{
	"id": "55936bc0-1cc5-46cd-a1e1-ee46f85681e9",
	"created_at": "2026-04-06T00:18:55.999427Z",
	"updated_at": "2026-04-10T03:21:10.021049Z",
	"deleted_at": null,
	"sha1_hash": "dd190056ef85ffea0173088a4bc431c9a533faa7",
	"title": "HTML smugglers turn to SVG images",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1408685,
	"plain_text": "HTML smugglers turn to SVG images\r\nBy Adam Katz\r\nPublished: 2022-12-13 · Archived: 2026-04-05 17:03:50 UTC\r\nTuesday, December 13, 2022 15:30\r\nHTML smuggling is a technique attackers use to hide an encoded malicious script within an HTML email attachment or webpage.\r\nOnce a victim receives the email and opens the attachment, their browser decodes and runs the script, which then assembles a malicious payload directly on the victim’s device.\r\nTalos has witnessed Qakbot attackers using a relatively new technique that leverages Scalable Vector Graphics images embedded in HTML email attachments.\r\nHTML smuggling using SVG\r\nhttps://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/\r\nPage 1 of 7\n\nSmuggling HTML using SVG\r\nThere are multiple different ways attackers have been documented abusing the legitimate features of JavaScript and HTML to accomplish HTML smuggling. Recently, however, Talos has witnessed attackers deploying a relatively new HTML smuggling technique—the use of Scalable Vector Graphics (SVG) images.\r\nUnlike pixel-based raster images such as JPEG, SVG images are vector-based, which means they can be increased in size without sacrificing image quality. SVG images are constructed using XML, allowing them to be placed within HTML using ordinary XML markup tags. Talos has identified malicious emails featuring HTML attachments with encoded SVG images that themselves contain HTML \u003cscript\u003e tags. Including script tags within an SVG image is a legitimate feature of SVG. Unfortunately, this feature is being abused by attackers to smuggle JavaScript onto a victim's computer. Attackers rely on the fact that most web browsers will happily decode and execute this JavaScript as if it were a standard part of the document’s HTML.\r\nIn this case, the JavaScript smuggled inside the SVG image contains the entire malicious zip archive, and the malware is then assembled by the JavaScript directly on the end user's device. Because the malware payload is constructed directly on the victim’s machine and isn’t transmitted over the network, this HTML smuggling technique can bypass detection by security devices designed to filter malicious content in transit.\r\nBelow is a malicious Qakbot email. Qakbot is known to hijack a victim’s email and send itself out as a reply to an existing email thread. That behavior is on display here. One interesting facet of many email thread hijackers is that the email threads they hijack are often very old. This particular thread is from 2020.\r\nA Qakbot email features stolen email threads and a malicious HTML attachment.\r\nWhen the victim opens the HTML attachment from the email, the smuggled JavaScript code inside the SVG image springs into action, creating a malicious zip archive and then presenting the user with a dialog box to save the file.\r\nWhen the attachment is opened, the SVG image JavaScript pops up a file save dialog box.\r\nThe HTML attachment also displays a password that the victim must use to open the encrypted zip archive that was constructed locally on the victim’s machine.\r\nThe HTML attachment also includes the password to the zip file created by the JavaScript.\r\nInside the HTML attachment, we can see the code used by the attackers to smuggle the JavaScript onto the victim machine. Besides some of the obvious obfuscation techniques, like HTML-encoding the “F” in File and the “P” in Password, we can also clearly see an \u003cembed\u003e tag containing a base64-encoded SVG image.\r\nThe SVG image is base64-encoded and embedded inside the HTML attachment.\r\nWhen the base64 is decoded and the JavaScript is de-obfuscated, we can see the SVG HTML smuggling technique used by this Qakbot campaign. The charCodeAt() function is used to convert text from a JavaScript variable into a binary blob. Using the createObjectURL() function, the binary blob is converted into a zip archive that the user is prompted to save on their local filesystem.\r\nAn example of a decoded base64 SVG image from a malicious Qakbot email.\r\nIf the user manages to enter the password provided by the attacker and open the zip archive, they can extract an .iso file. The .iso file is intended to infect the victim with Qakbot, according to Cisco Secure Malware Analytics.\r\nConclusion\r\nSince HTML smuggling can bypass traditional network defenses, it is critical to deploy some sort of security protection to the endpoints in your environment. Having robust endpoint protection can prevent execution of potentially obfuscated scripts, and prevent scripts from launching downloaded executable content. Endpoint security can also enforce rules about which executables are trusted to run in your environment.\r\nAnother good defense against HTML smuggling is educating your users about HTML smuggling attacks. For years, email security professionals have been repeating the mantra that users should not open suspicious email attachments or click links in suspicious messages. This is even more true today, given that HTML smuggling attacks can bypass some security devices and are increasing in frequency.\r\nAs network defenders improve their abilities to scan for malicious content, we can expect to see attackers looking to counter and evade such content filtering. HTML smuggling’s ability to bypass content scanning filters means that this technique will probably be adopted by more threat actors and used with increasing frequency.\r\nSource: https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/"
	],
	"report_names": [
		"html-smugglers-turn-to-svg-images"
	],
	"threat_actors": [],
	"ts_created_at": 1775434735,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd190056ef85ffea0173088a4bc431c9a533faa7.pdf",
		"text": "https://archive.orkl.eu/dd190056ef85ffea0173088a4bc431c9a533faa7.txt",
		"img": "https://archive.orkl.eu/dd190056ef85ffea0173088a4bc431c9a533faa7.jpg"
	}
}