A new wave of cyberattacks has emerged, targeting Russian-speaking users through a technique called HTML smuggling, delivering the DCRat (DarkCrystal RAT) malware. This represents a departure from previous malware distribution methods like phishing emails or malicious attachments. In this campaign, attackers embed or fetch malicious payloads through seemingly legitimate HTML files, which evade traditional security filters. Once the file is opened in a victim’s browser, the hidden payload is decoded and downloaded to the system, initiating a series of malicious activities.
Netskope researchers have identified that attackers are using HTML files mimicking well-known Russian platforms such as TrueConf and VK. When users interact with these pages, they inadvertently download a password-protected ZIP archive. The ZIP file contains a nested RarSFX archive which, when opened, unleashes the DCRat malware. This trojan is a full-fledged backdoor, enabling attackers to execute shell commands, log keystrokes, and exfiltrate sensitive files and credentials. First released in 2018, DCRat has evolved with additional plugins, allowing it to become a versatile tool for cybercriminals.
This campaign highlights the increasing role of social engineering in malware delivery. By using trusted names and realistic-looking sites, attackers increase the likelihood that victims will open the malicious payload. This level of deception adds to the sophistication of the operation. Researchers from BI.ZONE have also noted a rise in phishing emails targeting Russian companies, often posing as legitimate providers of industrial automation solutions. These emails carry malicious files designed to evade detection, further showcasing how attackers manipulate their targets through trust and familiarity.
In parallel, cybersecurity experts are observing a surge in the use of generative artificial intelligence (GenAI) to enhance cyberattacks. A recent campaign used GenAI to create VBScript and JavaScript code, enabling the spread of malware such as AsyncRAT through HTML smuggling. This convergence of advanced technology and cybercrime lowers the barrier for cybercriminals, accelerating the pace and complexity of attacks. Security professionals urge organizations to closely monitor their HTTP and HTTPS traffic, ensuring systems are not communicating with malicious domains, and to implement stronger web security measures to guard against evolving threats like HTML smuggling.
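The smuggling mechanism described in the first paragraph (an embedded payload decoded in the browser and dropped as a download, here a ZIP) is something a web proxy or mail gateway can screen for before the file ever reaches a user. The following heuristic scanner is an added illustration, not code from Netskope, BI.ZONE or the campaign itself; the indicator lists, the 200-character literal threshold and both sample HTML documents are constructed assumptions.

```python
import base64
import re

# Indicators of HTML smuggling: the browser decodes an embedded string into
# bytes and then forces a download through a Blob/object URL. Each list is a
# heuristic, not a signature; a file is flagged only when all three fire.
DECODE_PATTERNS = [r"\batob\s*\(", r"Uint8Array", r"charCodeAt"]
DROP_PATTERNS = [r"new\s+Blob\s*\(", r"createObjectURL\s*\(",
                 r"\.download\s*=", r"msSaveOrOpenBlob"]
# Any quoted base64 literal of 200+ characters is treated as an embedded payload.
BASE64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{200,})['\"]")
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a ZIP archive


def score_html(html: str) -> dict:
    """Return the indicators that fired, the first four decoded bytes of the
    largest embedded literal, and a verdict."""
    decode_hits = [p for p in DECODE_PATTERNS if re.search(p, html)]
    drop_hits = [p for p in DROP_PATTERNS if re.search(p, html)]
    literals = BASE64_LITERAL.findall(html)
    magic = None
    if literals:
        try:
            magic = base64.b64decode(max(literals, key=len), validate=True)[:4]
        except ValueError:  # not valid base64; the literal still counts
            magic = None
    return {
        "decode": decode_hits,
        "drop": drop_hits,
        "embedded_literals": len(literals),
        "magic": magic,
        "drops_zip": magic == ZIP_MAGIC,
        "suspicious": bool(decode_hits and drop_hits and literals),
    }


# Constructed samples (not real campaign artifacts). The "payload" is a fake
# ZIP header followed by zero bytes, embedded the way a smuggling page would.
_FAKE_ZIP_B64 = base64.b64encode(ZIP_MAGIC + b"\x00" * 200).decode()
SMUGGLING_SAMPLE = f"""<html><body><p>Loading the meeting client...</p><script>
var b = atob("{_FAKE_ZIP_B64}"), u = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) u[i] = b.charCodeAt(i);
var a = document.createElement("a"); a.href = URL.createObjectURL(new Blob([u]));
a.download = "client.zip"; a.click();</script></body></html>"""
BENIGN_SAMPLE = """<html><body><form action="/login"><input name="user"></form>
<script>// image preview only: one indicator, no decoding, no embedded blob
function preview(f) { img.src = URL.createObjectURL(f); }</script></body></html>"""

if __name__ == "__main__":
    for name, doc in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score_html(doc))
```

Requiring all three indicator classes together keeps ordinary pages that legitimately use object URLs (file previews, client-side exports) from being flagged, while a decoded ZIP header is a strong hint that the page is delivering an archive the way this campaign does.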