
Hiding HTML Smugglers In Your Inbox

February 21, 2023

Threat actors have been using HTML smuggling in recent campaigns to deliver Qakbot, XWorm, Cobalt Strike, and IcedID.
Initially, a spear-phishing email with an HTML attachment is sent to the target. Once opened, the HTML file may directly drop an archive containing a malicious LNK file onto the victim's machine, or present a file impersonating well-known vendors such as Adobe, Google, or Dropbox.
The victim is then coerced into executing the archive, or into saving and executing a malicious file in the form of an .ISO, .IMG, or .VHD image.
In either scenario, the file contains an LNK file that executes commands to load a decoy file and uses the native binary rundll32 to load the malware payload.
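The defining trait of HTML smuggling is that the archive or disk image never crosses the mail gateway as an attachment; it is decoded and assembled in the recipient's browser from JavaScript inside the HTML file. The triage script below is an added example, not from the original post or any vendor tool: it scans an HTML attachment for the co-occurring indicators of that client-side assemble-and-download chain. The indicator names, the threshold, and both sample documents are assumptions constructed for this illustration.

```python
import re
from typing import Dict, List

# Indicators that co-occur in HTML smuggling attachments: the payload is decoded
# client-side and handed to the browser as a download, so the gateway never sees
# the archive itself. Pattern set and names are constructed for this example.
INDICATORS: Dict[str, re.Pattern] = {
    "base64_decode": re.compile(r"\batob\s*\(|\bfromCharCode\b"),
    "blob_build": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(|msSaveOrOpenBlob\s*\("),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    # Container types named on the page (.ISO/.IMG/.VHD) plus common archives.
    "archive_or_image_name": re.compile(
        r"[\"'][^\"']*\.(zip|iso|img|vhd|vhdx|rar|7z)[\"']", re.I),
    # A very long base64 run inside the HTML is the embedded payload itself.
    "large_inline_blob": re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}"),
}

def html_smuggling_indicators(html: str) -> List[str]:
    """Return the names of every indicator present in the attachment text."""
    return [name for name, pat in INDICATORS.items() if pat.search(html)]

def is_suspicious(html: str, threshold: int = 3) -> bool:
    """Flag when the decode -> Blob -> object URL -> forced download chain is present.

    Heuristic (an assumption of this example): at least `threshold` of the four
    core steps must appear; a lone atob() on a marketing page is not enough.
    """
    core = {"base64_decode", "blob_build", "object_url", "forced_download"}
    return len(set(html_smuggling_indicators(html)) & core) >= threshold

# Constructed samples, not taken from any real campaign; the base64 is filler.
BENIGN_HTML = """<html><body><h1>Invoice</h1>
<p>Your statement is attached separately.</p>
<img src="https://example.invalid/logo.png" alt="logo"></body></html>"""

SMUGGLER_HTML = """<html><body><p>Loading your Adobe document...</p>
<script>
var data = atob("QUFBQUFBQUFBQUFB"); // placeholder, not a real payload
var blob = new Blob([data], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Adobe_Document.iso";
</script></body></html>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("smuggler", SMUGGLER_HTML)):
        print(label, html_smuggling_indicators(doc), is_suspicious(doc))
```

Run it over the HTML attachments a gateway quarantines rather than on the raw MIME body, and treat a hit as a prompt for detonation or analyst review, not as a verdict on its own.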