HTML smuggling has been leveraged for the first time by threat actors to target Russian-speaking users with the DCRat community trojan, also known as DarkCrystal RAT, The Hacker News reports.
Attacks involved the distribution of malicious Russian-language HTML files impersonating TrueConf and VK Messenger apps, which when opened stealthily downloads a password-protected ZIP file with a nested RarSFX archive that launches DCRat that not only enables shell command execution and keystroke logging but also allows file and credential exfiltration, an analysis from Netskope revealed. Such a development follows an HP Wolf Security report detailing another HTML smuggling attack that spread the AsyncRAT malware through a generative artificial intelligence-based dropper. "The scripts' structure, comments and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware. The activity shows how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints," said HP Wolf Security.