Reference Number ACG-CSB 051325392

The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

HTML smuggling is an advanced cyberattack technique that allows threat actors to deliver malware directly to a victim’s device by bypassing traditional security systems. It leverages trusted technologies such as HTML and JavaScript to build malicious files within the browser, making it difficult for antivirus programs and email security filters to detect the threat before it’s too late. Unlike traditional methods of sending malware as attachments, HTML smuggling avoids detection by constructing the payload after it has already reached the victim’s environment.

The biggest issue with HTML smuggling is its ability to evade perimeter defenses. Because the malicious payload is not sent over the network as a recognizable file but is assembled locally by JavaScript, many firewalls and secure email gateways fail to flag the attachment. Attackers often disguise these HTML files as resumes, invoices, or internal company forms. Once the file is opened, the browser automatically runs the embedded JavaScript, which pieces together the malware (such as a virus or spyware) and prompts the user to download or execute it. This makes it especially dangerous in corporate environments where security tools rely on inspecting incoming files: because the harmful component only comes into existence after the file is opened, most of those tools see nothing dangerous until it is too late.

Consider this: a finance team member receives what appears to be an urgent invoice in an email from a trusted contact. The attachment is an .html file named “Invoice_Q4.html.” The employee opens it, expecting to view a bill, but behind the scenes, the HTML runs JavaScript that reconstructs and downloads a disguised ransomware installer. With one click, the company is exposed to encryption-based extortion, and all critical financial data is locked down.

In another case, a job applicant submits their resume via email to a recruiter. The resume file is an HTML document that appears harmless. The recruiter opens it to view the applicant’s information. Instead, a hidden script activates in the browser, deploying a remote access trojan (RAT) that gives the attacker full access to the recruiter’s device. From there, the attacker may move laterally across the company network, gaining access to confidential HR files and even sensitive employee data.

In another scenario, a person browsing a job site might download what appears to be a sample resume, which is an HTML file. Upon opening it, embedded JavaScript code silently activates and reconstructs a trojan downloader. The malware installs itself in the background without any obvious signs. As a result, the machine becomes part of a botnet, a network of infected devices controlled by cybercriminals, capable of being used in large-scale attacks, data theft, or unauthorized surveillance. The user remains completely unaware that their device is now a tool in a much larger malicious operation.

To stay safe from HTML smuggling, users and organizations must adopt a proactive security posture. Educating employees to avoid opening unexpected HTML attachments is essential. Technical controls like script restriction plugins, email content inspection tools, and behavioral endpoint detection can help identify unusual activity before a full compromise occurs. Most importantly, HTML smuggling should be included in phishing simulation training to help users recognize and report it.
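To make the mechanism described above and the "email content inspection" control concrete, here is an added example in Python (it is not part of this bulletin and not an official PNP ACG tool): a heuristic triage scanner that reads an HTML attachment as text, looks for the browser APIs a page needs in order to assemble a file client-side, decodes any long base64 literal embedded in the page and reports the file type of the decoded bytes. The indicator list, the scoring weights and both sample documents are assumptions constructed for this example.

```python
"""Heuristic triage for HTML attachments that may carry a smuggled file.

Added example for illustration; not code from the PNP ACG bulletin. The
indicator list, scoring weights and both sample documents are assumptions
constructed for this example.
"""
import base64
import binascii
import re
from typing import Dict, List

# Browser APIs a page typically calls to assemble a file from data already
# inside the page and hand it to the user as a download (assumed heuristic list).
INDICATORS: Dict[str, re.Pattern] = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bURL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "legacy_save_blob": re.compile(r"\bmsSaveOrOpenBlob\b"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}

# A long base64-looking string literal: the payload rides inside the
# attachment itself instead of being fetched as a separate file.
BASE64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{200,}={0,2})["']""")

# Magic bytes worth flagging if they turn up after decoding such a literal.
MAGIC = {
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP archive",
    b"%PDF": "PDF document",
    b"\x7fELF": "ELF executable",
}


def sniff(blob: bytes) -> str:
    """Return a coarse file-type label for the decoded bytes."""
    for magic, label in MAGIC.items():
        if blob.startswith(magic):
            return label
    return "unknown"


def scan_html(html: str) -> Dict[str, object]:
    """Score an HTML document; a total of 3 or more points is treated as suspicious."""
    hits: List[str] = [name for name, pat in INDICATORS.items() if pat.search(html)]
    score = len(hits)                      # one point per API indicator
    embedded: List[Dict[str, object]] = []
    for match in BASE64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue                       # long token, but not valid base64
        kind = sniff(raw)
        embedded.append({"bytes": len(raw), "type": kind})
        score += 2 if kind != "unknown" else 1   # a recognised file type weighs more
    return {
        "verdict": "suspicious" if score >= 3 else "clean",
        "score": score,
        "indicators": hits,
        "embedded": embedded,
    }


# --- constructed samples (not real attachments) --------------------------------

# An ordinary HTML resume with a harmless inline script.
BENIGN_HTML = """<html><body><h1>Resume</h1><p>Generated <span id="today"></span></p>
<script>document.getElementById("today").textContent = new Date().toDateString();</script>
</body></html>"""

# Constructed base64 literal that decodes to 204 bytes starting with a ZIP header.
_SAMPLE_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 200).decode()

# Fixture carrying the indicator tokens inside a comment so the scanner has
# something to match; deliberately not an executable file-building chain.
SUSPICIOUS_HTML = (
    "<html><body><p>Loading invoice...</p>\n<script>\n"
    "// atob( ... )  new Blob( ... )  URL.createObjectURL( ... )  .download = ...  .click()\n"
    'var PAYLOAD = "' + _SAMPLE_B64 + '";\n'
    "</script></body></html>"
)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(label, scan_html(doc))
```

Treat the output as a triage signal, not a verdict: a page can split or obfuscate the API names, hide the payload in a non-base64 encoding, or build the file from several short strings, and an inline `data:` image URI in a benign newsletter will register as an "unknown" embedded literal. A gateway rule like this is therefore best paired with detonating the attachment in a sandboxed browser and with the endpoint behavioral detection the bulletin recommends, which see the file at the moment it is actually written to disk.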

RECOMMENDATION

The public is advised to follow these tips to avoid being a victim of HTML smuggling attacks:

  • HTML email attachments should not be opened unless their source is verified and trusted. These files may contain hidden scripts capable of reconstructing malware once opened;
  • If a file ends in “.html” or opens in a browser instead of a document viewer, it should be treated with caution. Malicious HTML files often disguise themselves as resumes, invoices, or other business documents;
  • Advanced email security solutions should be deployed to scan for malicious scripts and embedded payloads. These tools can inspect the content and behavior of HTML files before they reach recipients;
  • Browsers, operating systems, and software applications must be updated with the latest security patches. Regular updates close known vulnerabilities that HTML smuggling attacks could exploit; and
  • If a file appears to open a blank page or behaves strangely, it should be closed immediately. Some HTML-based attacks do not show obvious signs of danger but may be silently installing harmful programs.

For additional information, please refer to the following websites:

  • https://www.menlosecurity.com/what-is/highly-evasive-adaptive-threats-heat/html-smuggling
  • https://www.cyfirma.com/outofband/html-smuggling-a-stealthier-approach-to-deliver-malware/

POINT OF CONTACT

Please contact PLTCOL JERRY V EMPIZO, Acting Chief, Cyber Security Unit, thru e-mail address csradacgroup@gmail.com or contact us by telephone number (632) 723-0401 local 7488 for any inquiries related to this CYBER SECURITY BULLETIN.
