Zscaler Blog

Defending Against Last-Mile Reassembly Attacks

Reassembly attacks, a class of client-side attacks that includes HTML smuggling, have rapidly evolved into a favored technique among cybercriminals: they bypass conventional security controls and deliver malicious payloads onto endpoints.

By exploiting the flexibility of HTML and JavaScript, adversaries can embed harmful files directly into web pages, effectively bypassing content filters and traditional security defenses. Threat actors also never stop innovating: they have begun leveraging WebAssembly (WASM) to make these smuggling campaigns even harder for legacy firewalls and web gateways to detect.

An Introduction to Reassembly Attacks

At their core, reassembly attacks deliver malicious components via web browsers, where they are assembled from seemingly innocuous data. The attack payload is not fully formed until it reaches the web browser (the "last mile"), which lets it bypass the network-based detection mechanisms used by traditional cloud proxies and web gateways.

HTML smuggling, a subset of reassembly attacks, embeds malicious payloads—such as executables, scripts, or obfuscated data—inside otherwise benign-looking HTML documents. As the document loads in a browser, the payload is reassembled while the client parses and interprets the HTML and JavaScript that comprise modern web pages. This method commonly abuses JavaScript blobs, the HTML5 download attribute, and data URLs, allowing adversaries to wrap malware in downloadable resources that appear harmless in transit.

Figure: Reassembly Attack Example

How a Reassembly Attack Works

1. Embedding Malicious Content – Attackers use JavaScript, data URLs, or HTML5 features to insert obfuscated malware into an HTML file. 

Figure: Reassembly attack code example as interpreted by the browser

2. Evasion – The HTML document traverses network defenses (firewalls, proxies) largely undetected because the page content appears innocuous. For example, a malicious executable can be Base64-encoded, which renders it as seemingly random text that traditional firewalls or web gateways do not flag.

3. Execution – When a target opens the HTML document in a web browser, scripts reconstruct and drop the malicious payload onto the user's device—sometimes automatically initiating a download.

The Next Level: WebAssembly-Powered HTML Smuggling

WebAssembly (WASM) is a binary instruction format designed for performance-intensive applications on the web. Developers use WASM to run code with near-native speed—enabling complex computations directly in the browser. Unfortunately, attackers are now harnessing WASM in HTML smuggling campaigns to further obfuscate and optimize malware delivery.

Why WASM Makes HTML Smuggling More Dangerous

WebAssembly is attractive to threat actors as a payload delivery vehicle because it lets them run malicious content in the browser while evading detection mechanisms built around conventional file-type signatures. Additional characteristics of WASM that attackers leverage include:

  • Binary Format: WASM code is compact and hard to analyze, making static inspection and signature-based detection far less effective.
  • Cross-Platform Execution: WASM runs seamlessly in major browsers across operating systems, increasing attacker success rates.
  • In-Memory Operations: Payloads can execute exclusively in memory, further reducing forensic footprints.
  • Complex Obfuscation: WASM modules can rebuild and decrypt payloads on the fly, making malware analysis extremely challenging.

Consider an attack chain where an HTML file loads a WASM module that, when executed, reconstructs an embedded ransomware payload—invisible to the network until it reaches the endpoint via a web browser.
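As an added example (not code from the original post), the following Python scanner illustrates the detection logic a defender can apply to the three attack steps and the WASM loading described above: it looks for the co-occurrence of a decode source (atob, long Base64 runs, binary data URLs, WebAssembly instantiation) and a delivery mechanism (Blob, createObjectURL, download attribute). The rule set and both sample pages are constructed for illustration and are not Zscaler signatures.

```python
import re
from typing import Dict

# Hypothetical rule set: each regex evidences one reassembly technique.
INDICATORS: Dict[str, re.Pattern] = {
    "base64_decode":   re.compile(r"\batob\s*\("),
    "blob_construct":  re.compile(r"\bnew\s+Blob\s*\("),
    "object_url":      re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr":   re.compile(r"\bdownload\s*=", re.I),
    "data_url_binary": re.compile(r"data:application/[\w.+-]+;base64,", re.I),
    "wasm_load":       re.compile(r"WebAssembly\.(instantiate|compile)"),
    # Long Base64 runs are the "randomized text" a smuggled binary becomes.
    "long_base64":     re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}

def scan_html(html: str) -> Dict[str, int]:
    """Count hits per indicator in one HTML document."""
    return {name: len(pat.findall(html)) for name, pat in INDICATORS.items()}

def verdict(hits: Dict[str, int]) -> str:
    """Flag only when a decode source AND a delivery mechanism co-occur;
    either alone is common in legitimate pages (previews, uploads)."""
    decode = (hits["base64_decode"] or hits["long_base64"]
              or hits["data_url_binary"] or hits["wasm_load"])
    deliver = hits["blob_construct"] or hits["object_url"] or hits["download_attr"]
    if decode and deliver:
        return "suspicious"
    if decode or deliver:
        return "review"
    return "clean"

# Constructed sample: the blob/createObjectURL/download pattern from the post.
# The Base64 body is filler ("A" * 300), not a real payload.
SMUGGLING_SAMPLE = """<html><body><script>
var b = atob("%s");
var blob = new Blob([b], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "update.bin"; a.click();
</script></body></html>""" % ("A" * 300)

# Constructed benign sample: createObjectURL used for an image preview only.
BENIGN_SAMPLE = """<html><body><input type="file" id="f"><img id="preview">
<script>f.onchange = e => preview.src = URL.createObjectURL(e.target.files[0]);
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        hits = scan_html(page)
        print(name, verdict(hits), {k: v for k, v in hits.items() if v})
```

In production the same co-occurrence logic would run on the decoded response body after TLS inspection, since the indicators are invisible in encrypted transit.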

How Zscaler Protects Against HTML smuggling and WASM-Based Malware

Organizations need a layered, multi-faceted defense approach to combat these sophisticated threats. Zscaler’s Advanced Threat Protection leverages Single Scan, Multi-Action, which applies multiple threat prevention technologies in parallel for maximum protection.

Single Scan, Multi-Action Protection

Zscaler's Antimalware Engine is a core component of our Single Scan, Multi-Action comprehensive threat prevention: when data packets are sent to one of our proxy service nodes, Zscaler applies layered, inline, AI-powered security controls that detect and stop threats without disrupting user productivity. Antimalware is one of several engines that run in parallel, without the latency that other vendors incur through service chaining. Here’s how it stops reassembly attacks that leverage HTML smuggling:

Figure: Single Scan, Multi-Action Diagram

  • AI-Driven Antimalware Engine: Zscaler’s Antimalware Engine analyzes files, including HTML files with JavaScript and other client-side scripting, in real time—this includes embedded WASM modules and obfuscated content—unpacking malicious payloads from blobs, data URLs, or WASM binaries. The Antimalware Engine emulates malicious scripting line by line—including obfuscated HTML—reassembles the executable binary in isolation, and then prevents that malicious file from being delivered to an endpoint.
  • Code execution in isolation: rather than relying purely on signatures, Zscaler uses advanced isolation in which suspicious scripts and WASM modules are executed and analyzed before they reach the endpoint—catching novel malware strains before they can do damage.
  • Single scan, multi-action (SSMA): Threats detected via HTML smuggling trigger multiple responses to stop attacks at the point of entry. For instance, if an HTML file tries to reconstruct a payload using WASM, Zscaler's Antimalware Engine rapidly inspects the binary instructions, identifies malicious behaviors, and prevents the download or execution before infection can occur.

Network Layer Defense: Inline Inspection Provides Real-Time Protection

Malicious HTML files often attempt to slip through traditional network perimeter defenses. But Zscaler’s inline inspection changes the game with:

  • Protocol and content inspection: Zscaler analyzes not just file headers, but also the actual embedded content in HTTP/HTTPS traffic—including hidden WASM modules.
  • Advanced MIME type inspection: The public service edge nodes examine data URLs and scripts for abnormal MIME types or download behaviors, flagging and blocking suspicious downloads automatically.
  • Real-time inline blocking: Suspicious files—from HTML to JavaScript to WASM—are detected and halted in transit, preventing delivery of a smuggled payload before it ever reaches an endpoint.
  • Holistic visibility: Zscaler provides detailed threat analytics for security teams to track, investigate, and respond to smuggling attempts—reducing dwell time and the risk of lateral movement.

Defense-in-depth protection against reassembled malware

Our Antimalware Engine is just one part of an overall defense-in-depth cyberthreat protection offering: as part of Zscaler Internet Access, our AI-powered Zero Trust Browser and Cloud Sandbox add further layers of protection that prevent malicious reassembled files from executing on an endpoint:

  • Zero Trust Browser: Browser Isolation stops web-based threats by isolating suspicious web pages and streaming only safe pixels of the session to the end user, not active content. This blocks browser exploits, so any malicious payload delivered via HTML smuggling is confined to an ephemeral container in the Zero Trust Exchange itself and never reaches the endpoint.

    Moreover, customers can configure browser isolation to examine the age of the domain from which a web page originates, or other criteria such as its URL category (e.g., gambling, adult content, etc.). Using policy, Zscaler customers can force potentially malicious web pages to render in the Zero Trust Browser, so they open in a virtualized browser rendered as pixels only, without JavaScript or other potentially malicious client-side scripting, effectively neutralizing malicious bytecode before it impacts the endpoint. Lastly, browser isolation profiles can be configured to forbid file downloads. Even where downloads are allowed, ZIA’s Advanced Threat Protection and Cloud Sandbox prevent such files from being downloaded and executed on the endpoint.

  • Cloud Sandbox, also offered as part of Zscaler Internet Access, provides an additional layer of defense that augments Zscaler’s AV Engine and Zero Trust Browser. Legacy sandbox solutions in the market are ineffective against HTML smuggling attacks because no file is transferred over the network, so the attack goes unnoticed. Zscaler’s Cloud Sandbox, by contrast, delivers unlimited, latency-free inspection to block threats before they reach an endpoint. Cloud native and fully inline, it provides real-time analysis and verdicts to prevent threats from spreading—without compromising productivity.

Conclusion

Reassembly attacks, including HTML smuggling, are no longer limited to simple download attribute abuse or JavaScript blobs—attacker sophistication is escalating with the adoption of technologies like WebAssembly. These campaigns are now harder to detect, more evasive, and potentially more damaging. Organizations must respond with adaptive defense mechanisms.

Zscaler offers a unified approach that defends against reassembly attacks—including HTML smuggling—by combining advanced real-time threat scanning, behavioral analysis, and network-level inline inspection, resulting in robust protection against zero-day threats and the newest HTML smuggling attacks. By examining content inline, Zscaler neutralizes threats before they reach an endpoint—giving organizations peace of mind: they can protect their data while employees remain productive and embrace the latest web technologies without compromising security.

Learn more about Zscaler’s AI-powered threat detection and how it keeps users safe from evolving attack vectors like reassembly attacks, HTML smuggling and WASM-based malware.