<style>/*<link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=5925999397593177003&zx=549ba777-7104-4cf3-8acd-6ab59774fdef' media='none' onload='if(media!='all')media='all'' rel='stylesheet'/><noscript><link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=5925999397593177003&zx=549ba777-7104-4cf3-8acd-6ab59774fdef' rel='stylesheet'/></noscript>
<meta name='google-adsense-platform-account' content='ca-host-pub-1556223355139109'/>
<meta name='google-adsense-platform-domain' content='blogspot.com'/>

<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-2460228594947362&host=ca-host-pub-1556223355139109" crossorigin="anonymous"></script>

<!-- data-ad-client=ca-pub-2460228594947362 -->

</head><body>*/</style>

Use of CSS stuffing as an obfuscation technique?, (Fri, Nov 21st)

Sp123

21 Nov, 2025

From time to time, it can be instructive to look at generic phishing messages that are delivered to one’s inbox or that are caught by basic spam filters. Although one usually doesn’t find much of interest, sometimes these little excursions into what should be a run-of-the-mill collection of basic, commonly used phishing techniques can lead one to find something new and unusual. This was the case with one of the messages delivered to our handler inbox yesterday…

Introduction to Malware Binary Triage (IMBT) Course

Looking to level up your skills? Get 10% off using coupon code: MWNEWS10 for any flavor.

Enroll Now and Save 10%: Coupon Code MWNEWS10

Note: Affiliate link – your enrollment helps support this platform at no extra cost to you.

Article Link: Use of CSS stuffing as an obfuscation technique? - SANS ISC

1 post - 1 participant

Read full topic

Malware Analysis, News and Indicators - Latest topics

Sp123

"The real threat is actually not when the computer begins to think like a human, but when humans begin to think like computers."

<style>/*
<script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/3121834124-widgets.js"></script>
<script type='text/javascript'>
window['__wavt'] = 'AOuZoY54XEWMUej08AEMRsTv6UmYhdxkVg:1764142624283';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d5925999397593177003','//www.sharitsec.eu.org/2025/11/use-of-css-stuffing-as-obfuscation.html','5925999397593177003');
_WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '5925999397593177003', 'title': 'SharITSec', 'url': 'https://www.sharitsec.eu.org/2025/11/use-of-css-stuffing-as-obfuscation.html', 'canonicalUrl': 'https://www.sharitsec.eu.org/2025/11/use-of-css-stuffing-as-obfuscation.html', 'homepageUrl': 'https://www.sharitsec.eu.org/', 'searchUrl': 'https://www.sharitsec.eu.org/search', 'canonicalHomepageUrl': 'https://www.sharitsec.eu.org/', 'blogspotFaviconUrl': 'https://www.sharitsec.eu.org/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': true, 'httpsEnabled': true, 'enabledCommentProfileImages': true, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': '', 'encoding': 'UTF-8', 'locale': 'en-GB', 'localeUnderscoreDelimited': 'en_gb', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22SharITSec - Atom\x22 href\x3d\x22https://www.sharitsec.eu.org/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22SharITSec - RSS\x22 href\x3d\x22https://www.sharitsec.eu.org/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22SharITSec - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/5925999397593177003/posts/default\x22 /\x3e\n\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22SharITSec - Atom\x22 href\x3d\x22https://www.sharitsec.eu.org/feeds/6747670092642750108/comments/default\x22 /\x3e\n', 'meTag': '', 'adsenseClientId': 'ca-pub-2460228594947362', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': true, 'adsenseAutoAds': true, 'boqCommentIframeForm': true, 'loginRedirectParam': '', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/48d454be0db742d2', 'plusOneApiSrc': 'https://apis.google.com/js/platform.js', 'disableGComments': true, 'interstitialAccepted': false, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'X', 'key': 'twitter', 'shareMessage': 'Share to X', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en_GB\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': false, 'jumpLinkMessage': 'Read more', 'pageType': 'item', 'postId': '6747670092642750108', 'pageName': 'Use of CSS stuffing as an obfuscation technique?, (Fri, Nov 21st)', 'pageTitle': 'SharITSec: Use of CSS stuffing as an obfuscation technique?, (Fri, Nov 21st)', 'metaDescription': ''}}, {'name': 'features', 'data': {}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard', 'ok': 'Ok', 'postLink': 'Post link'}}, {'name': 'template', 'data': {'name': 'custom', 'localizedName': 'Custom', 'isResponsive': true, 'isAlternateRendering': false, 'isCustom': true}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'Use of CSS stuffing as an obfuscation technique?, (Fri, Nov 21st)', 'description': 'Welcome to the website \x22sharitsec.eu.org\x22 a gathering place for information and learning news about hacking.', 'url': 'https://www.sharitsec.eu.org/2025/11/use-of-css-stuffing-as-obfuscation.html', 'type': 'item', 'isSingleItem': true, 'isMultipleItems': false, 'isError': false, 'isPage': false, 'isPost': true, 'isHomepage': false, 'isArchive': false, 'isLabelSearch': false, 'postId': 6747670092642750108}}, {'name': 'widgets', 'data': [{'title': 'Pagination', 'type': 'HTML', 'sectionId': 'upload-image', 'id': 'HTML8'}, {'title': 'Template License', 'type': 'HTML', 'sectionId': 'upload-image', 'id': 'HTML7'}, {'title': 'Popular', 'type': 'PopularPosts', 'sectionId': 'upload-image', 'id': 'PopularPosts1', 'posts': [{'title': 'Malware Trends Overview Report: 2024', 'id': 1211999168953407251}, {'title': 'Draft UK Cyber Security and Resilience Bill Enters UK Parliament', 'id': 9209562658772008596}, {'title': 'Top 10 Deep Web and Dark Web Forums', 'id': 1342649630186364928}]}, {'title': 'Your Css', 'type': 'HTML', 'sectionId': 'upload-image', 'id': 'HTML9'}, {'title': 'About Me', 'type': 'Profile', 'sectionId': 'upload-image', 'id': 'Profile1'}, {'title': 'Your Javascript', 'type': 'HTML', 'sectionId': 'upload-image', 'id': 'HTML6'}, {'title': 'Google analytics', 'type': 'HTML', 'sectionId': 'upload-image', 'id': 'HTML5'}, {'title': 'Navbar Menu', 'type': 'HTML', 'sectionId': 'upload-image', 'id': 'HTML2'}, {'title': 'Icons, Dark, Search', 'type': 'LinkList', 'sectionId': 'header-main', 'id': 'LinkList10'}, {'title': 'Menu', 'type': 'LinkList', 'sectionId': 'header-main', 'id': 'LinkList11'}, {'title': 'Featured Post', 'type': 'FeaturedPost', 'sectionId': 'before-blog', 'id': 'FeaturedPost1', 'postId': '2799242630112721892'}, {'title': 'Blog Posts', 'type': 'Blog', 'sectionId': 'blog-post', 'id': 'Blog1', 'posts': [{'id': '6747670092642750108', 'title': 'Use of CSS stuffing as an obfuscation technique?, (Fri, Nov 21st)', 'showInlineAds': false}], 'headerByline': {'regionName': 'header1', 'items': [{'name': 'author', 'label': 'Posted by'}, {'name': 'timestamp', 'label': 'd MMM, yyyy'}, {'name': 'share', 'label': ''}]}, 'footerBylines': [{'regionName': 'footer1', 'items': [{'name': 'comments', 'label': 'Comment'}]}, {'regionName': 'footer2', 'items': [{'name': 'labels', 'label': 'Labels:'}]}], 'allBylineItems': [{'name': 'author', 'label': 'Posted by'}, {'name': 'timestamp', 'label': 'd MMM, yyyy'}, {'name': 'share', 'label': ''}, {'name': 'comments', 'label': 'Comment'}, {'name': 'labels', 'label': 'Labels:'}]}, {'title': '#You may also like', 'type': 'HTML', 'sectionId': 'ads-post', 'id': 'HTML15'}, {'title': 'Popular Posts', 'type': 'PopularPosts', 'sectionId': 'sidebar-static', 'id': 'PopularPosts10', 'posts': [{'title': 'Malware Trends Overview Report: 2024', 'id': 1211999168953407251}, {'title': 'Draft UK Cyber Security and Resilience Bill Enters UK Parliament', 'id': 9209562658772008596}, {'title': 'Top 10 Deep Web and Dark Web Forums', 'id': 1342649630186364928}, {'title': 'What\u2019s New in GravityZone November 2025 (v 6.68)', 'id': 2246776747786142126}, {'title': 'Top 5 IoC Search \x26 Enrichment Platforms', 'id': 2542471219401146933}]}, {'title': 'Archive', 'type': 'BlogArchive', 'sectionId': 'sidebar-static', 'id': 'BlogArchive10'}, {'title': '#Recent Post', 'type': 'HTML', 'sectionId': 'sidebar-static', 'id': 'HTML19'}, {'title': 'Copyright', 'type': 'HTML', 'sectionId': 'copyright', 'id': 'HTML23'}, {'title': 'SVG Icons', 'type': 'HTML', 'sectionId': 'jet-options', 'id': 'HTML24'}]}]);
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML8', 'upload-image', document.getElementById('HTML8'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML7', 'upload-image', document.getElementById('HTML7'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_PopularPostsView', new _WidgetInfo('PopularPosts1', 'upload-image', document.getElementById('PopularPosts1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML9', 'upload-image', document.getElementById('HTML9'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_ProfileView', new _WidgetInfo('Profile1', 'upload-image', document.getElementById('Profile1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML6', 'upload-image', document.getElementById('HTML6'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML5', 'upload-image', document.getElementById('HTML5'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML2', 'upload-image', document.getElementById('HTML2'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList10', 'header-main', document.getElementById('LinkList10'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList11', 'header-main', document.getElementById('LinkList11'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_FeaturedPostView', new _WidgetInfo('FeaturedPost1', 'before-blog', document.getElementById('FeaturedPost1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog1', 'blog-post', document.getElementById('Blog1'), {'cmtInteractionsEnabled': false, 'lightboxEnabled': true, 'lightboxModuleUrl': 'https://www.blogger.com/static/v1/jsbin/2005706681-lbx__en_gb.js', 'lightboxCssUrl': 'https://www.blogger.com/static/v1/v-css/828616780-lightbox_bundle.css'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML15', 'ads-post', document.getElementById('HTML15'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_PopularPostsView', new _WidgetInfo('PopularPosts10', 'sidebar-static', document.getElementById('PopularPosts10'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_BlogArchiveView', new _WidgetInfo('BlogArchive10', 'sidebar-static', document.getElementById('BlogArchive10'), {'languageDirection': 'ltr', 'loadingMessage': 'Loading\x26hellip;'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML19', 'sidebar-static', document.getElementById('HTML19'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML23', 'copyright', document.getElementById('HTML23'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML24', 'jet-options', document.getElementById('HTML24'), {}, 'displayModeFull'));
</script>
</body>*/</style>