Lmst

2025-05-22 (Thursday): After the recent #LummaStealer disruption, I found an active sample today, so how effective was the disruption, really?

SHA256 hash for the installer EXE for Lumma Stealer:

8619bea9571a4dcc4b7f4ba494d444b8078d06dea385dc0caa2378e215636a65

Analysis:

- https://tria.ge/250523-afpxxsfm5t
- https://app.any.run/tasks/add82eaa-bdb8-43b9-885b-c0a58cc2530c

To be fair, I investigated a campaign that was pushing Lumma Stealer earlier this week, and it had switched to #StealC v2 malware earlier today (2025-05-22):

- https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-05-22-campaign-switches-from-Lumma-to-StealC-v2.txt

So the disruption was at least somewhat effective based on what I'm seeing. I don't have eyes on the criminal underground, though, so I don't know what's happening with Lumma Stealer's customers.

2025-05-06 (Tuesday): #RaspberryRobin activity - file hashes, malware samples, #WebDAV server info, and a #pcap of the infection traffic available at https://www.malware-traffic-analysis.net/2025/05/06/index.html

Traffic from the Raspberry Robin infection filtered in Wireshark.

2025-05-09 (Friday): #KoiLoader / #KoiStealer activity still happens. It's the same type of distribution chain and infection characteristics as always.

Example of downloaded zip archive available at:

- https://bazaar.abuse.ch/sample/3523653959c0083b7e106a71dd99acc03ccf09cb3452b9b65dcf17005917e389/
- https://tria.ge/250510-a2fw5sek3y
- https://app.any.run/tasks/3adefb51-8ab1-417e-9725-1848c0a071ee

List of several URLs seen recently that return a zip archive containing a Windows shortcut for Koi Loader / Koi Stealer.

Screenshot of a web browser when downloading one of the zip archives for Koi Loader / Koi Stealer from one of the Google Sites URLs.

Examining the Windows shortcut extracted from the downloaded zip archive. The shortcut runs PowerShell script to infect a host with Koi Loader / Koi Stealer.

Traffic from a Koi Loader / Koi Stealer infection filtered in Wireshark.

@chrisp Thanks for the feedback! Of note, the password is not written at all in plain text on the site. It's explained in an image. While that explanation is stated in English within the image, the password is different for each blog entry.

As far as the torrents, I won't be doing that. There's nothing so big as to require a torrent, and my site is only set up as static pages. Asking for torrents is asking me to do a bunch of extra work on something I have increasingly less time for.

Just finished restoring the last of the blog posts for 2017 on my malware-traffic-analysis.net site.

As a bit of background, Google had flagged my site as malicious, because I've been hosting malware samples, even though they're plainly marked as malware and presented in password-protected zip archives.

To keep from being blacklisted as an unsafe site, I had to take the majority of my blog entries off-line and switch to a new password scheme for the zip archives. I also found many of those old posts listed domains and URLs that I hadn't de-fanged.

That's what I've been fixing, and now the site has been fully restored for everything since 2017 on the regular blog posts.

In 2017, I made 379 posts for the entire year, not counting the traffic analysis exercises. I've fixed things about those blog posts that I now find annoying.

For example, the Hancitor entries were titled "Hancitor malspam, Subj: [subject of email]." I've always had the infection traffic and malware, but I always like to include the infection vector. Unfortunately, that makes a misleading title, and people might think those posts are -only- about the malspam.

So I re-titled those to "Hancitor infection with ZLoader" or "Hancitor infection with SendSafe spambot activity" or whatever it was based on the traffic.

I started 2017 focusing on exploit kit (EK) activity, mostly Rig EK. But by the end of 2017, the majority of my Windows-based infections came from email as the initial infection vector.

EK traffic had already been on a downward trend before 2017 due to people moving away from Internet Explorer and using other web browsers.

Overall, it's been quite the trip reviewing those blog entries from 8 years ago.

Up next? Guess I'll start digging into the 2016 blog posts to restore.

2025-04-22 (Tuesday): Always fun to find the fake CAPTCHA pages with the #ClickFix style instructions trying to convince viewers to infect their computers with malware.

Saw #StealC from an infection today.

Indicators available at https://github.com/malware-traffic/indicators/blob/main/2025-04-22-IOCs-for-ClickFix-style-campaign-leading-to-StealC-infection.txt

#ClipboardHijacking #Pastejacking

Step 2: Try one of the sites you found on the URLscan search in a web browser. It should return a fake CAPTCHA page, with a box to check/click. You have to click the box twice. It then shows instructions on how to copy and run script that's been injected into the viewer's clipboard.

Note: Make sure you do this in a controlled lab environment on a Windows host specifically used for testing malware. Don't try this on your regular Windows computer!

Step 3: Run the script to infect a Windows host. To emphasize once again, this should be done in a controlled lab environment. This image shows network traffic from an infection filtered in Wireshark and it shows C2 traffic from the StealC infection.

@en3py That's a good question. I'm curious how well the EU enforces requirements from the NIS2 Directive.

2025-04-21 (Monday): #Phishing email with both an HTML attachment and a link to a phishing page.

Both methods send login credentials to Telegram.

Phishing page URL: hxxps[:]//iipg[.]it/mail2/login-Inbox.html

Screenshot of the phishing email from 2025-04-21 with both an attached HTML file for a phishing page and a link to a phishing page.

Screenshot of phishing page from link in the email.

Script from the HTML attachment showing login credentials are sent to Telegram account.

Network traffic from the phishing site filtered in Wireshark showing traffic to api[.]telegram[.]org, indicating login credentials were sent to a Telegram account.

2025-04-17 (Thursday): I found an example of #MassLogger malware sent through #malspam. The infection traffic indicates stolen data sent to a mail server at mail.bouttases[.]fr.

Details at https://github.com/malware-traffic/indicators/blob/main/2025-04-17-IOCs-for-MassLogger-infection.txt

Screenshot of the email distributing MassLogger.

Traffic from the MassLogger infection filtered in Wireshark.

MassLogger malware persistent on an infected Windows host.

Social media post I wrote for my employer on other platforms.

2025-04-04 (Friday): Injected #KongTuke script in pages from legitimate but compromised websites leads to fake #CAPTCHA style pages and #ClipboardHijacking (#pastejacking). These pages ask users to paste script into a Run window. Latest info at

Information from an infection run earlier today at https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-04-04-IOCs-forKongTuke-web-inject-leading-to-fake-CAPTHA-page.txt

Of note, we can find legitimate websites with the injected hashtag#KongTuke script by pivoting on the KongTuke domain in URLscan:

https://urlscan.io/search/#lancasternh.com

Injected script in a page from a legitimate but compromised website.

The CAPTCHA style "Verify You Are Human" page hijacks a viewer's clipboard on a vulnerable Windows host, and it asks viewers to paste script (from the clipboard) into a Run window. This is PowerShell script that is designed to infect a Windows host with malware.

Traffic from an infection filtered in Wireshark.

Self-signed certificate seen on the C2 server for post-infection traffic using HTTPS TSLv1.0.

2025-03-26 (Wednesday): #SmartApeSG traffic for a fake browser update page leads to a #NetSupport #RAT infection. A zip archive for #StealC sent over the #NetSupportRAT C2 traffic.

The #StealC infection uses DLL side-loading by a legitimate EXE to #sideload the malicious DLL.

A #pcap from an infection, the associated #malware samples, and #IOCs are available at at https://www.malware-traffic-analysis.net/2025/03/26/index.html

Compromised website showing SmartApeSG page for fake browser update.

NetSupport RAT persistent on an infected Windows host.

Zip archive and extracted files for follow-up StealC malware.

#MalspamMonday

Malspam Monday is when I check the inboxes of my honey pot accounts for anything interesting distributed through email.

Today, I found an example of #GuLoader for #Remcos #RAT

Details at https://github.com/malware-traffic/indicators/blob/main/2025-03-24-GuLoader-for-Remcos-RAT.txt

#RemcosRAT #malspam

Screenshot of the email with the malicious attachment containing GuLoader for Remcos RAT

Traffic from the infection by GuLoader for Remcos RAT filtered in Wireshark. The Remcos RAT C2 server for HTTPS traffic over TCP port 9090 uses a self-signed certficate.

A "sophisticated hacker"

Social media post I wrote about #RemcosRAT for my employer at https://www.linkedin.com/posts/unit42_remcos-rat-keylogger-activity-7304958245322768385-tu-a/ and https://x.com/malware_traffic/status/1899207006939947440

2025-03-10 (Monday): #Remcos #RAT activity. Email distribution used a zip archive attachment with a .7z file extension. During a test infection, we saw indicators of a #Keylogger and a Hacking tool to view browser passwords.

More info at https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-03-10-IOCs-for-Remcos-RAT-activity.txt

A #pcap of the infection traffic and the associated #malware files are available at https://malware-traffic-analysis.net/2025/03/10/index.html

Screenshot of the email distributing Remcos RAT, focusing on the attached archive and its contents.

Traffic from the Remcos RAT infection filtered in Wireshark. It show information about the infected Windows host, and it also shows a Windows EXE sent over the C2 traffic. The Windows EXE is a hacker tool to view browser passwords.

Location of a text file for an offline keylogger. The image shows the beginning of the contents of this keylogger data file.

$This infection was persistent through copies of the initial malware saved to the AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup directory. This image also shows a Windows Registry update caused by the Remcos RAT infection.$

2025-03-07 (Friday): Looking into malicious email attachments. Found an email with a disk image (.img) attachment that contains a malicious Windows executable file.

Extracted malware EXE

- https://bazaar.abuse.ch/sample/a527cc6cf3249f6013cac4e14c4fdcc0642158acedcdd36dafb7006041ecae80/

Infection traffic:

- hxxp[:]/91.223.3[.]167/ITK/Kxruyuecd.dat
- 212.23.222[.]56:22003 <-- encoded/encrypted traffic

Any.Run tags it purecrypter, purelogs, netreactor, and stealer.

- https://app.any.run/tasks/f23d0fe6-63a4-46ed-9812-90315c262b15

Recorded Future's Tria.ge has it as malicious, but doesn't identify it.

- https://tria.ge/250307-xnd7qavthv