{
	"id": "8f0818a5-79d1-4741-9304-2135d57ceaab",
	"created_at": "2026-04-06T00:08:31.585142Z",
	"updated_at": "2026-04-10T03:37:32.589894Z",
	"deleted_at": null,
	"sha1_hash": "7fbca866e5513eb9ed74ab3ec01187451b5e3f7c",
	"title": "ISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 921807,
	"plain_text": "ISOMorph Infection: In-Depth Analysis of a New HTML\r\nSmuggling Campaign\r\nBy Vinay Pidathala\r\nPublished: 2021-07-28 · Archived: 2026-04-05 15:17:50 UTC\r\nMenlo Security has been closely monitoring an attack we are naming ISOMorph. ISOMorph leverages HTML\r\nSmuggling to deliver malicious files to users’ endpoints by evading network security solutions such as sandboxes\r\nand legacy proxies. Isolation prevents this attack from infecting the endpoint. Here’s what we know:\r\nExecutive Summary\r\nData breaches, malware, ransomware, phishing, and DDoS attacks are all on the rise. And now another type of\r\nattack is quickly emerging. Menlo Labs is seeing an uptick of attackers using HTML Smuggling to get their\r\nmalicious payloads to the endpoint. ISOMorph is one such campaign that is taking advantage of this technique on\r\nthe heels of attacks by Nobelium, the threat actor behind SolarWinds, who used the same technique in their most\r\nrecent spear-phishing campaign. Menlo Labs has identified malicious actors using the popular Discord app to host\r\nmalicious payloads. The Remote Access Trojan (RAT) used in this campaign (AsyncRAT) has many capabilities\r\nthat are used to evade detection, log passwords, and exfiltrate data. An enterprise infected with this RAT must\r\nassume that the goal of the attackers is exfiltration of sensitive data.\r\nHTML Smuggling, a technique that is fast gaining notoriety, is used to drop the first-stage dropper—\r\nmalware samples that initially land on a victim’s machine before fetching a main payload. HTML\r\nSmuggling was also used in the most recent spear-phishing campaign by the Nobelium group.\r\nThe attack is multi-staged and checks and disables various anti-virus programs running on the endpoint.\r\nAsyncRAT/NJRAT is the Remote Access Trojan that gets installed on successfully compromised endpoints.\r\nBad actors are using the popular Discord app to host malicious payloads in this campaign. This is\r\nimportant to note because Discord, a group chatting platform, reportedly has over 150 million active users\r\nwho use the app to communicate over text and voice.\r\nWhy is HTML Smuggling re-emerging?\r\nBeginning in 2020, when the world shifted to remote working, the browser became the place where work happens.\r\n“Even ahead of shelter-in-place and extensive work-from-home initiatives, business users reported spending 75\r\npercent of their workday either working in a web browser or attending virtual meetings,” according to a Forrester\r\nstudy.[1]\r\nHTML Smuggling delivers malware by effectively bypassing various network security solutions, including\r\nsandboxes, legacy proxies, and firewalls. We believe attackers are using HTML Smuggling to deliver the payload\r\nto the endpoint because the browser is one of the weakest links, without network solutions to block the payload.\r\nTechnical Analysis\r\nhttps://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/\r\nPage 1 of 6\n\nLet’s start by providing a high-level overview diagram of the attack before we dig into the details. We’ve broken\r\ndown the attack into sections, in accordance with the MITRE ATT\u0026CK framework, to help detection and\r\nresponse teams easily incorporate these tactics, techniques, and procedures (TTPs) into their frameworks.\r\nInitial Access\r\nMenlo Labs has seen attackers leverage HTML Smuggling using both email attachments and web drive-by\r\ndownloads.\r\nWhat is HTML Smuggling?\r\nHTML Smuggling is a technique attackers use to construct the malicious payload programmatically on the HTML\r\npage using JavaScript, as opposed to making an HTTP request to fetch a resource on a web server. This technique\r\nis neither a vulnerability nor a design flaw in browser technologies, and web developers use this technique often to\r\noptimize file downloads.\r\nHow ISOMorph uses this technique\r\nThe attackers behind ISOMorph use the following JavaScript code to construct the payload directly on the\r\nbrowser.\r\nIn a nutshell, the JavaScript code is creating an element “a,” setting the HREF to the blob and programmatically\r\nclicking it to trigger the download to the endpoint. Once the payload is downloaded to the endpoint, the user must\r\nopen it to execute the malicious code.\r\nExecution\r\nThe first-stage payload\r\nWhat gets downloaded to the endpoint is an ISO file. Why an ISO file? ISO files are disk images that contain all\r\nthe files/folders required to install software on endpoints. Attackers are always testing web and email gateway\r\ndevices to see what file formats are exempt from inspection, then they incorporate those exempt file formats into\r\ntheir TTPs. ISO file formats are preferred by attackers because they do not require any third-party software to\r\ninstall.\r\nThe screenshot above shows the contents of the ISO file. While the screenshot above has a VBScript script, we\r\nhave identified many different malicious scripts being used. The following is a list of all the malicious scripts that\r\nwe observed embedded in the ISO file:\r\n1. Bills-19877733351.vbs\r\n2. Bills-bbt-89567815.vbs\r\n3. Spectrum (statement).vbs\r\n4. INVOICE-992771.vbs\r\n5. BBT-Invoice-71213241.DOCX.vbe\r\n6. Order_ConfirmationID717323644552844.js\r\n7. Order-ID693913086962206.vbs\r\n8. court .vbs\r\nOnce the VBScript script gets executed, it fetches additional PowerShell scripts. The following flowchart details\r\nthe actions resulting in the execution of the first-stage payload.\r\nAchieving Persistence\r\nISOMorph achieves persistence by first creating a Windows directory called “Microsoft Arts\\Start” under\r\n“C:\\Program Data\\”. It then sets the registry key value under the “User Shell Folders” and “Shell Folders” to point\r\nto the directory previously created. The PowerShell script then downloads a file called “Dicord.lnk” under the\r\n“C:\\Program Data\\Microsoft Arts\\Start\\” directory. The figure below is a snippet of the PowerShell script that\r\nshows the values set to the registry keys, to enable the malicious code to execute on startup.\r\nDefense Evasion\r\nThe bad actors behind this campaign execute the malicious code by proxy, by injecting it into MSBuild.exe.\r\nMSBuild is a trusted process, so by injecting into MSBuild, application whitelisting solutions are easily\r\ncircumvented. The bad actors use reflection to load a DLL file in memory and inject the RAT payload into\r\nMSBuild.exe. Reflection enables developers to obtain information about loaded DLL files and the types defined\r\nwithin them, invoke methods, etc. AV usually looks at any files with .dll extensions that get loaded by monitoring\r\nthe LoadLibrary API. By reflectively loading the DLL files and invoking certain methods, malware authors can\r\nbypass AV software. This directly maps to the Technique T1127.001 in the MITRE ATT\u0026CK framework.\r\nCommand and Control\r\nAs seen from the previous step, a method (WpfControlLibary1.LOGO.hahaha) in the .NET RAT payload is called\r\nto start the AsyncRAT functionality. AsyncRAT encrypts its config using AES, as seen below.\r\nThe Base64 strings are the encrypted config for the RAT. Upon decryption using the hardcoded AES key, we can\r\nsee the CnC server host/port, version, and other settings for the RAT.\r\nThreat Actor and Campaign Information\r\nBelow is a screenshot of the campaign we’ve been tracking on VirusTotal. This campaign is available to the\r\npublic.\r\nNJRAT/AsyncRAT is the Remote Access Trojan that gets dropped to the endpoint. While this RAT family has\r\nbeen used by many different actors over the years, it was predominantly used to compromise high-value targets in\r\nthe Middle East. While these groups have used the RAT, it does not mean that these groups are behind this specific\r\ncampaign.\r\nThe following groups have been known to use NJRAT:\r\nG0078 Gorgon Group [5]\r\nG0043 Group5 [4]\r\nG0096 APT41 [6]\r\nConclusion\r\nAttackers are constantly testing out newer methods to get their payloads to the endpoint. Menlo Labs has noticed\r\nan increase in bad actors using HTML Smuggling for their initial access. This technique is gaining popularity\r\nbecause attackers can get their payloads to the endpoint while bypassing all network inspection and analysis tools.\r\nAlso, since the payload is constructed directly on the browser, there is a gap in logging and visibility for SIEM\r\nand EDR tools. Menlo Labs strongly believes that knowing and understanding the initial access methods is critical\r\nto a strong prevention, detection, and response strategy, and we are determined to plug that gaping hole.\r\n1. A commissioned study conducted by Forrester Consulting on behalf of Google, “Cloud Workers Are Key to\r\nDisruption Preparedness,” 2020.\r\nSource: https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/"
	],
	"report_names": [
		"isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434111,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7fbca866e5513eb9ed74ab3ec01187451b5e3f7c.pdf",
		"text": "https://archive.orkl.eu/7fbca866e5513eb9ed74ab3ec01187451b5e3f7c.txt",
		"img": "https://archive.orkl.eu/7fbca866e5513eb9ed74ab3ec01187451b5e3f7c.jpg"
	}
}