New Cyber Campaign Uses HTML Smuggling to Deliver Malware

A new cyberattack campaign is targeting Russian-speaking users with a commodity trojan called DCRat (also known as DarkCrystal RAT), delivered through HTML smuggling, an evasion technique that hides the payload inside an HTML file and lets the victim's own browser reassemble it.

This marks the first time DCRat has been observed distributed by this method; it has usually arrived via compromised websites or phishing emails carrying malicious attachments such as PDFs or macro-laden Excel documents.

HTML smuggling delivers malware by embedding the payload in an HTML file (typically as an encoded string inside JavaScript) or by having the page's script fetch and assemble it, so that the only thing the victim receives over the network is an HTML document. According to a recent report, these files are distributed via fake websites or through malspam campaigns. When the victim opens the HTML file in a browser, the embedded script decodes the hidden payload on the client side and writes it to disk as a download, which is why gateways that scan only attachments of known dangerous types or files fetched from a server can miss it.

Social engineering plays a crucial role in convincing victims to open the infected files. The report highlighted HTML pages mimicking well-known Russian platforms such as TrueConf and VK. Opening one of these pages automatically drops a password-protected ZIP archive; the password keeps the contents from being inspected by scanners. Inside the archive is a nested RarSFX (self-extracting RAR) file that, once unpacked, installs DCRat.
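To make the mechanism in the two paragraphs above concrete, the following block is an added example written for this page; it is not code from the reported campaign, from the vendor report, or from any DCRat sample. It builds a minimal HTML-smuggling page around a constructed, harmless stand-in for a dropped archive, then runs a static scanner over that page to pull out the indicators a defender would key on (browser-side decoding, blob creation, forced download, and a long base64 literal whose decoded bytes start with an archive or executable signature). The names `FAKE_ZIP`, `buildSmugglingPage`, `scanHtml` and the lure filename `TrueConf_Update.zip` are all assumptions for this example. It runs under Node.js; the browser-side script is only ever a string here and is never executed.

```javascript
// Added example, not code from the reported campaign or any vendor report.
// Runs under Node.js (Buffer is used for base64); the browser-side script
// inside the generated page is only a string and is never executed.

// Constructed stand-in for a dropped archive: a ZIP local-file-header
// signature followed by filler. It is not a valid archive and contains no malware.
const FAKE_ZIP = Buffer.concat([
  Buffer.from([0x50, 0x4b, 0x03, 0x04]),            // "PK\x03\x04"
  Buffer.from('constructed filler, not a real archive'),
  Buffer.alloc(60),                                  // zero padding
]);

// Smuggling page: the payload travels inside the HTML as a base64 string and is
// reassembled by the victim's browser, so no archive crosses the wire as a file.
function buildSmugglingPage(payload, filename) {
  const b64 = payload.toString('base64');
  return `<!doctype html>
<html><body>
<p>Your meeting is ready. If the download does not start, refresh the page.</p>
<script>
  var data = "${b64}";
  var bin = atob(data);                          // decode inside the browser
  var bytes = new Uint8Array(bin.length);
  for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  var blob = new Blob([bytes], { type: "application/octet-stream" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);            // blob: URL, no server request
  a.download = "${filename}";                    // forces a file download
  document.body.appendChild(a);
  a.click();                                     // no user interaction needed
</script>
</body></html>`;
}

// Indicators: the JavaScript APIs HTML smuggling needs to turn text into a file.
const INDICATORS = [
  ['atob',            /\batob\s*\(/],
  ['Blob',            /new\s+Blob\s*\(/],
  ['createObjectURL', /URL\.createObjectURL\s*\(/],
  ['download-attr',   /\.download\s*=|\bdownload\s*=\s*["']/],
  ['msSaveOrOpenBlob', /msSaveOrOpenBlob/],
  ['data-uri',        /data:application\/(octet-stream|zip|x-msdownload);base64/i],
];

// File-type magic used to identify what an embedded base64 literal decodes to.
const MAGIC = [
  ['zip', Buffer.from([0x50, 0x4b, 0x03, 0x04])],
  ['rar', Buffer.from('Rar!')],
  ['pe',  Buffer.from('MZ')],
];

function classify(bytes) {
  for (const [name, sig] of MAGIC) {
    if (bytes.length >= sig.length && bytes.subarray(0, sig.length).equals(sig)) {
      return name;
    }
  }
  return 'unknown';
}

// Static scan: collect indicator hits, then decode every long base64 literal and
// inspect its leading bytes. The verdict rule is deliberately simple: the page
// must decode data client-side, force a download, and carry an embedded blob.
function scanHtml(html) {
  const indicators = INDICATORS.filter(([, re]) => re.test(html)).map(([n]) => n);
  const payloads = [];
  const b64Literal = /["']([A-Za-z0-9+\/]{64,}={0,2})["']/g;
  let m;
  while ((m = b64Literal.exec(html)) !== null) {
    const bytes = Buffer.from(m[1], 'base64');
    payloads.push({ offset: m.index, size: bytes.length, type: classify(bytes) });
  }
  const decodes = indicators.includes('atob') || indicators.includes('data-uri');
  const drops = indicators.includes('download-attr') || indicators.includes('msSaveOrOpenBlob');
  return { indicators, payloads, suspicious: decodes && drops && payloads.length > 0 };
}

// Stand-alone run: build a lure page and scan it. The filename is a constructed lure.
const demoPage = buildSmugglingPage(FAKE_ZIP, 'TrueConf_Update.zip');
console.log(JSON.stringify(scanHtml(demoPage), null, 2));
```

The scanner is a triage aid, not a verdict engine: real lures split or obfuscate the base64 string, rename `atob`, or build the blob from a `data:` URI, so in production the decoded bytes should be handed to a file scanner and the page executed in a sandboxed browser to observe what actually lands on disk.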

DCRat, first released in 2018, is a full-featured backdoor trojan that can execute commands, log keystrokes, and steal files and credentials. Its functionality can be extended with additional plugins, which makes it a versatile tool for cybercriminals.

The development coincides with a separate, ongoing campaign in which Russian businesses are targeted by a group tracked as Stone Wolf. This group distributes the Meduza Stealer via phishing emails that appear to come from a legitimate industrial automation provider.

Attackers commonly pack the malicious file alongside authentic-looking decoy documents in the same archive, so that the archive appears legitimate when the victim opens it.

Recent campaigns have also shown signs of generative artificial intelligence (GenAI) being used to help build the malicious scripts that deliver malware such as AsyncRAT, again with HTML smuggling as the delivery method. Reports suggest that cybercriminals can craft such scripts more easily with AI, significantly lowering the technical barrier to conducting these attacks.

Because the payload is assembled inside the browser, an HTML-smuggled file can pass an email gateway that inspects only executables, documents and links to known bad sites. Email filtering should therefore treat HTML attachments, and links to unfamiliar HTML pages, as suspicious in their own right, rather than relying on attachment type alone. Organizations should also monitor HTTP and HTTPS traffic for connections to known malicious domains, since the dropped RAT still has to reach its command-and-control server.

Additionally, endpoint and browser-level detection that flags scripts decoding large embedded blobs and writing them to disk, and that watches for password-protected or self-extracting archives being unpacked and run from user-writable locations, can prevent malware like DCRat from gaining a foothold.