Mandiant researchers have devised a novel method to circumvent browser isolation technology, leveraging QR codes for command-and-control (C2) operations.
Browser isolation is one of the key defenses against malicious web content. It works by executing web page scripts and rendering content on a remote server, transmitting only a visual representation of the page to the local browser. This separation shields local devices from harmful code.
Ordinarily, browser isolation breaks the HTTP channel between malware and its C2 server, which is enough to defeat many attack techniques. Mandiant’s new method instead uses the visual content of the web page as the channel, so the isolation layer never sees anything to block.
Instead of embedding commands in HTTP responses, the new approach encodes commands in QR codes displayed on web pages. Because the pixel stream of the visual content is transmitted to the user’s device, the QR codes can reach the infected endpoint even through browser isolation.
In Mandiant’s proof of concept (PoC), the victim's machine, already compromised by malware, uses a headless browser client to capture and decode the QR code. The decoded instructions facilitate communication between the implant and the attacker-controlled server.
The method works across all types of browser isolation—remote, on-premises, and local—because it relies on visual content, not network-level interactions.
However, Mandiant notes several practical limitations. Data size: QR codes carrying more than 2,189 bytes of content proved unreliable because of the poor visual quality of the rendered stream. Latency: each C2 request incurs a delay of approximately five seconds for rendering and scanning. Detection potential: security features such as domain reputation analysis, data loss prevention, and behavioral heuristics remain unaddressed in Mandiant’s research, and may still catch the activity.
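The limitations above suggest what a defender can look for: the PoC relies on a headless browser that reloads one page at a steady cadence of roughly five seconds. The following detection heuristic is an added example written for this page, not Mandiant's code; it runs over a constructed sample of endpoint telemetry (timestamp, process id, command line, URL) and flags any headless-browser process that polls a single web origin at a regular interval. The event schema, the `--headless` marker and the thresholds are assumptions chosen for illustration.

```python
"""Heuristic detector for the periodic-polling pattern of a visual (QR-code) C2 channel.

Added example, not part of Mandiant's research. Field names, thresholds and the
sample events below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample telemetry: (timestamp_s, pid, process_cmdline, url).
# pid 4101 is a headless browser reloading one page every ~5 s (the PoC shape);
# pid 2210 is an ordinary interactive browser session.
SAMPLE_EVENTS = [
    (0.0, 4101, "chrome --headless --disable-gpu", "https://c2.example/page"),
    (5.1, 4101, "chrome --headless --disable-gpu", "https://c2.example/page"),
    (10.0, 4101, "chrome --headless --disable-gpu", "https://c2.example/page"),
    (15.2, 4101, "chrome --headless --disable-gpu", "https://c2.example/page"),
    (20.1, 4101, "chrome --headless --disable-gpu", "https://c2.example/page"),
    (3.0, 2210, "chrome", "https://news.example/a"),
    (40.0, 2210, "chrome", "https://news.example/b"),
    (41.5, 2210, "chrome", "https://cdn.example/x.js"),
]

# Command-line markers that indicate a headless browser (assumed list).
HEADLESS_MARKERS = ("--headless",)


def is_headless(cmdline: str) -> bool:
    """True if the command line contains any headless-browser marker."""
    return any(marker in cmdline for marker in HEADLESS_MARKERS)


def origin(url: str) -> str:
    """Reduce a URL to scheme://host so repeated loads of one site group together."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def find_periodic_pollers(events, min_hits: int = 4, max_jitter_ratio: float = 0.2):
    """Return alerts for headless processes that hit one origin at a steady cadence.

    A process/origin pair is flagged when it has at least `min_hits` loads and the
    spread of the inter-request gaps (population stdev / mean) stays below
    `max_jitter_ratio`, i.e. the requests look machine-timed rather than human.
    """
    timestamps_by_key = defaultdict(list)
    for ts, pid, cmdline, url in events:
        if not is_headless(cmdline):
            continue  # interactive browsers are ignored by this heuristic
        timestamps_by_key[(pid, origin(url))].append(ts)

    alerts = []
    for (pid, org), times in timestamps_by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = mean(gaps)
        if mean_gap > 0 and pstdev(gaps) / mean_gap <= max_jitter_ratio:
            alerts.append({
                "pid": pid,
                "origin": org,
                "hits": len(times),
                "mean_interval_s": mean_gap,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_periodic_pollers(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} polls {alert['origin']} every "
              f"{alert['mean_interval_s']:.1f}s ({alert['hits']} loads)")
```

Cadence alone is a weak signal on its own (test harnesses and monitoring scripts also run headless browsers on timers), so in practice this heuristic is best combined with the domain reputation and DLP controls the article names, and with the origin's age and popularity, rather than alerting on it directly.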