{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/headless-browser/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["command-and-control","headless-browser","file-download","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies potential file downloads via headless browsers on Windows systems. Attackers abuse headless browser capabilities (chrome.exe, msedge.exe, brave.exe, browser.exe, dragon.exe, vivaldi.exe) to download files, proxy traffic, and bypass application control policies. The technique leverages trusted, signed binaries to evade security restrictions, effectively using the browser as a covert download tool. The activity is characterized by a headless browser being launched from a suspicious parent process, such as a script host, Office application, or command shell, with arguments that facilitate scripted content retrieval like \u003ccode\u003e--headless*\u003c/code\u003e, \u003ccode\u003e--dump-dom\u003c/code\u003e, \u003ccode\u003e*http*\u003c/code\u003e, and \u003ccode\u003edata:text/html;base64,*\u003c/code\u003e. Defenders should monitor for such anomalous browser behavior to identify and prevent malicious file downloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user unknowingly executes a malicious script or document (e.g., via phishing or drive-by download).\u003c/li\u003e\n\u003cli\u003eThe script (e.g., PowerShell, VBScript) or document macro initiates a process, such as cmd.exe or powershell.exe.\u003c/li\u003e\n\u003cli\u003eThe parent process spawns a headless browser instance (chrome.exe, msedge.exe, etc.) with the \u003ccode\u003e--headless\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eAdditional arguments are passed to the headless browser to specify a URL for download or base64 encoded content (\u003ccode\u003e--dump-dom *http*\u003c/code\u003e, \u003ccode\u003edata:text/html;base64,*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe headless browser retrieves the content from the specified URL or decodes the base64 data.\u003c/li\u003e\n\u003cli\u003eThe browser saves the downloaded content to disk, often in a user-writable directory.\u003c/li\u003e\n\u003cli\u003eThe initial script or document executes the downloaded file or uses it for further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as establishing persistence, exfiltrating data, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, data compromise, and system compromise. Attackers can use this technique to download malware, bypass security controls, and establish a foothold in the compromised system. The impact can range from individual workstation compromise to large-scale network infiltration, depending on the attacker\u0026rsquo;s objectives and the privileges of the compromised user.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect suspicious headless browser activity, tuning for your environment.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging and command-line auditing to capture the necessary data for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rules, focusing on the parent process, browser arguments, and downloaded file artifacts.\u003c/li\u003e\n\u003cli\u003eReview and harden application control policies to restrict the execution of headless browsers from suspicious parent processes.\u003c/li\u003e\n\u003cli\u003eMonitor network connections from headless browsers to identify potential command and control traffic or data exfiltration attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T15:34:19Z","date_published":"2026-04-06T15:34:19Z","id":"/briefs/2026-06-headless-browser-download/","summary":"Detects the execution of headless browsers from suspicious parent processes with arguments indicative of scripted retrieval, bypassing application control policies and restrictions on direct download tools.","title":"Potential File Download via a Headless Browser","url":"https://feed.craftedsignal.io/briefs/2026-06-headless-browser-download/"}],"language":"en","title":"CraftedSignal Threat Feed — Headless-Browser","version":"https://jsonfeed.org/version/1.1"}