Lmst

2025-05-09 (Friday): #KoiLoader / #KoiStealer activity still happens. It's the same type of distribution chain and infection characteristics as always.

Example of downloaded zip archive available at:

- https://bazaar.abuse.ch/sample/3523653959c0083b7e106a71dd99acc03ccf09cb3452b9b65dcf17005917e389/
- https://tria.ge/250510-a2fw5sek3y
- https://app.any.run/tasks/3adefb51-8ab1-417e-9725-1848c0a071ee

List of several URLs seen recently that return a zip archive containing a Windows shortcut for Koi Loader / Koi Stealer.

Screenshot of a web browser when downloading one of the zip archives for Koi Loader / Koi Stealer from one of the Google Sites URLs.

Examining the Windows shortcut extracted from the downloaded zip archive. The shortcut runs PowerShell script to infect a host with Koi Loader / Koi Stealer.

Traffic from a Koi Loader / Koi Stealer infection filtered in Wireshark.

2025-01-23 (Thursday): Windows EXE impersonating an installer submitted to VT on 2024-11-29 leads to #KoiLoader / #KoiStealer infection. A #pcap of the infection traffic, the associated malware/artifacts, and some of the indicators are available at https://malware-traffic-analysis.net/2025/01/23/index.html

I normally see Koi Loader/Stealer infection chains starting with zip-ed Windows shortcuts (.lnk files) from malicious sites[.]google[.]com URLs. This one started with a Windows EXE that caused the same type of PowerShell command line for Koi Loader/Stealer that I always see from those .lnk files.

Found the EXE to kick off this chain from a report by someone at the An Xin Threat Intelligence Center at: https://www.secrss.com/articles/73274

English ranslation: https://www-secrss-com.translate.goog/articles/73274?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp