Hacking

Russian Users Targeted with DCRat via HTML Smuggling in New Campaign

Published  ·  3 min read

Russian-speaking users are being targeted in a new malware campaign that distributes a commodity trojan called DCRat (also known as DarkCrystal RAT) using a technique known as HTML smuggling.

This marks the first instance of DCRat being distributed through this method. Previously, the malware was deployed using delivery vectors like compromised or fake websites, phishing emails with PDF attachments, or macro-laced Microsoft Excel documents.

"HTML smuggling is primarily a payload delivery mechanism," said Netskope researcher Nikhil Hegde in an analysis published Thursday. "The payload can be embedded within the HTML itself or retrieved from a remote resource."

How HTML Smuggling Works

HTML smuggling is a technique that allows threat actors to embed malicious code directly into HTML files. These files can then be distributed through fake websites or malspam campaigns. When the victim launches the file in their web browser, the hidden payload is decoded and downloaded to the machine, bypassing traditional detection methods.

In this case, Netskope identified HTML pages mimicking popular Russian services like TrueConf and VK. When opened, these pages automatically download a password-protected ZIP archive, attempting to avoid detection. Inside the ZIP file is a nested RarSFX archive that eventually leads to the deployment of DCRat malware.

The attack relies on social engineering to convince the victim to open the malicious payload, which triggers the infection.

What is DCRat?

DCRat, first released in 2018, is a full-featured backdoor trojan. It can perform actions like executing shell commands, logging keystrokes, exfiltrating files, and stealing credentials. With additional plugins, it can extend its malicious capabilities even further.

Recent Threats Targeting Russian Companies

The campaign is not the only one targeting Russian organizations. Another threat cluster, dubbed Stone Wolf, has been infecting Russian companies with Meduza Stealer. These attacks use phishing emails disguised as legitimate messages from industrial automation solution providers.

"Adversaries continue to use archives with both malicious files and legitimate attachments which serve to distract the victim," said BI.ZONE, a cybersecurity firm. By impersonating real organizations, attackers have a better chance of convincing victims to download and open the malicious attachments.

The Role of AI in Accelerating Attacks

This rise in HTML smuggling also coincides with the use of generative artificial intelligence (GenAI) to assist attackers. According to HP Wolf Security, some malicious campaigns have leveraged GenAI to write VBScript and JavaScript code used in spreading AsyncRAT via HTML smuggling.

"The scripts' structure, comments, and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware," said HP Wolf Security. The use of AI has lowered the barrier for cybercriminals, making it easier to launch sophisticated attacks.

Recommendations for Organizations

Organizations are advised to closely monitor their HTTP and HTTPS traffic for any signs of communication with malicious domains and to implement stricter controls around email attachments and web-based content to mitigate the risk of HTML smuggling attacks.

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067