Home

Published

- 8 min read

Cache Me If You Can: Smuggling Malware Through Browser

By William OGOU
Browser Cache Smuggling DLL Hijacking Microsoft Teams Malware Delivery Red Team Browser Security Threat Detection
img of Cache Me If You Can: Smuggling Malware Through Browser

Cyber attackers are always finding new ways to get around security defenses. While most threats like bad email attachments and suspicious network traffic are now easier to catch, a newer technique called Browser Cache Smuggling is starting to gain attention.

First revealed at Insomni’hack 2025, this method uses the browser’s cache and a trick called DLL proxying to secretly deliver malware through trusted apps like Microsoft Teams and OneDrive—without triggering most security tools.

In this post, we’ll explain how this attack works, why it’s so hard to detect, and how you can protect against it.

What is Browser Cache Smuggling? A Two-Act Play

At its core, Browser Cache Smuggling is an attack that leverages the browser’s natural caching mechanism to sneak a malicious payload onto a victim’s machine. To enhance efficiency and speed, modern browsers cache static files like images, JavaScript, and CSS. Attackers exploit this fundamental behavior in a two-stage process:

  • The Smuggle (Payload Delivery): The attacker tricks the user’s browser into downloading and caching a malicious file (typically a DLL) disguised as a harmless asset, like an image.
  • The Retrieval & Execution (Payload Activation): Through social engineering, the attacker convinces the user to run a simple command that finds the cached malware, moves it to a strategic location, and lets a trusted application execute it.

This technique is potent because neither stage, on its own, looks particularly malicious to many security tools. There are no suspicious email attachments, and the final execution is launched by a legitimate, signed application like Microsoft Teams.

The Attack Chain: A Step-by-Step Deep Dive

This attack is more than a simple trick; it’s a weaponized technique that chains together several concepts for maximum impact and stealth.

Step 1: The Lure — Hiding a DLL in Plain Sight

The attacker’s first challenge is to get the malicious DLL onto the target’s computer. They begin by hosting this DLL on a webpage they control. However, to get the browser to cache it, they manipulate the HTTP Content-Type header.

For example, when the browser requests a file, the server responds by saying, “Here is the file, and by the way, it’s an image/jpeg.” The browser, trusting this header, caches the file as if it were a standard image. In reality, the file’s content is the attacker’s malicious DLL. The browser doesn’t validate the file’s actual content against the header; it simply trusts what the web server tells it.

Step 2: Social Engineering — The PowerShell One-Liner

Once the malicious DLL is nestled in the browser’s cache on the victim’s machine, the attacker needs a way to retrieve and execute it. This is where social engineering comes in. The attacker might contact the user, posing as IT support:

“Hello, we detected a minor issue with your Teams application after a recent update. Please open PowerShell and run this command to apply a quick fix. It will resolve the problem.”

The command they provide doesn’t download anything from the internet, which would be a major red flag. Instead, it’s a seemingly harmless script that searches for a specific file already on the local machine and moves it. This script scans the browser’s cache directory (e.g., C:\Users\[Username]\AppData\Local\Mozilla\Firefox\Profiles\...\cache2\entries) for the hidden DLL and copies it to a critical application directory, such as the localappdata folder for Microsoft Teams.

Step 3: The Hijack — Abusing Trusted Applications and DLL Search Order

This is the linchpin of the attack. Why Microsoft Teams or OneDrive?

  • They are ubiquitous in enterprise environments.
  • They are trusted applications that communicate frequently over HTTPS, making their network traffic ideal for hiding a command-and-control (C2) beacon.
  • Critically, they are often installed in the user’s localappdata directory, which is writable by a standard user without requiring administrative privileges.
  • They rely on the Windows DLL search order. When Teams.exe launches, it looks for necessary DLLs (like VERSION.dll or dbghelp.dll) in a specific order, starting with the directory from which the application was loaded.

By placing the malicious, forged VERSION.dll into the Teams directory, the attacker ensures that the next time the user starts Teams, the application will load the attacker’s DLL instead of the legitimate one located in C:\Windows\System32\.

Step 4: Execution with Stealth — DLL Proxying

If the attacker’s DLL simply contained malware, Microsoft Teams would likely crash, as it wouldn’t find the legitimate functions it expects to see in VERSION.dll. To avoid this, the attacker uses DLL proxying.

The malicious DLL is crafted to do two things:

  • Execute the Malicious Payload: It launches the attacker’s beacon or reverse shell, establishing a C2 connection.
  • Forward Legitimate Calls: It acts as a “proxy,” forwarding all legitimate API calls that Teams makes to the real VERSION.dll in the System32 directory.

The result? The malware executes, the C2 channel is established, and Microsoft Teams launches and functions perfectly normally, raising no suspicion from the user.

Why This Technique is So Effective

  • Bypasses Network Security: The payload is delivered disguised as benign web content, evading many network-based security solutions.
  • Abuses Trusted Applications: Execution is initiated by a signed, legitimate Microsoft application, making it difficult for EDR and antivirus tools to flag as inherently malicious.
  • Requires No Administrative Rights: The entire chain, from caching the file to moving it into the Teams directory, can be performed by a standard user.
  • High Stealth: The use of DLL proxying ensures the host application remains stable, and C2 traffic is blended with legitimate Teams/OneDrive HTTPS traffic.

Defending Against Browser Cache Smuggling: Detection & Mitigation

Protecting against such a multi-faceted attack requires a layered defense strategy.

Prevention & Hardening (The Left-of-Boom Actions):

  • Restrict Scripting Engines: The retrieval phase relies on PowerShell. For users who do not need it (e.g., in HR or finance), use application control solutions like Windows Defender Application Control (WDAC) or AppLocker to restrict access to PowerShell, Python, and other scripting engines.
  • Don’t Install Tools in localappdata: Where possible, avoid installing applications in user-writable directories. While this is the default for Teams, it’s a known risk factor.
  • Configure Browser Cache Policies: Use Group Policy Objects (GPOs) to force browsers to clear their cache on exit. For Google Chrome, for example, configuring the ClearBrowsingDataOnExit registry key can effectively delete cached files when the session ends, erasing the smuggled DLL before it can be used.
  • Enforce Code Signing for PowerShell: If PowerShell is required, configure its execution policy to only allow scripts signed by trusted internal CAs.

Detection & Monitoring (The Right-of-Boom Actions):

  • Monitor Browser Cache Access: This is the most effective detection strategy. Create monitoring rules that raise a high-priority alert if any process other than a legitimate browser (e.g., powershell.exe, cmd.exe) attempts to read from or access browser cache databases or directories. There is rarely a legitimate reason for this behavior.
  • Monitor File Movements: Watch for suspicious file creation or modification in critical application directories like the Teams localappdata folder.
  • Utilize Threat Intelligence: Keep informed about emerging attack patterns and their indicators of compromise (IoCs) through threat intelligence feeds.

Conclusion: The Evolving Battlefield

Browser Cache Smuggling is a powerful example of how attackers creatively chain together legitimate system functions to create a stealthy and effective attack path. It demonstrates a deep understanding of browser mechanics, Windows processes, and human behavior. For defenders, it’s a critical reminder that security cannot be focused on a single point of failure. We must adopt a defense-in-depth strategy that includes robust system hardening, vigilant behavioral monitoring, and continuous user education to stay ahead of these evolving threats. The browser is a window to the world, and we must ensure it doesn’t become an open door for adversaries.

To further enhance your cloud security and implement Zero Trust, contact me on LinkedIn Profile or [email protected].

Browser Cache Smuggling FAQ:

  • What is Browser Cache Smuggling? It is a malware delivery technique where an attacker tricks a user’s web browser into caching a malicious file (like a DLL) disguised as a harmless one (like an image). The attacker then uses social engineering to get the user to run a script that moves this cached file to a location where a trusted application (like Microsoft Teams) will execute it.
  • Why is this attack method considered stealthy? It’s stealthy because it avoids common detection triggers. The payload is not an email attachment, the download is disguised as benign web traffic, and the final execution is launched by a legitimate, signed application. The use of DLL proxying also prevents the host application from crashing, further reducing suspicion.
  • Does this exploit a vulnerability in the browser or in Microsoft Teams? It doesn’t exploit a traditional software vulnerability in the sense of a code flaw. Instead, it abuses the expected behavior of several components: the browser’s caching mechanism, the Windows DLL search order, and the user’s trust in applications like Teams.
  • How can I protect my organization from this attack? A layered approach is best: restrict scripting engines for users who don’t need them (via WDAC/AppLocker), configure browsers to clear the cache on exit using GPOs, and implement monitoring rules to detect suspicious access to browser cache directories by non-browser processes.
  • What is DLL Proxying and why is it used here? DLL Proxying is a technique where an attacker creates a malicious DLL with the same name and exported functions as a legitimate DLL. When the application loads the malicious DLL, it executes the attacker’s code and forwards the legitimate function calls to the real DLL. This is used to maintain the stability of the host application (e.g., Teams) and avoid crashes that would alert the user.

Relevant Resource List:

  • Rewterz: “Teams Malware Deployment Possible via Browser Cache Smuggling”
  • Orange Cyberdefense Blog: “Browser Cache Smuggling: the return of the dropper”
  • Arete: “Browser Threats Evolve to Distribute Malware Through OneDrive and Microsoft Teams”
  • Insomni’hack Talk: “Cache Me If You Can: Smuggling Payloads Via Browser Caching Systems” by Aurélien Chalot (The original technical presentation).
  • Microsoft Documentation on DLL Search Order: (For understanding the core mechanism of the hijack).
  • Google Chrome Enterprise Policy List: (For details on ClearBrowsingDataOnExit and other GPOs).