emails with\r\nmalware. Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against\r\nnew threats and polymorphic variants. Configure Office 365 to recheck links on click and neutralize\r\nmalicious messages that have already been delivered in response to newly acquired threat intelligence.\r\nCheck the perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet\r\nto browse or download files. Such restrictions help inhibit malware downloads and command and control\r\n(C2) activity.\r\nEncourage users to use Microsoft Edge and other web browsers that support Microsoft Defender\r\nSmartScreen, which identifies and blocks malicious websites. 
Turn on network protection to block\r\nconnections to malicious domains and IP addresses.\r\nTurn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus.\r\nThese capabilities use artificial intelligence and machine learning to quickly identify and stop new and\r\nunknown threats.\r\nEducate users about preventing malware infections. Encourage users to practice good credential hygiene—\r\nlimit the use of accounts with local or domain admin privileges and turn on Microsoft Defender Firewall to\r\nprevent malware infection and stifle propagation.\r\nLearn how you can stop attacks through automated, cross-domain security with Microsoft 365 Defender.\r\nMicrosoft 365 Defender Threat Intelligence Team\r\nSource: https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-ba\r\nnking-malware-targeted-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/"
	],
	"report_names": [
		"html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775791315,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79b299f779313b3c2143e61280d1b95b0197243d.pdf",
		"text": "https://archive.orkl.eu/79b299f779313b3c2143e61280d1b95b0197243d.txt",
		"img": "https://archive.orkl.eu/79b299f779313b3c2143e61280d1b95b0197243d.jpg"
	}
}