What is HTML smuggling and how Qbot uses this technique? - VMRay

What is HTML smuggling and how adversaries use this technique?

Explore how adversaries including Qbot use the highly evasive HTML smuggling technique to distribute banking malware, ransomware, and other payloads.

Evasion at its core: Understanding the malicious power of HTML smuggling

Adversaries are constantly seeking new ways to bypass security controls and deliver their malicious payloads undetected. One such technique that has gained prominence is HTML smuggling. This highly evasive malware delivery method leverages legitimate HTML and JavaScript features to successfully distribute banking malware, remote access trojans, and various other payloads, especially targeting banks and financial institutions.

HTML smuggling allows attackers to encode a malicious script within a specially crafted HTML attachment or web page. When the target user opens the HTML in their web browser, the browser decodes the malicious script, assembling the payload on the host device. Unlike traditional malware delivery methods, HTML smuggling ensures that the malicious executable is built locally behind a firewall, evading network-based security measures.

What makes HTML smuggling particularly challenging to detect is its ability to bypass standard security controls, including web proxies and email gateways. These security solutions often focus on checking for suspicious attachments or traffic based on known signatures and patterns. Since the malicious files are created only after the HTML file is loaded on the endpoint through the browser, protection solutions may initially see benign HTML and JavaScript traffic, which can also be obfuscated to further conceal their true purpose.

Threat actors employing HTML smuggling exploit the legitimate uses of HTML and JavaScript in daily business operations, making it difficult for organizations to distinguish between malicious and benign activities. Disabling JavaScript, for example, could mitigate HTML smuggling that relies on JavaScript blocks, but this would also disrupt the rendering of legitimate web pages essential for business operations.

Furthermore, there are multiple ways to implement HTML smuggling, including using alpha scan and various coding techniques for JavaScript, making the technique highly evasive against content inspection. To effectively defend against HTML smuggling and similar threats, organizations require a true defense-in-depth strategy and a multilayered security solution. This approach involves inspecting email delivery, monitoring network activity, analyzing endpoint behavior, and investigating follow-on attacker activities.
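As an added example (not VMRay's code and not part of the original page), this Python triage function does statically, at the email-inspection layer, what the browser would do when the attachment is opened: it finds long base64 literals, decodes their first bytes to identify an embedded file type, and checks for the browser APIs that turn decoded data into a download. The indicator list, magic-byte table, verdict names and sample attachment are assumptions constructed for illustration, and an obfuscated script will evade this kind of content inspection, as noted above.

```python
import base64
import re

# Browser features that, combined, build a file on the client (assumed list;
# the page does not name specific APIs).
API_INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bcreateObjectURL\s*\("),
    "ms_save": re.compile(r"\bmsSave(?:OrOpen)?Blob\s*\("),
    "download_attr": re.compile(r"\.download\s*=|<a\b[^>]*\sdownload\b", re.I),
}
# Long quoted base64 runs are candidate embedded payloads.
B64_LITERAL = re.compile(r"""["'`]([A-Za-z0-9+/]{64,}={0,2})["'`]""")
# Leading magic bytes of file types worth flagging (assumed, not exhaustive).
MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip", b"\x7fELF": "elf"}


def embedded_file_types(html):
    """Decode the head of each long base64 literal and name known file types."""
    types = []
    for match in B64_LITERAL.finditer(html):
        head = base64.b64decode(match.group(1)[:64])  # 64 chars -> 48 bytes
        types += [name for magic, name in MAGIC.items() if head.startswith(magic)]
    return types


def triage(html):
    """Return a verdict plus the evidence an analyst needs to confirm it."""
    apis = sorted(n for n, rx in API_INDICATORS.items() if rx.search(html))
    types = embedded_file_types(html)
    builds_file = "blob" in apis and ("object_url" in apis or "ms_save" in apis)
    if types and builds_file:
        verdict = "suspicious"      # embedded file AND code to materialise it
    elif types or builds_file:
        verdict = "review"          # one half only; common in legitimate apps
    else:
        verdict = "no_indicators"
    return {"verdict": verdict, "apis": apis, "file_types": types}


# Constructed, inert sample: a ZIP magic header followed by zero bytes.
FAKE_ZIP_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 60).decode()
SAMPLE_ATTACHMENT = f"""<html><body><script>
var data = atob("{FAKE_ZIP_B64}");
var file = new Blob([data], {{type: "application/octet-stream"}});
var link = document.createElement("a");
link.href = URL.createObjectURL(file);
link.download = "sample.zip";
</script></body></html>"""
```

The "review" tier exists because Blob downloads are routine in legitimate web applications; only the combination with a decodable embedded file is escalated.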

Without comprehensive security solutions in place, organizations may find themselves manually searching for indicators of HTML smuggling and other sophisticated threats. Security Operations Center (SOC) analysts equipped with sufficient information about specific threats can conduct manual investigations, but relying solely on manual efforts can be time-consuming and resource-intensive.

To effectively combat the risks associated with HTML smuggling and other advanced attack techniques, organizations should prioritize the implementation of advanced security solutions that provide holistic protection across multiple layers of the IT infrastructure. By adopting a proactive approach and investing in robust security measures, organizations can safeguard their systems, data, and operations against the evolving threat landscape.

Course home page: Converging Incident Response & Detection Engineering

Chapter 11: Analysis walkthrough: In-depth analysis of a Qbot sample


Further resources


Analysis of Qbot to enhance Detection Engineering

Watch the full recording from our webinar at SANS DFIR Summit.


Explore how you can improve the efficacy of Detection Engineering through VMRay.


Check the most advanced sandbox for analyzing malware and phishing.


Unveiling the power: See our experts showcasing VMRay’s capabilities.

Analysis of a malicious file

Join Fatih Akar from the VMRay team as he provides a detailed walkthrough of a malicious LNK file, a prevalent attack vector since Microsoft’s Office macros block.

Gain valuable insights into each tab of our comprehensive analysis report and get a sneak peek into what you’ll be exploring.

Analysis of a malicious URL

Join Andrey Voitenko, an expert in advanced malware and phishing analysis from the VMRay team, as he demonstrates how to submit emails and URLs to the VMRay platform using built-in connectors.

Discover the capabilities of our new Automation Dashboard, enabling one-click automation with your existing EDR, SOAR, SIEM, and TIP tools. Monitor analysis data seamlessly from your VMRay dashboard and unlock new levels of efficiency in your security operations.

Integrating with existing tools

Watch Michael Bourton showcase the seamless integration of the VMRay platform with your existing security stacks.

Discover how effortlessly you can leverage unparalleled detection and analysis capabilities by utilizing dedicated connectors or our REST API.

Experience VMRay in Action: Explore Real-world Malware Analysis Reports

Get a firsthand look at the power and capabilities of the VMRay platform by delving into our sample malware and phishing analysis reports.

Immerse yourself in a range of report formats, providing comprehensive insights.

Dive into the overview, explore intricate network connections, analyze malicious behavior in detail, and map threats using the MITRE ATT&CK Framework. See the possibilities to download clear IOCs.

Uncover the capabilities that await you.
