Hiding HTML Smugglers In Your Inbox




Threat actors utilize HTML Smuggling techniques in recent campaigns to deliver Qakbot, XWorm, Cobalt Strike, and IcedID.

Initially, a spear-phishing email is sent to the target with an HTML attachment. Once opened, the HTML file may directly drop an archive file containing a malicious LNK file onto the victim machine, or present a file impersonating well-known vendors such as Adobe, Google, or Dropbox.

The victim is then coerced into executing the archive, or into saving and executing a malicious file in the form of an .ISO, .IMG, or VHD image file.

In either scenario, the file contains an LNK file that executes commands to load a decoy file and uses the native binary rundll32 to load the malware payload.
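
One way to triage HTML attachments for the delivery chain described above, as an added example that is not part of the original alert: it decodes long base64 runs embedded in the HTML and flags those that are ZIP, ISO 9660, or VHD containers. The function names, the marker list, and the 200-character threshold are assumptions, and the sample input is constructed.

```python
import base64
import io
import re
import zipfile

B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long embedded base64 blob
# Script features commonly used to assemble and save a file client-side (assumed list).
JS_MARKERS = ("new Blob", "createObjectURL", "msSaveOrOpenBlob", "download=")

def container_type(data: bytes):
    """Identify the container formats named in the alert by magic bytes."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[0x8001:0x8006] == b"CD001":  # ISO 9660 volume descriptor (.iso/.img)
        return "iso"
    if data[:8] == b"conectix" or data[-512:-504] == b"conectix":  # VHD footer cookie
        return "vhd"
    return None

def scan_html_attachment(html: str) -> dict:
    """Return smuggling indicators found in one HTML attachment."""
    markers = [m for m in JS_MARKERS if m in html]
    payloads = []
    for run in B64_RUN.findall(html):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4))
        except ValueError:  # not valid base64 after all
            continue
        kind = container_type(raw)
        if kind:
            # Heuristic: ZIP and ISO 9660 store member names in the clear.
            payloads.append({"type": kind, "size": len(raw),
                             "has_lnk_name": b".lnk" in raw.lower()})
    return {"markers": markers, "payloads": payloads,
            "suspicious": bool(markers and payloads)}

def build_sample() -> str:
    """Constructed sample: a benign ZIP holding a placeholder named like a shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.lnk", b"constructed placeholder, not a real shortcut " * 3)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return ('<html><body><script>var data="%s";var blob=new Blob([data]);'
            'URL.createObjectURL(blob);</script></body></html>' % b64)

if __name__ == "__main__":
    print(scan_html_attachment(build_sample()))
```

A hit on both a script marker and a decoded container is a reason to quarantine the message for analysis; the check does not see payloads that are encrypted or assembled from many short fragments.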


Glesec Information Sharing Protocol

GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).

  • TLP-White

    Disclosure is Not Limited.

  • TLP-Green

    Limited Disclosure, Restricted Only to the Community.

  • TLP-Amber

    Limited Disclosure, restricted to the Participant's Organization.

  • TLP-Red

    Not for Disclosure, Restricted/Classified - Only Shared with US DHS.
