2025-06-21 (Saturday): #KoiLoader / #KoiStealer infection.

A #pcap of the infection traffic, associated malware/files, and some of the indicators are available at https://www.malware-traffic-analysis.net/2025/06/21/index.html

2025-05-09 (Friday): #KoiLoader / #KoiStealer activity still happens. It's the same type of distribution chain and infection characteristics as always.

Example of downloaded zip archive available at:

- https://bazaar.abuse.ch/sample/3523653959c0083b7e106a71dd99acc03ccf09cb3452b9b65dcf17005917e389/
- https://tria.ge/250510-a2fw5sek3y
- https://app.any.run/tasks/3adefb51-8ab1-417e-9725-1848c0a071ee

2025-01-23 (Thursday): Windows EXE impersonating an installer submitted to VT on 2024-11-29 leads to #KoiLoader / #KoiStealer infection. A #pcap of the infection traffic, the associated malware/artifacts, and some of the indicators are available at https://malware-traffic-analysis.net/2025/01/23/index.html

I normally see Koi Loader/Stealer infection chains starting with zipped Windows shortcuts (.lnk files) from malicious sites[.]google[.]com URLs. This one started with a Windows EXE that caused the same type of PowerShell command line for Koi Loader/Stealer that I always see from those .lnk files.

Found the EXE to kick off this chain from a report by someone at the An Xin Threat Intelligence Center at: https://www.secrss.com/articles/73274

English translation: https://www-secrss-com.translate.goog/articles/73274?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

2025-01-21 (Tuesday): Quick post with a #pcap, malware/artifacts and IOCs for #KoiLoader / #KoiStealer activity at https://malware-traffic-analysis.net/2025/01/21/index.html

#Malware campaigns in #Italy, Week 25

β˜ οΈπŸ’£πŸ”₯πŸ‘»
#Formbook: Pagamento
#AgentTesla: Ordine
#DanaBot: AgenziaEntrate
#KoiLoader - #KoiStealer: Resend
#StrelaStealer: Pagamenti
#Neshta: Ordini

#mwitaly