EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Malware Delivery

HTML Smuggling

How attackers deliver malicious payloads through ordinary-looking HTML files that assemble themselves inside the browser — bypassing every network filter that never gets to see the payload.

Ashish Revar13 May 20268 min read12 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

Microsoft: HTML Smuggling — NOBELIUM Campaign

Microsoft's primary documentation of NOBELIUM using HTML smuggling to deliver ISO-based payloads in 2021.

reference
Elastic: HTML Smuggling Detection

Technical breakdown of HTML smuggling mechanics with detection rule examples.

reference
CyberChef

Use From Base64 + Magic to decode the embedded payload from a smuggling sample.

tool
More articlesTest your knowledge

What HTML Smuggling Is

HTML smuggling is a delivery technique where the malicious payload is not sent across the network as a recognisable file. Instead, it is encoded inside an HTML page or JavaScript attachment and reconstructed entirely inside the victim's browser. By the time the payload exists as a file on disk, it has never traversed the network in a form that a proxy, secure email gateway, or IDS can match against a signature.

The core mechanism is straightforward. The attacker encodes the payload — a ZIP archive, an ISO image, an executable, whatever the campaign requires — as a Base64 string embedded in JavaScript. When the victim opens the HTML file in a browser, the JavaScript decodes the string, constructs a Blob object in memory, generates a temporary object URL, and triggers an automatic download. The browser presents this as a normal file download from "the page the user is on." No external request is made to fetch the payload.

The JavaScript Primitives Analysts Must Know

Three browser APIs appear in virtually every HTML smuggling sample:

Blob and URL.createObjectURL. A Blob is an in-memory file-like object. URL.createObjectURL(blob) creates a temporary local URL (prefixed blob:) pointing to that object. The attacker creates an anchor element, sets its href to the blob URL and its download attribute to the desired filename, then programmatically clicks it. The user sees a file download named whatever the attacker chose.

const b64 = "TVqQAAMAAAA..."; // truncated Base64 PE
const raw = atob(b64);
const bytes = new Uint8Array(raw.length);
for (let i = 0; i < raw.length; i++) bytes[i] = raw.charCodeAt(i);
const blob = new Blob([bytes], { type: "application/octet-stream" });
const url = URL.createObjectURL(blob);
const a = document.createElement("a");
a.href = url;
a.download = "invoice.iso";
a.click();

atob. The built-in Base64 decoder. Payload is almost always Base64-encoded, sometimes with additional XOR or Caesar layers to defeat simple string matching on the encoded content.

msSaveBlob. The Internet Explorer and legacy Edge equivalent, still found in samples targeting older enterprise environments. Its presence is a strong indicator of a campaign prioritising legacy Windows targets.

Real-World Campaign Usage

NOBELIUM (APT29 / Cozy Bear). Microsoft documented NOBELIUM using HTML smuggling in 2021 as part of spear-phishing campaigns against government and think-tank targets. The HTML attachment delivered an ISO file containing a LNK launcher and a DLL. The ISO was the payload; the HTML was the delivery mechanism. The combination of HTML smuggling → ISO → LNK → DLL sideloading became a template copied extensively by other threat actors.

Lazarus Group. Multiple Lazarus campaigns documented by ESET and Mandiant between 2022 and 2024 used HTML smuggling to deliver ZIP files containing malicious executables. The HTML pages were crafted to resemble legitimate financial documents or job application forms, consistent with Lazarus's social engineering focus on financial sector targets.

QakBot pre-disruption. Prior to the August 2023 FBI-led infrastructure takedown, QakBot delivery infrastructure used HTML smuggling extensively in the OneNote and later ISO-based delivery chains. Samples from this period show multi-layer encoding: XOR-obfuscated JavaScript inside the HTML, producing a Base64-encoded ZIP, containing an ISO, containing LNK and DLL components.

Why Network Controls Miss It

The evasion properties are structural, not incidental:

  • No payload on the wire. The HTML file itself is the email attachment or the downloaded page. Proxies see HTML; the payload is inside it as a string.
  • TLS encryption. Even if a proxy could inspect traffic, the encoded payload is inside an encrypted HTTPS-delivered HTML page.
  • MIME type mismatch. The HTML file has MIME type text/html. Filters looking for application/zip or application/x-msdownload see nothing of interest.
  • Mark-of-the-Web (MotW) behaviour. The blob URL mechanism means the generated file may not receive a Zone Identifier alternate data stream on older Windows builds, depending on the browser and Windows version. Controlled conditions from 2021-2022 campaigns exploited this. Microsoft has since patched many of these pathways.

Analyst Workflow

When a suspicious HTML file arrives for analysis:

  1. Open in a text editor first. Do not open in a browser. Look for atob, Blob, createObjectURL, msSaveBlob, or any large Base64-looking strings.
  2. Extract the encoded payload. Copy the Base64 string to CyberChef. Apply From Base64. Identify the magic bytes of the output.
  3. Check for secondary encoding. If From Base64 produces garbage, look for XOR or other transformations applied before the atob call in the JavaScript logic.
  4. Analyse the extracted payload. The output is typically an ISO, ZIP, or executable — hand off to the appropriate analysis path.
  5. Document the delivery chain. HTML smuggling is almost always the first link in a multi-stage chain. The report must capture the full chain from HTML → intermediate container → final payload.

Detection

Endpoint visibility is the primary control once network controls are ineffective:

  • Browser telemetry. Blob URL creation followed by an immediate anchor click and file write is anomalous browser behaviour. EDR products with browser process monitoring can flag this sequence.
  • YARA on email attachments. Rules matching atob, Blob, createObjectURL, and msSaveBlob in HTML attachments catch most commodity-kit samples. Obfuscated variants require rules on the structure of large Base64 strings rather than the decoded function names.
  • Defender ASR rules. Microsoft Defender's Attack Surface Reduction rule "Block JavaScript or VBScript from launching downloaded executable content" (GUID d3e037e1-3eb8-44c8-a917-57927947596d) targets the execution phase downstream of the download.