Strategy to Deliver Malicious Attachment
Security researchers at InceptionCyber AI have observed a new phishing campaign that uses HTML smuggling to distribute the Octalyn Stealer, an info-stealing malware. The campaign targets enterprises under the guise of B2B inquiries and is built to slip past traditional email filters and endpoint defenses with one of the most evasive delivery mechanisms in current use.
HTML smuggling has recently surged in adoption again because of how well it evades network perimeter controls. Unlike an attached executable or a link to one, HTML smuggling carries the payload only as an encoded string inside the HTML file; JavaScript in the page (or inside an embedded SVG) decodes that string into a Blob, creates a local object URL for it and triggers a download. The executable therefore never crosses the perimeter as a recognizable file, and the victim's own browser becomes the payload builder. When paired with social engineering, as this campaign does, it creates an attack vector that slips silently through corporate defenses.
In this campaign, the attack begins with a well-crafted email sent to corporate inboxes. It impersonates a legitimate business inquiry, with a subject line phrased as a B2B enquiry such as “Inquiry Regarding Product Customization and Quotation for Q4 2025 Order”.
Image: Email delivering Malicious Attachment
Intent / Tone: Formal, B2B buyer semantics mimicking procurement departments.
Attachment: A single HTML file labelled proposal.html. A proposal delivered as HTML is a red flag, yet one that is often overlooked.
Once opened, the HTML file renders an SVG-based page mimicking a document viewer. It includes:
The HTML also has a script appended that copies the access code (the password for the downloaded archive) for the user. It looks like a convenience, but it is doing more than it appears: it is a subtle psychological tactic that guides the user gently toward launching the next stage without raising alarms.
Image: Appended Script
The effectiveness of HTML smuggling is evident in this campaign. Despite having no obfuscation, no URL encoding, and a clearly embedded download link, the HTML file had a zero-detection score on VirusTotal. This underscores how little signature-based static engines catch when the executable content never appears in the file they scan.
Image: VirusTotal score of the attachment
Image: Attack Chain
Once the ZIP is extracted using the copied password, the victim encounters a file posing as an MS-Word document — which in reality is the Octalyn Stealer executable. Octalyn is not just another commodity malware. It is part of a new wave of open-source, modular info-stealers, hosted brazenly on public repositories like GitHub.
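The points above (a page that decodes an embedded string into a Blob and triggers a download, a helper that copies the archive password, and a ZIP whose member is an executable posing as a document) can be checked with a few static heuristics even though the file scores clean on VirusTotal. The script below is an added example and is not InceptionCyber's detection code or anything from the campaign. The sample attachment it triages is constructed for the demo (a tiny ZIP containing a fake "MZ" stub under a document-looking name, base64-embedded in a smuggling page), as is the benign CSV-export page used to show that the browser primitives alone are not enough to convict a file.

```python
"""Static triage of a suspected HTML-smuggling attachment (added example)."""
import base64
import io
import re
import zipfile

# Primitives a smuggling page needs to rebuild a file client-side and hand it
# to the user. None is malicious alone; the combination plus a carved payload is.
SMUGGLING_MARKERS = {
    "decodes embedded data": r"\batob\s*\(|TextDecoder|Uint8Array",
    "builds a file in memory": r"new\s+Blob\s*\(|msSaveOrOpenBlob",
    "creates a local download URL": r"URL\.createObjectURL",
    "auto-triggers the download": r"\.download\s*=|\.click\s*\(",
    "copies a password to clipboard": r"navigator\.clipboard\.writeText|execCommand\s*\(\s*['\"]copy",
}
EXEC_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk", ".msi", ".pif", ".com"}
MIN_BLOB_LEN = 64  # base64 literals this long are unusual in a "proposal" page (assumed threshold)


def find_markers(html: str) -> list[str]:
    return [name for name, pat in SMUGGLING_MARKERS.items() if re.search(pat, html)]


def carve_payloads(html: str) -> list[bytes]:
    """Return every decodable base64 string literal of suspicious length."""
    out = []
    for m in re.finditer(r"['\"]([A-Za-z0-9+/]{%d,}={0,2})['\"]" % MIN_BLOB_LEN, html):
        try:
            out.append(base64.b64decode(m.group(1), validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return out


def triage_archive(blob: bytes) -> list[str]:
    """If a carved blob is a ZIP, list members that masquerade as documents."""
    findings = []
    if not blob.startswith(b"PK\x03\x04"):
        return findings
    # Member names and flags live in the central directory, which is readable
    # without the password even when the entries themselves are encrypted.
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            encrypted = bool(info.flag_bits & 0x1)
            if "\u202e" in name:  # right-to-left override hides the real extension
                findings.append(f"{name!r}: RLO character in filename")
            if ext in EXEC_EXTENSIONS:
                findings.append(f"{name!r}: executable extension" + (" (encrypted)" if encrypted else ""))
    return findings


def triage(html: str) -> dict:
    markers = find_markers(html)
    payloads = carve_payloads(html)
    archive_findings = [f for p in payloads for f in triage_archive(p)]
    if archive_findings:
        verdict = "malicious"
    elif len(markers) >= 2 and payloads:
        verdict = "suspicious"
    else:
        verdict = "clean"  # e.g. a legitimate client-side export with no embedded blob
    return {"markers": markers, "payloads": len(payloads),
            "archive_findings": archive_findings, "verdict": verdict}


def build_sample_html() -> str:
    """Constructed demo attachment: doc-named executable inside a ZIP, smuggled via Blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Proposal_Q4_2025.docx.exe", b"MZ" + b"\x00" * 64)  # fake PE stub, not a real binary
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body><svg><text>Loading document viewer...</text></svg>
<script>
var data = atob("{b64}");
var bytes = new Uint8Array(data.length);
for (var i = 0; i < data.length; i++) bytes[i] = data.charCodeAt(i);
var blob = new Blob([bytes], {{type: "application/zip"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "proposal.zip"; a.click();
</script>
<script>navigator.clipboard.writeText("ACCESS-CODE");</script>
</body></html>"""


# Constructed benign page: a CSV export uses the same browser primitives.
BENIGN_EXPORT_HTML = """<html><body><script>
var csv = rows.map(function (r) { return r.join(","); }).join("\\n");
var blob = new Blob([csv], {type: "text/csv"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "report.csv"; a.click();
</script></body></html>"""

if __name__ == "__main__":
    print(triage(build_sample_html()))
    print(triage(BENIGN_EXPORT_HTML))
```

The verdict deliberately needs more than the Blob/createObjectURL/download trio, because ordinary web apps use exactly those calls to export reports; what separates a smuggling page is a large decodable blob, and what makes it convictable is what the carved blob turns out to be.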
The GitHub repository features a streamlined interface that allows attackers to easily configure their Telegram bot token and chat ID, making the entire operation alarmingly accessible—even for low-skilled threat actors.
Written in: C++/Delphi, an uncommon combination that makes detection less consistent across AV engines.
Control Panel: GUI-driven, simplifying attacker operation; real-time victim monitoring; cross-platform support (Windows and Linux).
System Targets: Compatible from Windows XP to Windows 11.
Exfiltration Method: Telegram Bot API; stealthy, encrypted and real-time.
The use of Telegram for exfiltration is a growing trend among info-stealers. The Bot API is ordinary HTTPS to api.telegram.org, so the traffic is encrypted, blends with normal web traffic, and is difficult to block without also cutting off legitimate business use of Telegram.
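Because the Bot API is plain HTTPS to one well-known host, the exfiltration is hard to block but not hard to hunt for once proxy or TLS-inspection logs are available. The script below is an added example, not part of InceptionCyber's platform or of Octalyn: it walks constructed proxy log lines in an assumed "time host verb url bytes" format, flags non-allowlisted hosts calling the Bot API, tallies what they sent through data-moving methods, and redacts the bot token for reporting. Host names, the allowlist and the tokens are all invented for the demo.

```python
"""Hunt for Telegram Bot API exfiltration in web-proxy logs (added example)."""
import re
from collections import defaultdict

# Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>.
# The token is visible in the path only where the proxy inspects TLS; a
# DNS/SNI-only view still sees the host, which is often enough to alert on.
BOT_API = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{20,})/(\w+)")
# Bot API methods that carry data away from the victim; sendDocument carries files.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
# Hosts with a business reason to talk to Telegram (assumed for the demo).
ALLOWLIST = {"comms-pc01"}

# Constructed log lines: time, source host, HTTP verb, URL, bytes sent.
LOG_LINES = [
    "2025-10-02T09:14:03Z ws-fin-17 POST https://api.telegram.org/bot7012345678:AAFexampleSecretTokenValue_abc123XYZ/sendDocument 184320",
    "2025-10-02T09:14:05Z ws-fin-17 POST https://api.telegram.org/bot7012345678:AAFexampleSecretTokenValue_abc123XYZ/sendMessage 512",
    "2025-10-02T09:15:11Z comms-pc01 POST https://api.telegram.org/bot6123456789:AAEanotherExampleToken_987654321/sendMessage 300",
    "2025-10-02T09:16:40Z ws-fin-17 GET https://web.telegram.org/k/ 2048",
    "2025-10-02T09:17:00Z ws-hr-03 GET https://www.example.com/ 1200",
]


def parse(line: str):
    time, host, verb, url, size = line.split()
    return time, host, verb, url, int(size)


def hunt(lines, allowlist=ALLOWLIST) -> dict:
    """Per-host summary of Bot API use from hosts that should not have any."""
    hits = defaultdict(lambda: {"bot_ids": set(), "methods": set(), "bytes_out": 0, "count": 0})
    for line in lines:
        _time, host, verb, url, size = parse(line)
        m = BOT_API.search(url)
        if not m or host in allowlist:
            continue
        bot_id, _secret, api_method = m.groups()
        rec = hits[host]
        rec["bot_ids"].add(bot_id)
        rec["methods"].add(api_method)
        rec["count"] += 1
        if verb == "POST" and api_method in EXFIL_METHODS:
            rec["bytes_out"] += size  # upload volume is the exfiltration indicator
    return dict(hits)


def redact(url: str) -> str:
    """Keep the bot id (a useful IOC) but mask the secret before sharing a report."""
    return BOT_API.sub(lambda m: f"https://api.telegram.org/bot{m.group(1)}:***/{m.group(3)}", url)


if __name__ == "__main__":
    for host, rec in hunt(LOG_LINES).items():
        print(host, sorted(rec["methods"]), rec["bytes_out"], "bytes out")
    print(redact(LOG_LINES[0].split()[3]))
```

Where TLS inspection is not in place the regex never matches; in that case alert on DNS or SNI for api.telegram.org from any host outside the allowlist, which is exactly the "blocks legitimate communication" trade-off the paragraph above describes, reduced to a short list of sanctioned machines.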
Despite the stealthiness of HTML smuggling, InceptionCyber’s INTENT-BASED THREAT PREVENTION™ AI platform detected and blocked this attack at an early stage. The Neural Analysis and Correlation Engine (NACE™) neutralized the attack by correlating header artifacts with semantic analysis in real time. Rather than relying on static blocklists, NACE™ applies semantic and thematic analysis to every message, extracting higher-order feature tags that remain stable even when the adversary rotates the payloads.
Key Engine Signals were:
By fusing these features, NACE™ produced a high-confidence verdict and quarantined the email before it reached end users, demonstrating the value of contextual, multi-layer analysis over single-point IOC checks and making it capable of detecting evasive, polymorphic attacks.
Image: Threat Detection Logs of Malicious Attachment
This campaign is a sobering reminder that email attachments can’t be trusted, even when they are just HTML. HTML smuggling lets attackers deliver payloads that are assembled in the browser, dodging every filter in the stack that only inspects what crosses the wire.
Pair this with a modular, open-source malware like Octalyn Stealer, and you have a recipe for stealthy, scalable enterprise compromise. As malware delivery becomes more psychological and evasive, defenders need tools and mindsets that evolve just as fast.
NACE™ is an INTENT-BASED THREAT PREVENTION™ AI platform that does not depend on the final payload or on features from the exploitation stage to derive its verdict. Instead, it uses semantic and thematic analysis to understand the underlying intent of an email. By analyzing the contextual relationships between that intent, auxiliary signals from URLs, deep file parsing results from attachments and SMTP headers, NACE™ proactively detects stealthy malspam vectors, often before users engage or the payload is delivered.
Learn more about how NACE™ protects against malicious attachments, whether created by human threat actors or powered by AI.