DCRat Targets Users with HTML Smuggling
ID: 5bebf133-cc5a-5917-9cf5-0a4b171bce12
STIX ID: report--5bebf133-cc5a-5917-9cf5-0a4b171bce12
Feed Name: Netskope Threat Labs
Netskope analyzed a campaign delivering DCRat (Dark Crystal RAT) via HTML smuggling. The HTML smuggling stage dropped a password-protected ZIP containing nested RarSFX archives, which ultimately executed DCRat binaries packed with ENIGMA/VMProtect. The report describes the full execution chain, the evasion techniques (HTML smuggling, password-protected archives, packing), related detections, and MITRE ATT&CK mappings. It also provides IOCs and scripts on GitHub and recommends mitigations such as full HTTP/HTTPS inspection and remote browser isolation.
