2025-08-01 (Friday): Some info on a #LummaStealer example I found today:
github.com/malware-traf...
#Lumma
@malware-traffic-analysis.net.bsky.social
Sharing information on malicious network traffic and malware samples at https://www.malware-traffic-analysis.net/
Screenshot of the page from my web site to download a password-protected zip archive containing the pcap.
2025-07-23 (Wednesday): Ten days of scans and probes and web traffic hitting my web server. A #pcap of the traffic is available at www.malware-traffic-analysis.net/2025/07/23/i...
24.07.2025 02:31
2025-07-22 (Tuesday): Tracking the #SmartApeSG campaign using #ClickFix to push #NetSupportRAT. Details at: github.com/malware-traf...
22.07.2025 18:58
I'm surprised that "your RaaS" jokes haven't really been a thing yet.
22.07.2025 18:00
Verbally, that is...
21.07.2025 19:54
With all the recent law enforcement actions in recent years, are Ransomware-as-a-Service operators telling everyone to "protect your RaaS" ??
21.07.2025 19:52
2025-07-17 (Thursday): Tracking the #SmartApeSG campaign for #ClickFix pages pushing #NetSupportRAT. Details at github.com/malware-traf...
17.07.2025 14:08
Traffic from an infection filtered in Wireshark.
2025-07-15 (Tuesday): #LummaStealer infection with #SecTopRAT. A #pcap of the #Lumma traffic and #SecTop #RAT activity, the #malware / artifacts from an infection, and the associated IOCs are available at www.malware-traffic-analysis.net/2025/07/15/i...
16.07.2025 02:13
2025-07-15 (Tuesday): Some different IOCs from the #SmartApeSG #ClickFix page today.
warpdrive[.]top <-- domain used for SmartApeSG injected script and to display ClickFix page.
sos-atlanta[.]com <-- domain from script injected into clipboard and to retrieve #NetSupportRAT malware package
Saw this one earlier this month from #Kongtuke: bsky.app/profile/malw...
15.07.2025 01:17
Screenshot of ClickFix-style fake verification page with text for the script injected into the viewer's hijacked clipboard.
HTTPS URLs seen during this infection chain.
Traffic from an infection filtered in Wireshark.
NetSupport RAT persistent on an infected Windows host through a Windows registry update.
2025-07-14 (Monday): #SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing your way through this leads to a #NetSupportRAT infection.
14.07.2025 23:22
Part of it was the episodic aspect, waiting a week between episodes and months between seasons. I saw the last half of the final season when it aired, and it was good. Someone told me I must watch it from the beginning because it was amazing, and I was like, "I'm okay. I already know the ending."
10.07.2025 17:53
All three use clipboard hijacking to load malicious script for a victim to paste into a File Manager/Run/Terminal window.
All three basically say, "here's a problem getting to what you want to view, so please follow these detailed instructions to continue."
From my viewpoint, here are the various types of #ClickFix pages:
#FileFix: Asks you to paste script into a File Manager window.
#RunFix: Asks you to paste script into a Run window
#TermFix: Asks you to paste script into a terminal window (cmd.exe console or PowerShell terminal).
I didn't notice it for this infection chain, and I haven't personally seen that elsewhere yet.
03.07.2025 18:28
So while there's been some hype around #FileFix, it's still the same type of #ClickFix technique. It's a technique of tricking users into clicking and pasting their way into an infection. IMHO FileFix is just as likely to fail (or succeed) as the typical ClickFix lures we've seen up to this point.
03.07.2025 17:48
2025-07-03 (Thursday): #FileFix style #ClickFix page from #Kongtuke injected script in page from legitimate site at besthotelshome[.]com.
The mr.d0x article announcing FileFix calls it a ClickFix alternative, but it's really a -variant- of ClickFix. Just using File Manager instead of a Run window.
Screenshot of downloading a password-protected 7-zip archive for Lumma Stealer through a web browser, example 1 of 2.
Screenshot of downloading a password-protected 7-zip archive for Lumma Stealer through a web browser, example 2 of 2.
Traffic from an infection filtered in Wireshark showing the Lumma Stealer C2 traffic and the Rockstun malware download and C2 traffic.
Files from an infected Windows host under the user's AppData\Local\Temp directory.
2025-07-02 (Wednesday): Another #LummaStealer infection with follow-up #Rsockstun malware. The Lumma Stealer infection uses a password-protected 7-zip archive, a NullSoft installer, and AutoItv3. Malware samples, a #pcap and some IOCs are available at www.malware-traffic-analysis.net/2025/07/02/i...
03.07.2025 04:27
2025-06-27 (Friday): Ran another #LummaStealer infection today and saw different follow-up malware than yesterday. Same URL for sok.exe, but a different file. Same C2 traffic using TCP port 16443, but a different domain at eset-blacklist[.]net. Analysis at www.joesandbox.com/analysis/172...
#Lumma
Injected SmartApeSG script in page from legitimate but compromised website. This injected script leads to the ClickFix page.
Example of the ClickFix page and script injected into a victim's clipboard (clipboard hijacking) that the victim is asked to paste into Run window and run.
URL sequence for the ClickFix page and the URLs for NetSupport RAT.
Traffic from the infection filtered in Wireshark, showing the NetSupport RAT C2 traffic.
2025-06-27 (Friday): #SmartApeSG script for #ClickFix page leads to #NetSupport #RAT
Details at: github.com/malware-traf...
#NetSupportRAT #ClipboardHijacking
Step 1: Downloading the malware that's distributed as a cracked version of Turnitin. Hint: It doesn't install Turnitin, it just installs Lumma Stealer.
Extracting the malware (a Windows .exe file) from the downloaded, password-protected 7-zip archive.
Traffic from the infection filtered in Wireshark.
Files dropped from this infection.
2025-06-26 (Thursday): #LummaStealer ( #Lumma ) infection leads to follow-up loader that retrieves a pen test tool hosted on Github and configures it as #malware. A #pcap of the infection traffic, the associated malware, and IOCs are available at: www.malware-traffic-analysis.net/2025/06/26/i...
27.06.2025 05:22
Screenshot of the web page for the associated blog post.
2025-06-21 (Saturday): #KoiLoader / #KoiStealer infection. #pcap of the infection traffic, associated malware/files, and some of the indicators available at www.malware-traffic-analysis.net/2025/06/21/i...
21.06.2025 18:25
Image showing how someone gets from a link in a social media post to arrive at the downloaded archive.
Image showing how someone would extract malware from the downloaded archive. From zip archive to password-protected 7-Zip archive to zip archive to extracted Windows executable (.exe) file.
Traffic from an infection filtered in Wireshark.
How I picture someone would actually run this malware.
2025-06-20 (Friday): Post I wrote for my employer on other social media about distribution of #malware disguised as cracked software. The malware is contained in password-protected 7-Zip archives to avoid detection. #pcap and malware files at www.malware-traffic-analysis.net/2025/06/20/i...
21.06.2025 16:03
HTML source of page from legitimate but compromised site showing SmartApeSG injected script.
Example of a ClickFix-style page caused by the injected SmartApeSG script. A victim must click to get the popup and follow the instructions to paste and run the malicious script.
Traffic from an infection filtered in Wireshark. This shows the NetSupport RAT C2 traffic and StealC v2 traffic.
2025-06-18 (Wed): #SmartApeSG --> #ClickFix lure --> #NetSupportRAT --> #StealCv2
A #pcap of the traffic, the malware/artifacts, and some IOCs are available at www.malware-traffic-analysis.net/2025/06/18/i....
Today's the 12th anniversary of my blog, so I made this post a bit more old school.
2025-06-13 (Friday): Traffic analysis exercise: It's a trap!
www.malware-traffic-analysis.net/2025/06/13/i...
2025-06-10 (Tuesday): Ten days of scans and probes and web traffic to a webserver I run (not my blog web server, but another one). After helping a coworker review an Apache Tomcat vulnerability, I opened TCP port 8080 to accept web traffic requests. www.malware-traffic-analysis.net/2025/06/10/i...
12.06.2025 04:12
Been on vacation, and I've had a lot at work, so I haven't updated the blog in the last 3 to 4 weeks.
I'm back now, and I was able to post some stuff that had backed up in my queue for the blog.
New entries for May 22nd, May 27th, and May 31st at www.malware-traffic-analysis.net/2025/index.h...
To be fair, I investigated a campaign that was pushing Lumma Stealer earlier this week but had switched to #StealC v2 malware earlier today (2025-05-22):
github.com/PaloAltoNetw...
So the disruption was at least somewhat effective based on what I'm seeing.
2025-05-22 (Thurs): After the #LummaStealer disruption, I found an active sample today, so how effective was the disruption, really?
SHA256 hash for the EXE:
8619bea9571a4dcc4b7f4ba494d444b8078d06dea385dc0caa2378e215636a65
Analysis:
- tria.ge/250523-afpxx...
- app.any.run/tasks/add82e...
Screenshot of Safari viewing a fake CAPTCHA page with instructions for ClickFix style script to infect a macOS host.
2025-05-14 (Wed): A reminder these fake CAPTCHA pages for #ClickFix infections can also leave instructions to infect macOS hosts.
Script had typo. I fixed it, but it still didn't work. Different GUIDs for different hosts
hxxps[:]//qv.gahq[.]ru/fdgv.sh/01234567-89ab-cdef-0123-456789abcdef.solve
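The posts above share their indicators in defanged form: the SmartApeSG and Kongtuke domains written with `[.]` (2025-07-15, 2025-07-03 and 2025-06-27 posts) and the macOS ClickFix URL written with `hxxps[:]//` (2025-05-14 post). Defanging keeps the indicators from being clicked, but they have to be refanged before they can be matched against telemetry. The Python below is an added example and is not code from the posts or from malware-traffic-analysis.net: it refangs those indicators, extracts the hostname, and checks each request in a proxy log for an exact or subdomain match. The domains come from the posts; the log format, the log lines and the GUID in the URL path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators as they appear in the posts above (defanged). The GUID in the
# last URL is a constructed placeholder; the posts say it differs per host.
PAGE_IOCS = [
    "warpdrive[.]top",
    "sos-atlanta[.]com",
    "besthotelshome[.]com",
    "eset-blacklist[.]net",
    "hxxps[:]//qv.gahq[.]ru/fdgv.sh/CONSTRUCTED-GUID.solve",
]

# Constructed proxy log: "<timestamp> <client_ip> <method> <url> <status>".
# The format is an assumption for this example, not a real proxy's format.
SAMPLE_PROXY_LOG = """\
2025-07-15T01:02:03Z 10.0.0.25 GET https://www.example.com/ 200
2025-07-15T01:02:09Z 10.0.0.25 GET https://warpdrive.top/ 200
2025-07-15T01:02:40Z 10.0.0.25 GET https://cdn.sos-atlanta.com/pkg.zip 200
2025-07-15T01:03:00Z 10.0.0.31 GET https://notwarpdrive.top/ 200
2025-05-14T10:00:00Z 10.0.0.44 GET https://qv.gahq.ru/fdgv.sh/CONSTRUCTED-GUID.solve 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps[:]//evil[.]example) back into its live form."""
    s = indicator.strip()
    # Common bracket conventions for dots, colons and slashes.
    s = s.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    s = s.replace("[:]", ":").replace("[/]", "/")
    # hxxp / hxxps scheme -> http / https (only the leading "hxxp" is touched).
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s


def indicator_host(indicator: str) -> str:
    """Return the lower-cased hostname of a refanged domain or URL indicator."""
    s = refang(indicator)
    if "://" not in s:
        s = "//" + s  # urlsplit only recognises a netloc after a scheme or a leading //
    host = urlsplit(s).hostname
    if host is None:
        raise ValueError(f"no hostname in indicator: {indicator!r}")
    return host


def host_matches(host: str, ioc_host: str) -> bool:
    """True when host is the IOC host itself or a subdomain of it.

    The "." prefix in the suffix test keeps notwarpdrive.top from matching
    warpdrive.top.
    """
    host = host.lower().rstrip(".")
    return host == ioc_host or host.endswith("." + ioc_host)


def scan_proxy_log(lines, iocs):
    """Return (timestamp, client_ip, url, matched_indicator) for every request
    whose hostname matches one of the indicators."""
    ioc_hosts = [(ioc, indicator_host(ioc)) for ioc in iocs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the scan
        req_host = urlsplit(m["url"]).hostname
        if req_host is None:
            continue
        for ioc, ioc_host in ioc_hosts:
            if host_matches(req_host, ioc_host):
                hits.append((m["ts"], m["src"], m["url"], ioc))
                break  # one hit per request is enough for triage output
    return hits


if __name__ == "__main__":
    for ts, src, url, ioc in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines(), PAGE_IOCS):
        print(f"{ts} {src} -> {url} (matched {ioc})")
```

Running the script prints the three requests that touch listed infrastructure (warpdrive.top, a subdomain of sos-atlanta.com, and the qv.gahq.ru URL) and ignores the look-alike notwarpdrive.top. Matching on the hostname rather than the full URL is deliberate: the posts note that the path of the macOS URL carries a per-host GUID, so a full-URL match would miss every host but one.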