Azorult Malware Abuses Google Sites To Steal Login Credentials

A new evasive Azorult campaign uses HTML smuggling to deliver a malicious JSON payload from an external website. The JSON file is then loaded using reflective code loading, a fileless technique that bypasses disk-based detection, and the chain also employs an AMSI bypass to avoid being flagged by antivirus software. The campaign targets the healthcare industry and steals sensitive information, including login credentials, crypto wallet data, and browser information.

Google Sites Exploited For HTML Smuggling Attacks

Adversaries launched the attack using HTML smuggling within fake Google Docs pages hosted on Google Sites, which tricked victims into downloading a malicious payload disguised as a legitimate Google Doc, Netskope said. Unlike typical HTML smuggling, where the payload is embedded in the page's JavaScript, this instance stored the base64-encoded payload in a separate JSON file hosted on a different domain. Upon visiting the page, the victim's browser unknowingly fetches the JSON and extracts the malicious payload from it.

The attacker's website shields itself from scanners with a CAPTCHA and then delivers HTML that downloads a disguised LNK shortcut. The LNK triggers a PowerShell script that downloads a base64-encoded payload, decodes it, creates a scheduled task to execute the script, and then deletes itself. The downloaded JavaScript copies itself, checks for a specific file that triggers self-deletion, and fetches two more PowerShell scripts to execute. Finally, the attackers leverage reflective code loading to run the payload in memory and evade detection.
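For an analyst who has captured the smuggled JSON file described above, the first question is what the base64 string inside it actually decodes to. The following triage helper is an added example, not code from the GBHackers or Netskope write-ups: it walks a JSON document, finds string values that decode as base64, and classifies the decoded bytes by their magic header (the .LNK header constant, the "MZ" PE stub, ZIP and PDF signatures). The sample JSON, the field names and the decoy values are constructed for illustration and are not indicators from the campaign.

```python
"""Triage helper for payloads smuggled inside a JSON file.

Added example: finds base64-encoded string fields anywhere in a JSON
document, decodes them, and reports the file type by magic bytes so the
smuggled file is identified before any browser or user touches it.
"""
import base64
import binascii
import hashlib
import json
import re

# Shell link (.LNK) files begin with HeaderSize 0x4C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 (GUID fields are
# little-endian, so Data1 0x00021401 is stored as 01 14 02 00).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

MAGICS = (
    ("lnk", LNK_MAGIC),
    ("pe", b"MZ"),
    ("zip", b"PK\x03\x04"),
    ("pdf", b"%PDF-"),
)

BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
MIN_B64_CHARS = 32  # assumption: shorter strings are treated as ordinary text


def try_b64(value: str):
    """Return the decoded bytes if `value` is a plausible base64 blob, else None."""
    compact = "".join(value.split())  # smuggled blobs are often line-wrapped
    if (len(compact) < MIN_B64_CHARS or len(compact) % 4
            or not BASE64_RE.fullmatch(compact)):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None


def classify(data: bytes) -> str:
    """Name the decoded payload by its leading magic bytes."""
    for name, magic in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def iter_strings(node, path="$"):
    """Yield (json_path, string) for every string value, however deeply nested."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from iter_strings(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from iter_strings(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def extract_payloads(json_text: str) -> list:
    """Decode every base64 field in the JSON and describe what it contains."""
    findings = []
    for path, value in iter_strings(json.loads(json_text)):
        data = try_b64(value)
        if data is None:
            continue
        findings.append({
            "path": path,
            "size": len(data),
            "type": classify(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return findings


# Constructed sample: a 76-byte stand-in for a .LNK header (a real shortcut
# carries more structures after it) smuggled as base64 beside harmless fields.
FAKE_LNK = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))
SAMPLE_JSON = json.dumps({
    "title": "Google Doc",
    "files": [{
        "name": "Google Doc.pdf.lnk",
        "data": base64.b64encode(FAKE_LNK).decode(),
    }],
})

if __name__ == "__main__":
    for f in extract_payloads(SAMPLE_JSON):
        print(f"{f['path']}: {f['type']} ({f['size']} bytes) sha256={f['sha256']}")
```

Run against the constructed sample it reports a single finding at `$.files[0].data` of type `lnk`; the short title and filename fields are skipped because they are below the length threshold and contain characters outside the base64 alphabet. The hash lets the analyst pivot to sandbox or threat-intel lookups without ever writing the decoded shortcut to a location where it could be double-clicked.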

Source: GBHackers
