Brad
LightNews LightNews
banner
malware-traffic-analysis.net
Brad
@malware-traffic-analysis.net
870 followers 95 following 140 posts
Sharing information on malicious network traffic and malware samples at https://www.malware-traffic-analysis.net/
Posts Replies Media Videos
malware-traffic-analysis.net
2025-11-11 (Tuesday): Cryptocurrency #scam starts with an email. Potential victims must click through several web pages to finish the process. I recorded a video showing what I did after the last image in this post at youtu.be/yUV7OkQqSBk

More info on this activity at github.com/PaloAltoNetw...
The scam starts with an email that links to a suspicious web page. I've somehow earned $138,246.83 USD... Let's go down this rabbit hole! Hey, these pages say I already have an account, but I've not been on it for 364 days... Those fools! I'd better click my way through this. Wow, an account I didn't even know I had! I just want my money. Better keep on clicking! A progress bar? What the what??? This made me wait several minutes before I could continue. See the video at https://youtu.be/yUV7OkQqSBk for what happened after.
November 12, 2025 at 4:01 AM
malware-traffic-analysis.net
2025-10-16 (Thursday): Unidentified #stealer/#Loader found when searching for URLs that follow patterns previously seen for Koi Loader/Koi Stealer.

Details at github.com/malware-traf...
Page to download the initial file. HTTPS URLs seen from the infection. Traffic from the infection filtered in Wireshark. Example of post-infection data exfiltration traffic.
October 16, 2025 at 5:18 PM
malware-traffic-analysis.net
2025-10-10 (Friday): Was looking for Koi Loader/Koi Stealer, and I found this #WebDAV server that hosted malicious Windows shortcut (#LNK) files.

Not sure what type of #malware this is, but it's not Koi Stealer.

Details at github.com/malware-traf...
Malicious Windows shortcut (LNK) files on the WebDAV server. Both are the same file with different names. Traffic from the initial infection filtered in Wireshark. Malware that was persistent on the infected Windows host. Post-infection traffic generated by the peristent malware.
October 11, 2025 at 1:16 AM
malware-traffic-analysis.net
2025-10-08 (Wednesday): #Kongtuke campaign fake CAPTCHA page with #ClickFix instructions. Got a full infection chain, this time. A 205MB zip download makes the #pcap take a while to load in Wireshark. Some IOCs and associated malware/artifacts at www.malware-traffic-analysis.net/2025/10/08/i...
Traffic from the infection filtered in Wireshark. Page from a compromised site with injected Kongtuke script. Fake CAPTCHA page, courtesy of the Kongtuke campaign. Following instructions from the Kongtuke campaign's fake CAPTCHA page.
October 9, 2025 at 4:48 AM
malware-traffic-analysis.net
2025-10-06 (Monday): A collection of 200+ phishing emails in Japanese that were sent to my blog email addresses. Available at www.malware-traffic-analysis.net/2025/10/06/i...
Screen shot of the blog post.
October 7, 2025 at 3:41 AM
malware-traffic-analysis.net
2025-10-02 (Thursday): #pcap and some images from an Android malware infection at www.malware-traffic-analysis.net/2025/10/02/i...
Screenshot of icon for the malicious app on a cell phone. Screenshot of the login screen for the malicious app on a cell phone. It's asking me to place a credit card on the phone. Traffic from an infection filtered in Wireshark.
October 7, 2025 at 2:59 AM
malware-traffic-analysis.net
2025-10-01 (Wed) I've posted #malware samples and a #pcap of the post-infection traffic from an infection by possible #Rhadamanthys malware at www.malware-traffic-analysis.net/2025/10/01/i...

This is from a file disguised as a cracked version of software, and I usually see #LummaStealer from this.
Screenshot of the page from my website with the post for this information. Example of path to download the initial 7-zip archive for the malware. Page with the download for the initial 7-zip archive. Traffic from the possible Rhadamanthys malware, filtered in Wireshark.
October 6, 2025 at 6:52 PM
malware-traffic-analysis.net
Time to update this movie for Halloween.
October 2, 2025 at 4:06 PM
malware-traffic-analysis.net
2025-09-29 (Monday): Follow-up to my post last week. I've been seeing one or two of these emails almost every day. Details on the latest example at github.com/malware-traf...
Screenshot of the email. Screenshot of webpage for the malware download. Downloaded installer EXE showing digital signature and metadata. Scheduled task to keep the infection persistent.
September 30, 2025 at 5:04 PM
malware-traffic-analysis.net
2025-09-25 (Thursday): Received an email distributing a malicious installer for an #RMM tool. Details at github.com/malware-traf...
Screenshot of the email. Screenshot of webpage for the malware download. Downloaded malware EXE showing digital signature and metadata. Scheduled task to keep the infection persistent.
September 28, 2025 at 5:19 PM
malware-traffic-analysis.net
2025-09-24 (Wednesday): #LummaStealer infection with follow-up malware, possibly #Ghostsocks or #GoBackdoor. A #pcap of the infection traffic, malware samples, and list of indicators available at www.malware-traffic-analysis.net/2025/09/24/i...
Screesnhot of the page from my blog with the traffic, malware files, and indicators of compromise for this Lumma Stealer infection. Downloading the initial zip archive for this malware. Extracting the malware EXE from the nested archive files. Traffic from an infection filtered in Wireshark.
September 28, 2025 at 1:51 AM
malware-traffic-analysis.net
2025-09-22 (Monday) #SmartApeSG campaign using #FileFix style #ClickFix technique on its fake CAPTCHA page for #NetSupportRAT. Script sent to victim through #clipboardhijacking downloads MSI from founderevo[.]com/res/velvet when pasted into a File Manager window (www.virustotal.com/gui/file/958...)
September 22, 2025 at 7:20 PM
malware-traffic-analysis.net
2025-09-03 (Wednesday): #Kongtuke fake CAPTCHA page leads to #ClickFix style script for #LummaStealer

A #pcap of the infection traffic, the associated malware, and IOCs are at www.malware-traffic-analysis.net/2025/09/03/i...
Kongtuke style injected script in page from compromised website Fake CAPTCHA page that performs clipboard hijacking (pastejacking) showing the ClickFix style instructions and malicious script a victim would paste into a Run window or command line terminal. Location of the downloaded zip archive for Lumma Stealer, and the content of that zip archive in the user's AppData\Roaming directory. Traffic from an infection filtered in Wireshark.
September 3, 2025 at 6:13 PM
malware-traffic-analysis.net
2025-08-20 (Wed): #SmartApeSG for fake #CAPTCHA page with #ClickFix instructions that led to an MSI file for #NetSupport #RAT and the #NetSupportRAT infection led to #StealCv2. Malware samples, a #pcap, and indicators at www.malware-traffic-analysis.net/2025/08/20/i...
Fake CAPTHA page generated by SmartApeSG script injected into compromised website. ClickFix instructions from the fake CAPTCHA page. Traffic from the infection filtered in Wireshark. Script and traffic to download and run MSI file to install NetSupport RAT
August 20, 2025 at 11:21 PM
malware-traffic-analysis.net
2025-08-20 (Wed): #Kongtuke still using #FileFix style #ClickFix instructions on its fake CAPTCHA pages. I never got any further than the HTTP POST request that sends information about the infected system host. Details at: github.com/malware-traf...
Page from compromised site displaying fake CAPTCHA page. Traffic/URLs from the Kongtuke activity. Example of HTTP POST request sending a victim's host information. In this example of HTTP POST request sending a victim's host information, I never got more than a 200 OK response and no further content.
August 20, 2025 at 5:10 PM
malware-traffic-analysis.net
2025-08-15 (Friday): Information from a social media post I wrote for my employer about a #LummaStealer infection leading to #SectopRAT (#ArechClient2). A #pcap of the infection traffc, along with the associated #malware and artifacts are available at www.malware-traffic-analysis.net/2025/08/15/i...
An image displaying the URL chain followed to get the initial zip archive downloaded for this infection. An image displaying the extractioin chain to get the malicious setup files that installed Lumma Stealer. Traffic from the infection filtered in Wireshark. SectopRAT persistent on an infected Windows host.
August 15, 2025 at 11:11 PM
malware-traffic-analysis.net
2025-08-13 (Wednesday): #LummaStealer infection. The associated #malware, artifacts, a #pcap of the #Lumma Stealer traffic, and indicators of compromise are available at www.malware-traffic-analysis.net/2025/08/13/i...
Screenshot of a Facebook post that linked to a page providing the password-protected 7-zip archive for Lumma Stealer. The archive is named "NCH Debut Video Capture Software Pro 11.2 Beta Crack full version.7z" in an attempt to disguise it as a software crack. Extracting a malicious Windows executable file that will install Lumma Stealer from the password-protected 7-zip archive. The extracted file is named "NCH Debut Video Capture Software Pro 11.2 Beta Crack full version.exe" in an attempt to disguise it as a software crack. Traffic from the Lumma Stealer infection after running "NCH Debut Video Capture Software Pro 11.2 Beta Crack full version.exe" on a vulnerable Windows host. Note the unusual DNS query for iUlWkftUnbTjqPSDLGsNPpSG.iUlWkftUnbTjqPSDLGsNPpSG that happened before the HTTPS Lumma Stealer C2 traffic to secrequ[.]top. Files seen from the Lumma Stealer infection in the user's AppData\Local\Temp directory. The .a3x file for Lumma Stealer wasn't on the disk when I conducted forensic analysis on the infected host. Note that the file names and file extension (.midi) will be different if I try the same type of infection run again tomorrow.
August 14, 2025 at 1:45 AM
malware-traffic-analysis.net
2025-08-11 (Monday): Quick post of an #XLoader ( #Formbook ) infection, with a #pcap, email, and #malware sample available at www.malware-traffic-analysis.net/2025/08/11/i...
August 12, 2025 at 2:32 PM
malware-traffic-analysis.net
2025-07-23 (Wednesday): Ten days of scans and probes and web traffic hitting my web server. A #pcap of the traffic is available at www.malware-traffic-analysis.net/2025/07/23/i...
Screenshot of the page from my web site to download a password-protected zip archive containing the pcap.
July 24, 2025 at 2:31 AM
malware-traffic-analysis.net
2025-07-22 (Tuesday): Tracking the #SmartApeSG campaign using #ClickFix to push #NetSupportRAT. Details at: github.com/malware-traf...
July 22, 2025 at 6:58 PM
malware-traffic-analysis.net
2025-07-17 (Thursday): Tracking the #SmartApeSG campaign for #ClickFix pages pushing #NetSupportRAT. Details at github.com/malware-traf...
July 17, 2025 at 2:09 PM
malware-traffic-analysis.net
2025-07-15 (Tuesday): #LummaStealer infection with #SecTopRAT. A #pcap of the #Lumma traffic and #SecTop #RAT activity, the #malware / artifacts from an infection, and the associated IOCs are available at www.malware-traffic-analysis.net/2025/07/15/i...
Traffic from an infection filtered in Wireshark.
July 16, 2025 at 2:13 AM
malware-traffic-analysis.net
2025-07-15 (Tuesday): Some different IOCs from the #SmartApeSG #ClickFix page today.

warpdrive[.]top <-- domain used for SmartAgeSG injected script and to display ClickFix page.

sos-atlanta[.]com <-- domain from script injected into clipboard and to retrieve #NetSupportRAT malware package
July 15, 2025 at 7:18 PM
malware-traffic-analysis.net
2025-07-14 (Monday): #SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing you way through this leads to a #NetSupportRAT infection.
Screenshot of ClickFix-style fake verification page with text for the script injected into the viewer's hijacked clipboard. HTTPS URLs seen during this infection chain. Traffic from an infection filtered in Wireshark. NetSupport RAT persistent on an infected Windows host through a Windows registry update.
July 14, 2025 at 11:22 PM
malware-traffic-analysis.net
2025-07-03 (Thursday): #FileFix style #ClickFix page from #Kongtuke injected script in page from legitimate site at besthotelshome[.]com.

The mr.d0x article announcing FileFix calls it a ClickFix alternative, but it's really a -variant- of ClickFix. Just using File Manager instead of a Run window.
July 3, 2025 at 5:40 PM