Sharing information on malicious network traffic and malware samples.
2026-02-03 (Tuesday): #GuLoader for #AgentTesla style malware with FTP data exfiltration.
A #pcap of the infection traffic, associated files, and a list of indicators are available at https://www.malware-traffic-analysis.net/2026/02/03/index.html
Two online sandboxes tag this sample as AgentTesla, but I'm not sure what the actual name of this malware is.
- https://tria.ge/260203-tvhlyahx7c
- https://app.any.run/tasks/0840196f-2b8f-415c-8ca7-af0c8f394b0d
@netresec Lol, I've been calling this Async RAT ever since I first saw it, and no one reached out to correct me about it until now. Thanks!
@netresec Thanks! When I have time, I'll update the blog post to reflect this info!
NOTE: This has been updated to correct the malware names. Thanks, @netresec!
2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT
Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.
A #pcap of the infection traffic, some artifacts, and further details are available at https://www.malware-traffic-analysis.net/2026/02/02/index.html
2026-02-01 (Sunday): It's easy enough to find #LummaStealer malware samples.
Just do a Google search for cracked versions of popular software and specify site:drive.google.com.
Details on today's haul at https://github.com/malware-traffic/indicators/blob/main/2026-02-01-Google-Drive-links-lead-to-Lumma-Stealer.txt
2026-01-31 (Friday): I've posted a new traffic analysis exercise. It's Lumma in the room-ah! Join the fun at https://www.malware-traffic-analysis.net/2026/01/31/index.html
I mean, this guy looks like he's having fun.
2026-01-22 (Thursday): #RemcosRAT infection persistent on an infected Windows host. This was caused by #ClickFix instructions from #SmartApeSG through a fake CAPTCHA page. Details of this #Remcos #RAT infection are available at https://www.malware-traffic-analysis.net/2026/01/06/index.html
I've also added three other blog entries from infections I generated in my lab on Tuesday, 2026-01-20. Those can be found at https://www.malware-traffic-analysis.net/2026/index.html
Those three other entries cover #LummaStealer, #VIPRecovery, and #Xworm. The VIP Recovery and Xworm infections followed the same chain of events, which includes #steganography through base64 text embedded in an image.
2026-01-19 (Monday): Catching up on two infections in my lab from last week, and I added an entry with a #pcap of scans and probes and web traffic hitting my web server.
I attempted to set up MongoDB on my server to detect any "MongoBleed" CVE-2025-14847 activity, but I was unable to configure the server properly.
I opened TCP port 27017 on my Apache web server, and I'm only receiving web scans/probes on that port.
Feel free to check out my latest posts at https://www.malware-traffic-analysis.net/2026/index.html
Or not. I'm not your parent. I can't tell you what to do.
ISC Diary: Infection repeatedly adds scheduled tasks & increases traffic to same C2 domain https://isc.sans.edu/diary/32628
@netresec @james_inthe_box I forgot that I saw something identifying VIP Recovery as Snake Keylogger back in September 2024:
https://www.malware-traffic-analysis.net/2024/09/16/index.html
But yeah, I don't think it matters much, because it's likely the same thing, whatever we call it.
2026-01-10 (Saturday): Ten days of scans, probes, and web traffic hitting my web server.
This traffic is often fun to check the URLs in the HTTP requests that would retrieve malicious content, if the exploits in the scans/probes were successful. Can get a bit repetitive, though, because it seems to be mostly for Mirai botnet-type malware.
A #pcap of the traffic is available at https://www.malware-traffic-analysis.net/2026/01/10/index.html
![HTTP stream of the last HTTP traffic in the pcap, showing a POST request that retrieves malicious content from a server at 91.92.241[.]10.](https://files.mastodon.social/cache/media_attachments/files/115/877/592/945/741/050/original/c62f4a555b9a526b.jpg)
![Using the wget command to retrieve one of the malicious files from the server at 91.92.241[.]10 on Sunday, 2026-01-11.](https://files.mastodon.social/cache/media_attachments/files/115/877/592/974/617/072/original/4b21278586caf04c.jpg)
![Example of a shell script downloaded from 91.92.241[.]10 on Sunday, 2026-01-11, likely for Mirai botnet malware.](https://files.mastodon.social/cache/media_attachments/files/115/877/593/003/106/259/original/ba2b1654e7de8917.jpg)
2026-01-09 (Friday): #VIPRecovery infection from an email attachment that contains a VBS file.
The infection process involves retrieving an image from Firebase storage. The image contains embedded base64 text that translates to a Windows EXE file.
There's another HTTPS URL that returns reversed base64 text, which translates to another EXE file that appears to be corrupt.
Those EXE files don't do anything interesting individually, and I wasn't able to figure out how everything pulls together for the VIP Recovery infection, but it does somehow.
A #pcap of the infection traffic, associated files, and more information are available at https://www.malware-traffic-analysis.net/2026/01/09/index.html
@netresec I assume it is, but I don't know how to confirm. I've seen similar URL patterns before the same type of RAT traffic over TCP port 25658 from KongTuke activity before:
- https://www.malware-traffic-analysis.net/2025/01/13/index.html
- https://www.malware-traffic-analysis.net/2025/04/04/index.html
2026-01-08 (Thursday): Got a full infection from #KongTuke campaign #ClickFix activity today.
I split the traffic from this infection into two #pcap files, and the second one is over 200 MB, because of the malware download.
Pcap files, the associated malware, artifacts, and further information is available at https://www.malware-traffic-analysis.net/2026/01/08/index.html
2026-01-07 (Wednesday): #MassLogger infection from an email attachment.
Copies of the emails, associated malware, a list of indicators, and a #pcap of the infection traffic are available at https://www.malware-traffic-analysis.net/2026/01/07/index.html
2026-01-06 (Tuesday): #SmartApeSG CAPTCHA page uses #ClickFix technique to push #RemcosRAT.
The #Remcos #RAT C2 server is at 192.144.56[.]80.
A #pcap of the traffic, the Remcos RAT #malware, and a list of indicators are available at https://www.malware-traffic-analysis.net/2026/01/06/index.html
2026-01-05 (Monday): #KongTuke domain scrroeder[.]com generated #ClickFix script for 144.31.221[.]71, but I didn't get a malware infection when I tried it today.
![Fake CAPTCHA page from KongTuke domain, scrroeder[.]com.](https://files.mastodon.social/cache/media_attachments/files/115/843/530/765/919/436/original/8e84b869c4b02a6e.jpg)
ISC Diary: Cryptocurrency Scam Emails and Web Pages As We Enter 2026 https://isc.sans.edu/diary/32594
2026-01-01 (Thursday): #LummaStealer infection with follow-up malware.
A #pcap of the infection traffic, the #Lumma #Stealer files, and a list of IOCs are available at https://www.malware-traffic-analysis.net/2026/01/01/index.html
Lumma Stealer C2 domain: offenms[.]cyou
The follow-up malware is using memory-scanner[.]cc for its C2 traffic, just like I saw on 2025-12-30. But this follow-up malware also used another C2 domain: communicationfirewall-security[.]cc
2025-12-30 (Tuesday): #LummaStealer infection with follow-up malware.
A #pcap of the infection traffic, the associated #Lumma with follow-up #malware samples, and some IOCs are available at www.malware-traffic-analysis.net/2025/12/30/index.html
I don't know what the follow-up malware is, but unlike Lumma Stealer, the follow-up malware was made persistent.
Big thanks to VirusTotal on this, because I was able to grab VirusTotal's CAPE Sandbox analysis of the Lumma Stealer sample, and it shows the URLs from the HTTPS traffic that I can't get in my lab.
If anyone knows what the follow-up malware is, please share that info!
